diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx index 71f7d9ac0ff457..8affd8a79afbcf 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx @@ -17,6 +17,13 @@ import { AvailableNotifications, Details, Render } from "~/components" [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). As a SaaS provider, you can [specify configurations for cipher suites](#cipher-suites) on your zone as a whole and cipher suites on individual custom hostnames via the API. + +:::caution +When you [issue a custom hostname certificate](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) with wildcards enabled, any cipher suites or Minimum TLS settings applied to that hostname will only apply to the direct hostname. + +However, if you want to update the Minimum TLS settings for all wildcard hostnames, you can change Minimum TLS version at the [zone level](/ssl/edge-certificates/additional-options/minimum-tls/). +::: + ## Enable mTLS Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with a few clicks. 
@@ -41,7 +48,7 @@ Currently, you cannot add mTLS policies for custom hostnames using [API Shield]( :::note -While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use). +While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use). ::: ## Cipher suites diff --git a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx index 974a6e745f7274..8f69749d9d62dc 100644 --- a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx +++ b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx @@ -35,14 +35,8 @@ For any given hostname, Cloudflare uses the following order to determine which c 4. **Certificate expiration**: If the hostname and certificate type are the same, Cloudflare deploys the certificate with the latest expiration date. -:::caution - - -When you [issue a custom hostname certificate](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) with wildcards enabled, any cipher suites or Minimum TLS settings applied to that hostname will only apply to the direct hostname. - -However, if you want to update the Minimum TLS settings for all wildcard hostnames, you can change the [zone-level Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/). - - +:::note +In this case, when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date and get presented. ::: ***
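Review bot: The new `:::caution` in enforce-mtls.mdx (hunk `@@ -17,6 +17,13 @@`) leaves the scope of "will only apply to the direct hostname" ambiguous, and that is the security-relevant fact an operator needs: say explicitly that a cipher suite or Minimum TLS setting on a wildcard-enabled custom hostname covers that hostname only, not the subdomains the wildcard matches, and state which setting those subdomains fall back to. The second paragraph only tells readers how to raise Minimum TLS for wildcard hostnames (zone level), yet the intro just above says cipher suites can also be "specified on your zone as a whole"; add the same pointer for cipher suites so a reader who tightened ciphers per hostname does not assume the wildcard subdomains inherit them. Minor: the paragraph switches between "Minimum TLS settings" and "Minimum TLS version"; pick one term, e.g. "Minimum TLS version", and use it in both sentences.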
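Review bot: The `:::note` hunk in enforce-mtls.mdx (`@@ -41,7 +48,7 @@`) removes and re-adds a line whose visible text is identical ("While TLS 1.3 is the most recent and secure version ..."), so the change must be trailing whitespace or an invisible character. Either drop this hunk to keep the diff limited to the caution move, or mention the whitespace cleanup in the commit message so the next person reading `git blame` on that line is not puzzled.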
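Review bot: In certificate-and-hostname-priority.mdx (hunk `@@ -35,14 +35,8 @@`) the added note overstates what renewal guarantees: "when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date" only holds when the renewed certificate's validity period extends past the other certificate's expiry, so a short-lived renewal can still sit behind a longer-lived sibling. Suggest "it will typically then have the latest expiration date and be presented", or spell out the condition. "In this case" also lacks an antecedent now that the caution block between item 4 and this note is gone; open with something like "When two certificates for the same hostname and type are deployed, ...". Finally, moving the wildcard caution out of this page removes the only place where priority readers learned that per-hostname cipher suite and Minimum TLS settings do not extend to wildcard subdomains; consider leaving a one-line pointer to the enforce-mtls page so that caveat stays discoverable from the priority reference.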