diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx
index 88a19567666b24..c0371a3652a861 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx
@@ -7,6 +7,8 @@ banner:
content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors.
---
+import { Tabs, TabItem } from "~/components";
+
Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/).
@@ -26,12 +28,30 @@ Zero Trust will indicate if a certificate is ready for use in inspection based o
To generate a new Cloudflare root certificate for your Zero Trust organization:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
2. In **Certificates**, select **Manage**.
3. Select **Generate certificate**.
4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days.
5. Select **Generate certificate**.
+
+
+
+
+Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint.
+
+```sh
+curl --request POST \
+https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \
+--header "Authorization: Bearer "
+```
+
+The API will respond with the ID and contents of the new certificate.
+
+
+
The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate).
Each Zero Trust account can generate a new root certificate a maximum of three times per day.
@@ -39,25 +59,66 @@ Each Zero Trust account can generate a new root certificate a maximum of three t
## Activate a root certificate
:::note
-Zero Trust accounts using the Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default.
+Zero Trust accounts using the default Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default.
:::
Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. You can have up to 25 available certificates at once.
To activate your root certificate:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
2. In **Certificates**, select **Manage**.
3. Select the certificate you want to activate.
4. Select **Activate**.
+
+
+
+
+Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/) endpoint.
+
+```sh
+curl --request POST \
+https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate \
+--header "Authorization: Bearer "
+```
+
+
+
The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Available**, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/).
Once you deploy and install your certificate, you can turn it on for use in inspection:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
2. In **Certificates**, select **Manage**.
3. Select the certificate you want to turn on.
4. In **Basic information**, select **Confirm and turn on certificate**.
+
+
+
+
+Send a `PUT` request to the [Update Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/update/) endpoint. For example:
+
+```sh
+curl --request PUT \
+'https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration' \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "settings": {
+ "certificate": {
+ "id": "",
+ "in_use": true
+ }
+ }
+}'
+```
+
+
+
You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Available** and prevent them from being used for inspection until turned on again.