From 17df08e32a01167bcb379bcf5473cc2975b88248 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 9 Jan 2025 16:26:40 -0600 Subject: [PATCH 1/5] Add create cert API call --- .../user-side-certificates/index.mdx | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 88a19567666b248..6fc801c237b7e2c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx 
@@ -7,6 +7,8 @@ banner: content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- +import { Tabs, TabItem } from "~/components"; + Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). 
@@ -26,12 +28,30 @@ Zero Trust will indicate if a certificate is ready for use in inspection based o To generate a new Cloudflare root certificate for your Zero Trust organization: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select **Generate certificate**. 4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days. 5. Select **Generate certificate**. + + + + +Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint. For example: + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +``` + +The API will respond with the ID and contents of the new certificate. + + + The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). Each Zero Trust account can generate a new root certificate a maximum of three times per day. From 6ef939648106929749d510bb2b3989a3e5b9c0cf Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 9 Jan 2025 16:56:21 -0600 Subject: [PATCH 2/5] Add activate cert API call --- .../user-side-certificates/index.mdx | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 6fc801c237b7e2c..c6a2a659c42413b 100644 
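Review bot: the curl example in PATCH 1/5 hunk 2 (Create Zero Trust certificate) does not run as written: the last `--header` line ends in a trailing `\`, so the shell waits for a continuation line, and there is no `--request POST`, so curl sends a GET even though the sentence above says to send a `POST`. Suggest opening with `curl --request POST \` and dropping the backslash on the final line; the `Content-Type: application/json` header is also unnecessary since the request carries no body. Two gaps in the prose next to it: the dashboard steps let the reader pick an expiry (five years recommended), but the API path neither shows how to set one nor says what the endpoint applies by default, so state one or the other; and the `Authorization: Bearer ` value is blank in the hunk, so confirm the rendered page shows a token placeholder.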
--- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx @@ -40,7 +40,7 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: -Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint. For example: +Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint. ```sh curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \ @@ -66,11 +66,27 @@ Once a certificate is generated in or uploaded to Zero Trust, you need to activa To activate your root certificate: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select the certificate you want to activate. 4. Select **Activate**. + + + + +Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/) endpoint. + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +``` + + + The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Available**, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/). Once you deploy and install your certificate, you can turn it on for use in inspection: 
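Review bot: the same shell problem recurs in PATCH 2/5 hunk 2 (Activate a Zero Trust certificate): the trailing `\` on the last `--header` line and the missing `--request POST` mean the command neither terminates cleanly nor sends the POST the sentence above it describes, and the Content-Type header is again pointless without a body. The `{certificate_id}` path placeholder is introduced here without saying where the value comes from; a short sentence after the block pointing at the `id` returned by the create call (the previous section already says the API responds with the ID and contents) would let a reader chain the two calls.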
From 337e5fa22a8868c337a4f1b43cc2206f2399b771 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 9 Jan 2025 17:21:42 -0600 Subject: [PATCH 3/5] Add set cert to in-use API call --- .../user-side-certificates/index.mdx | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index c6a2a659c42413b..3dce7abfd12ce48 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx @@ -59,7 +59,7 @@ Each Zero Trust account can generate a new root certificate a maximum of three t ## Activate a root certificate :::note -Zero Trust accounts using the Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default. +Zero Trust accounts using the default Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default. ::: Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. You can have up to 25 available certificates at once. 
@@ -91,9 +91,34 @@ The status of the certificate will change to **Pending** while it deploys. Once Once you deploy and install your certificate, you can turn it on for use in inspection: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select the certificate you want to turn on. 4. In **Basic information**, select **Confirm and turn on certificate**. + + + + +Send a `PUT` request to the [Update Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/update/) endpoint. For example: + +```sh +curl --request PUT \ +'https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration' \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "settings": { + "certificate": { + "id": "d1b364c5-1311-466e-a194-f0e943e0799f", + "in_use": true + } + } +}' +``` + + + You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Available** and prevent them from being used for inspection until turned on again. From e08319a1840b45650eb12d1328f32f3f012a4975 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 10 Jan 2025 10:24:45 -0600 Subject: [PATCH 4/5] Add placeholder for cert ID --- .../connect-devices/user-side-certificates/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 3dce7abfd12ce48..289f03a6aa170c0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx 
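Review bot: the `PUT` example in PATCH 3/5 hunk 2 (Update Zero Trust account configuration) embeds a concrete certificate UUID (`"id": "d1b364c5-1311-466e-a194-f0e943e0799f"`); a reader who copies the block pushes an ID that does not exist in their account, so this should be a placeholder in the same form as the `{certificate_id}` used in the activate example (PATCH 4/5 moves in that direction). Since the endpoint is the whole account configuration and the body carries only `settings.certificate`, please say in the text whether this `PUT` preserves the account's other gateway settings or whether readers must include them; the paragraph that follows covers the one-in-use rule but not that. A sentence noting that the certificate must already be Available before `in_use` can be set to `true` would also keep the API path aligned with the dashboard steps, which only reach this point after deployment.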
@@ -112,7 +112,7 @@ curl --request PUT \ --data '{ "settings": { "certificate": { - "id": "d1b364c5-1311-466e-a194-f0e943e0799f", + "id": "", "in_use": true } } From c52ed02c6bd7ff10bee8f46cb6f1d43e5c16c545 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 10 Jan 2025 12:47:46 -0500 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../connect-devices/user-side-certificates/index.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 289f03a6aa170c0..c0371a3652a861c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx @@ -43,9 +43,9 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint. ```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +curl --request POST \ +https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \ +--header "Authorization: Bearer " ``` The API will respond with the ID and contents of the new certificate. 
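Review bot: in PATCH 4/5 the replacement line reads `"id": "",` in the hunk as shown, which is an empty string rather than a visible placeholder; as rendered it would read as a request with a blank certificate ID, so make sure the placeholder text survives and that it uses the same convention as `{certificate_id}` in the activate example so the three API sections are uniform.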
@@ -80,9 +80,9 @@ To activate your root certificate: Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/) endpoint. ```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +curl --request POST \ +https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate \ +--header "Authorization: Bearer " ```
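Review bot: PATCH 5/5 hunks 1 and 2 resolve the `--request POST`, dangling backslash and unneeded Content-Type header points raised on the earlier hunks, so both commands now terminate and send the method the prose describes. Two consistency points remain: the `PUT` example in the in-use section quotes its URL while these two do not, so quote all three the same way; and the `Authorization: Bearer ` value is still blank in the visible lines, so double-check that the token placeholder is present in the rendered page.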