From 7cd7694c08b62f24f84fadd34c97cd0886c32eb8 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 3 Feb 2025 13:52:58 -0600 Subject: [PATCH 1/8] Update API variables --- .../user-side-certificates/custom-certificate.mdx | 12 +++++------- .../user-side-certificates/index.mdx | 14 +++++++------- .../partials/cloudflare-one/upload-mtls-cert.mdx | 8 +++----- 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index f4f952b981bd942..19818ef6a2d454e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx @@ -79,12 +79,11 @@ openssl x509 -in .pem -text 1. Verify that the certificate is installed on your devices. 2. - 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). + 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example: ```bash {10} curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "settings": { 
@@ -125,9 +124,8 @@ openssl x509 -in .pem -text 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). ```bash curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` The response will return the certificate and its current deployment status. For example: ```json {6,12} diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 2a08b7a7dc0fca3..9fd14fde6b81913 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx @@ -50,8 +50,8 @@ Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero ```sh curl --request POST \ -https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates \ ---header "Authorization: Bearer " +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` The API will respond with the ID and contents of the new certificate. 
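Review bot: The URL in the `@@ -50,8 +50,8 @@` hunk of index.mdx is left unquoted now that it contains `$ACCOUNT_ID`, so the expanded value is subject to word splitting and globbing, unlike the double-quoted URLs this same patch writes in custom-certificate.mdx. Quote it: `"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates" \`. The activate example in the next hunk (`@@ -87,8 +87,8 @@`) and the step 3 `curl` added in PATCH 4/8 use the same unquoted form.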
@@ -87,8 +87,8 @@ Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/ ```sh curl --request POST \ -https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/certificates/{certificate_id}/activate \ ---header "Authorization: Bearer " +https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` @@ -112,13 +112,13 @@ Send a `PUT` request to the [Update Zero Trust account configuration](/api/resou ```sh curl --request PUT \ -'https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/configuration' \ +'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration' \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ --data '{ "settings": { "certificate": { - "id": "", + "id": "$CERTIFICATE_ID", "in_use": true } } diff --git a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx index 53f372bf29a906b..211c6a8b915d1bc 100644 --- a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx +++ b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx 
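Review bot: In the `PUT` example of the `@@ -112,13 +112,13 @@` hunk, both new variables sit inside single quotes, so a shell will not expand them: the request goes to a path containing the literal text `$ACCOUNT_ID`, and the body carries the literal string `$CERTIFICATE_ID` as the certificate ID. Double-quote the URL as the other examples do, `"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \`, and step out of the single-quoted body for the variable, `"id": "'"$CERTIFICATE_ID"'",`. The same single-quoted `"id": "$CERTIFICATE_ID"` is in the `--data` body added by PATCH 5/8 (`@@ -152,43 +152,15 @@` in custom-certificate.mdx). This request selects the certificate Gateway uses for inspection, so the sample should send the ID the reader actually exported.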
@@ -1,16 +1,14 @@ --- inputParameters: param1 - --- -import { Markdown } from "~/components" +import { Markdown } from "~/components"; Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with `\n` replacing the line breaks. {props.one} ```bash -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificates" \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ +curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mtls_certificates" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ --data '{ "name": "example_ca_cert", From 036a05f772b1431ea76b0d68153dfd56b6632ea1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 3 Feb 2025 15:22:39 -0600 Subject: [PATCH 2/8] Rearrange steps --- .../custom-certificate.mdx | 165 +++++++++--------- .../cloudflare-one/upload-mtls-cert.mdx | 2 +- 2 files changed, 85 insertions(+), 82 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 19818ef6a2d454e..075d6a99ee04fd5 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx 
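Review bot: The `--data '{` body of this example is where the reader supplies the certificate and, going by the sentence above the code block, the private key, so the key would be typed on the command line and end up in shell history and the process argument list. The body continues outside the hunk, so the key field itself is not visible here. While the headers are being reworked, consider showing the body read from a permission-restricted file instead, for example `--data @mtls-cert.json` (constructed filename), with a one-line comment above the command saying the file holds the private key and should be removed after upload.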
@@ -65,92 +65,95 @@ openssl x509 -in .pem -text - - 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. - 2. In **Certificates**, select **Manage**. - 3. Select **Upload certificate**. - 4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. - 5. Select **Generate certificate**. + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. +2. In **Certificates**, select **Manage**. +3. Select **Upload certificate**. +4. Enter the private key and SSL certificate you generated or select **Paste certificate from file** to upload them from a file. +5. Select **Generate certificate**. You can now [use the generated custom root certificate](#use-a-custom-root-certificate) for inspection. - - - - 1. Verify that the certificate is installed on your devices. - 2. - 3. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example: - ```bash {10} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" - } - } - }' - ``` - The response will return the pending status of the certificate. 
For example: - ```json {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {}, - "block_page": {}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {}, - "activity_log": {}, - "browser_isolation": {}, - "fips": {}, - }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" - } - ``` - 4. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - The response will return the certificate and its current deployment status. 
For example: - ```json {6,12} - { - "errors": [], - "messages": [], - "success": true, - "result": { - "binding_status": "active", - "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", - "created_at": "2014-01-01T05:20:00.12345Z", - "expires_on": "2014-01-01T05:20:00.12345Z", - "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "in_use": true, - "issuer_org": "Example Inc.", - "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", - "type": "gateway_managed", - "updated_at": "2014-01-01T05:20:00.12345Z", - "uploaded_on": "2014-01-01T05:20:00.12345Z" + + + +1. 
Verify that the certificate is installed on your devices. +2. +3. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + The response will return the certificate and its current deployment status. For example: + ```json {6,12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "binding_status": "active", + "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "in_use": true, + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "type": "gateway_managed", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": "2014-01-01T05:20:00.12345Z" + } + } + ``` +4. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). 
For example: + ```bash {10} + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --header "Content-Type: application/json" \ + --data '{ + "settings": { + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" } } - ``` - Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. - + }' + ``` + The response will return the pending status of the certificate. For example: + ```json {13} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {}, + "block_page": {}, + "custom_certificate": + { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {}, + "activity_log": {}, + "browser_isolation": {}, + "fips": {}, + }, + }, + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` + +Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. + + + :::caution[Private key visibility] diff --git a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx index 211c6a8b915d1bc..7f62652d5f7b83b 100644 --- a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx +++ b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx 
@@ -29,7 +29,7 @@ The response will return a UUID for the certificate. For example: "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", "name": "example_ca_cert", "issuer": "O=Example Inc.,L=California,ST=San Francisco,C=US", - "signature": "SHA256WithRSA" + "signature": "SHA256WithRSA", ... } } From 31caaa1dede590cc7814395c993653c17c301b3a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 3 Feb 2025 15:33:34 -0600 Subject: [PATCH 3/8] Edit step 3 --- .../custom-certificate.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 075d6a99ee04fd5..b8ac003bd90081b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx 
@@ -85,25 +85,25 @@ openssl x509 -in .pem -text "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` - The response will return the certificate and its current deployment status. For example: + The response will return the certificate and a `pending_deployment` binding status. For example: ```json {6,12} { "errors": [], "messages": [], "success": true, "result": { - "binding_status": "active", - "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", - "created_at": "2014-01-01T05:20:00.12345Z", - "expires_on": "2014-01-01T05:20:00.12345Z", - "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "in_use": false, "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "in_use": true, + "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", - "type": "gateway_managed", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "binding_status": "pending_deployment", + "type": "custom", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z", } } ``` From 9e58f40845a698503ba8de6745bcc7b508011b90 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 3 Feb 2025 16:15:47 -0600 Subject: [PATCH 4/8] Add optional step 4 --- .../custom-certificate.mdx | 182 +++++++++++------- 1 file changed, 110 insertions(+), 72 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index b8ac003bd90081b..55f9e72d5c0a929 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx 
@@ -77,78 +77,116 @@ openssl x509 -in .pem -text -1. Verify that the certificate is installed on your devices. -2. -3. Activate the certificate for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - The response will return the certificate and a `pending_deployment` binding status. For example: - ```json {6,12} - { - "errors": [], - "messages": [], - "success": true, - "result": { - "in_use": false, - "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlf
KO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", - "issuer_org": "Example Inc.", - "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", - "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", - "binding_status": "pending_deployment", - "type": "custom", - "updated_at": "2014-01-01T05:20:00.12345Z", - "uploaded_on": "2014-01-01T05:20:00.12345Z" - "created_at": "2014-01-01T05:20:00.12345Z", - "expires_on": "2014-01-01T05:20:00.12345Z", - } - } - ``` -4. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example: - ```bash {10} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" - } - } - }' - ``` - The response will return the pending status of the certificate. For example: - ```json {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {}, - "block_page": {}, - "custom_certificate": - { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {}, - "activity_log": {}, - "browser_isolation": {}, - "fips": {}, - }, - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" - } - ``` + +1. + +2. Set the certificate as available for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). 
This will deploy the certificate across the Cloudflare global network. + + ```sh + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + + The response will return the certificate and a `pending_deployment` binding status. For example: + + ```json {12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "in_use": false, + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "binding_status": "pending_deployment", + "type": "custom", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": "2014-01-01T05:20:00.12345Z", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z" + } + } + ``` + +3. Use the Get Zero Trust certificate details endpoint to verify the certificate's binding status is set to `available`. 
+ + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + + ```json {12} + { + "errors": [], + "messages": [], + "success": true, + "result": { + "in_use": false, + "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", + "certificate": "-----BEGIN CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", + "issuer_org": "Example Inc.", + "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", + "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", + "binding_status": "available", + "type": "custom", + "updated_at": "2014-01-01T05:20:00.12345Z", + "uploaded_on": 
"2014-01-01T05:20:00.12345Z", + "created_at": "2014-01-01T05:20:00.12345Z", + "expires_on": "2014-01-01T05:20:00.12345Z" + } + } + ``` + +4. (Optional) Verify the certificate is installed on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/). + +5. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example: + + ```sh {10} + curl --request PATCH \ + "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --header "Content-Type: application/json" \ + --data '{ + "settings": { + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" + } + } + }' + ``` + + The response will return the pending status of the certificate. For example: + + ```json {13} + { + "success": true, + "errors": [], + "messages": [], + "result": { + "settings": { + "antivirus": {}, + "block_page": {}, + "custom_certificate": { + "enabled": true, + "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", + "binding_status": "pending_deployment", + "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" + }, + "tls_decrypt": {}, + "activity_log": {}, + "browser_isolation": {}, + "fips": {} + } + }, + "created_at": "2014-01-01T05:20:00.12345Z", + "updated_at": "2014-01-01T05:20:00.12345Z" + } + ``` Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. From 6d449451e503ca2f649824d4af6aca1b1f18fdb9 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 3 Feb 2025 16:23:23 -0600 Subject: [PATCH 5/8] Edit step 5 --- .../custom-certificate.mdx | 38 +++---------------- 1 file changed, 5 insertions(+), 33 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 55f9e72d5c0a929..9a3e469d229c550 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx @@ -143,7 +143,7 @@ openssl x509 -in .pem -text 4. (Optional) Verify the certificate is installed on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/). -5. Deploy the certificate in Gateway using the certificate's UUID with the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example: +5. Use the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) to turn on the certificate for use in inspection. For example: ```sh {10} curl --request PATCH \ 
@@ -152,43 +152,15 @@ openssl x509 -in .pem -text --header "Content-Type: application/json" \ --data '{ "settings": { - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60" + "certificate": { + "id": "$CERTIFICATE_ID", + "in_use": true } } }' ``` - The response will return the pending status of the certificate. For example: - - ```json {13} - { - "success": true, - "errors": [], - "messages": [], - "result": { - "settings": { - "antivirus": {}, - "block_page": {}, - "custom_certificate": { - "enabled": true, - "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60", - "binding_status": "pending_deployment", - "qs_pack_id": "50a78g31-a5b5-4k58d-a6ed-b0ac17da9k05" - }, - "tls_decrypt": {}, - "activity_log": {}, - "browser_isolation": {}, - "fips": {} - } - }, - "created_at": "2014-01-01T05:20:00.12345Z", - "updated_at": "2014-01-01T05:20:00.12345Z" - } - ``` - -Once `binding_status` changes to `active`, Gateway will sign your traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account. +Once `in-use` is set to `true`, Gateway will sign your traffic using the custom root certificate and private key. If you turn off or deactivate the custom certificate, Gateway will revert to the next available Cloudflare certificate generated for your Zero Trust account. From efb2b1a3e07477415bcfcab3f8ce8989674d81e9 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 3 Feb 2025 16:23:40 -0600 Subject: [PATCH 6/8] Edit partial --- src/content/partials/cloudflare-one/upload-mtls-cert.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx index 7f62652d5f7b83b..45c9572203fc343 100644 --- a/src/content/partials/cloudflare-one/upload-mtls-cert.mdx 
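Review bot: The added closing sentence names the field `in-use`, but the request body in this same hunk sets `"in_use": true` and the response samples elsewhere in the file use `in_use`. A reader checking the API response for `in-use` will not find it. Change the sentence to start ``Once `in_use` is set to `true`, Gateway will sign your traffic …``.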
+++ b/src/content/partials/cloudflare-one/upload-mtls-cert.mdx @@ -6,7 +6,7 @@ import { Markdown } from "~/components"; Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with `\n` replacing the line breaks. {props.one} -```bash +```sh curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mtls_certificates" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --header "Content-Type: application/json" \ From 4db2b3bddd6d6c43f515055c2b8603223bfeb25f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 4 Feb 2025 17:29:13 -0500 Subject: [PATCH 7/8] Apply suggestions from code review Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --- .../user-side-certificates/custom-certificate.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 9a3e469d229c550..7c0376c82e8f9c7 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx @@ -112,7 +112,7 @@ openssl x509 -in .pem -text } ``` -3. Use the Get Zero Trust certificate details endpoint to verify the certificate's binding status is set to `available`. +3. Use the [Get Zero Trust certificate details endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/get/) to verify the certificate's binding status is set to `available`. ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID \ 
@@ -145,7 +145,7 @@ openssl x509 -in .pem -text 5. Use the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) to turn on the certificate for use in inspection. For example: - ```sh {10} + ```sh {9} curl --request PATCH \ "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ From 4e24c23a845fda6bae4f82e69007f5d2286f17c2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 4 Feb 2025 16:32:29 -0600 Subject: [PATCH 8/8] Redact cert contents --- .../user-side-certificates/custom-certificate.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 7c0376c82e8f9c7..f4f1d7666f3d4cc 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx @@ -98,7 +98,7 @@ openssl x509 -in .pem -text "result": { "in_use": false, "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", + "certificate": "-----BEGIN CERTIFICATE-----\\n ... \\n-----END CERTIFICATE-----\\n", "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", 
@@ -127,7 +127,7 @@ openssl x509 -in .pem -text "result": { "in_use": false, "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", - "certificate": "-----BEGIN CERTIFICATE-----\\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\\n-----END CERTIFICATE-----\\n", + "certificate": "-----BEGIN CERTIFICATE-----\\n ... \\n-----END CERTIFICATE-----\\n", "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",