From 35f4a810df25813846265142f461499e1dfd805a Mon Sep 17 00:00:00 2001 From: Nic <123965403+ngayerie@users.noreply.github.com> Date: Fri, 10 Jan 2025 13:13:52 +0100 Subject: [PATCH 1/2] [SSL] Update certificate-and-hostname-priority.mdx --- .../ssl/reference/certificate-and-hostname-priority.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx index 974a6e745f72749..e0dd5d626847aa0 100644 --- a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx +++ b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx @@ -35,6 +35,12 @@ For any given hostname, Cloudflare uses the following order to determine which c 4. **Certificate expiration**: If the hostname and certificate type are the same, Cloudflare deploys the certificate with the latest expiration date. +:::note + +In this case, when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date and get presented! + +::: + :::caution From d68570e8c18e7f4e832bbdbcee42144cfefc451b Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 15 Jan 2025 16:11:31 +0000 Subject: [PATCH 2/2] Move warning to specific TLS settings page to avoid notes pile --- .../certificate-management/enforce-mtls.mdx | 9 ++++++++- .../certificate-and-hostname-priority.mdx | 14 +------------- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx index 71f7d9ac0ff4576..8affd8a79afbcfe 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx 
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx @@ -17,6 +17,13 @@ import { AvailableNotifications, Details, Render } from "~/components" [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). As a SaaS provider, you can [specify configurations for cipher suites](#cipher-suites) on your zone as a whole and cipher suites on individual custom hostnames via the API. + +:::caution +When you [issue a custom hostname certificate](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) with wildcards enabled, any cipher suites or Minimum TLS settings applied to that hostname will only apply to the direct hostname. + +However, if you want to update the Minimum TLS settings for all wildcard hostnames, you can change Minimum TLS version at the [zone level](/ssl/edge-certificates/additional-options/minimum-tls/). +::: + ## Enable mTLS Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with a few clicks. 
@@ -41,7 +48,7 @@ Currently, you cannot add mTLS policies for custom hostnames using [API Shield]( :::note -While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use). +While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use). ::: ## Cipher suites diff --git a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx index e0dd5d626847aa0..8f69749d9d62dcb 100644 --- a/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx +++ b/src/content/docs/ssl/reference/certificate-and-hostname-priority.mdx 
@@ -36,19 +36,7 @@ For any given hostname, Cloudflare uses the following order to determine which c 4. **Certificate expiration**: If the hostname and certificate type are the same, Cloudflare deploys the certificate with the latest expiration date. :::note - -In this case, when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date and get presented! - -::: - -:::caution - - -When you [issue a custom hostname certificate](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) with wildcards enabled, any cipher suites or Minimum TLS settings applied to that hostname will only apply to the direct hostname. - -However, if you want to update the Minimum TLS settings for all wildcard hostnames, you can change the [zone-level Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/). - - +In this case, when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date and get presented. ::: ***
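Review bot: The `:::note` added in PATCH 1/2 to certificate-and-hostname-priority.mdx (hunk @@ -35,6 +35,12) closes with an exclamation mark and wraps its single sentence in blank lines inside the container, which does not match the other callouts on the page; suggest the neutral form "In this case, when the certificate with the closest expiration date is renewed, it becomes the one with the latest expiration date and is the one presented to clients." It would also help to spell out the operational consequence the sentence implies: under rule 4 a routine renewal changes which certificate the edge serves for that hostname, so anyone verifying the served certificate against a specific one should expect that swap.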
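Review bot: In the enforce-mtls.mdx hunk of PATCH 2/2 (@@ -17,6 +17,13) the new `:::caution` states that cipher suites and Minimum TLS settings on a wildcard-enabled custom hostname apply only to the direct hostname, but then only explains how to change Minimum TLS for the wildcard hostnames (at the zone level) and says nothing about what governs their cipher suites; the caution should either cover both settings or state explicitly which configuration does apply to the wildcard hostnames, otherwise a reader may assume a hostname-level hardening also protects the subdomains it appears to cover. The second sentence also opens with "However" although it introduces no contrast; suggest "To change the Minimum TLS version for all wildcard hostnames, update it at the [zone level](/ssl/edge-certificates/additional-options/minimum-tls/)." Finally, the caution is inserted between the cipher-suite intro paragraph and the "## Enable mTLS" heading, so it reads as part of the cipher-suite discussion even though it is about Minimum TLS as much as cipher suites; placing it under "## Cipher suites" or a shared TLS-settings section would fit better.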
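Review bot: The certificate-and-hostname-priority.mdx hunk of PATCH 2/2 (@@ -36,19 +36,7) deletes the wildcard/Minimum TLS `:::caution` from this page without leaving a pointer, so a reader who arrives at the priority page looking for that behaviour has no way to discover that it now lives in enforce-mtls.mdx; a one-line cross-reference to the Cloudflare for SaaS TLS settings page would preserve discoverability while still avoiding the pile of notes the commit message describes. The retained note drops the exclamation mark, which is good, but "get presented" is still informal for the surrounding text; "is the one presented to clients" would match the register of rule 4 above it.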