From 88922db772150e0d5c7d1f3f36a393da524bebe5 Mon Sep 17 00:00:00 2001 From: Matt Bullock Date: Tue, 4 Feb 2025 14:42:58 +0000 Subject: [PATCH 1/4] Update configure.mdx changed to Cf-Cert-Issuer-Ski --- src/content/docs/api-shield/security/mtls/configure.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/api-shield/security/mtls/configure.mdx b/src/content/docs/api-shield/security/mtls/configure.mdx index fb0cd3b488ab132..242c169d261e345 100644 --- a/src/content/docs/api-shield/security/mtls/configure.mdx +++ b/src/content/docs/api-shield/security/mtls/configure.mdx 
@@ -41,22 +41,22 @@ The second expression uses the `http.request.uri.path` field, combined with the Because the [action](/ruleset-engine/rules-language/actions/) for your rule is _Block_, only requests that present a valid client certificate can access the specified hosts. -For enhanced security, Cloudflare recommends that you validate the SHA-256 certificate hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific fingerprint are allowed. +For enhanced security, Cloudflare recommends that you validate the Issuer Subject Key Identifer (SKI) hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific issuer are allowed. You can implement this by using an expression similar to the following: ```txt -not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 eq "253E08C1AB67EB7630C61734D377D75D5DCCDE2F6E69986C221D66E848B64321") +not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_issuer_ski eq "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E9F") ``` To obtain the SHA-256 fingerprint of a client certificate stored in the `mtls.crt` file, you can run the following OpenSSL command: ```sh -openssl x509 -noout -fingerprint -sha256 -inform pem -in mtls.crt | cut -d "=" -f 2 | tr -d ':' +openssl x509 -noout -ext authorityKeyIdentifier -in mtls.crt | tail -n1 | tr -d ':' | awk '{$1=$1};1' ``` ```txt output -253E08C1AB67EB7630C61734D377D75D5DCCDE2F6E69986C221D66E848B64321 +A5AC554235DBA6D963B9CDE0185CFAD6E3F55E9F ``` ### Check for revoked certificates From 94643fdf200846885b0df59fbb5904beb730d33c Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 4 Feb 2025 14:44:57 +0000 Subject: [PATCH 2/4] Fix typo --- src/content/docs/api-shield/security/mtls/configure.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/api-shield/security/mtls/configure.mdx b/src/content/docs/api-shield/security/mtls/configure.mdx index 242c169d261e345..45f1ff8d44e6f31 100644 --- a/src/content/docs/api-shield/security/mtls/configure.mdx +++ b/src/content/docs/api-shield/security/mtls/configure.mdx @@ -41,7 +41,7 @@ The second expression uses the `http.request.uri.path` field, combined with the Because the [action](/ruleset-engine/rules-language/actions/) for your rule is _Block_, only requests that present a valid client certificate can access the specified hosts. -For enhanced security, Cloudflare recommends that you validate the Issuer Subject Key Identifer (SKI) hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific issuer are allowed. +For enhanced security, Cloudflare recommends that you validate the Issuer Subject Key Identifier (SKI) hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific issuer are allowed. You can implement this by using an expression similar to the following: From e52922fc368405791455ab02cb3c430fa257bf94 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 4 Feb 2025 14:48:55 +0000 Subject: [PATCH 3/4] Apply suggestions from PCX review --- src/content/docs/api-shield/security/mtls/configure.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/api-shield/security/mtls/configure.mdx b/src/content/docs/api-shield/security/mtls/configure.mdx index 45f1ff8d44e6f31..f261ab698fa04ec 100644 --- a/src/content/docs/api-shield/security/mtls/configure.mdx +++ b/src/content/docs/api-shield/security/mtls/configure.mdx 
@@ -41,7 +41,7 @@ The second expression uses the `http.request.uri.path` field, combined with the Because the [action](/ruleset-engine/rules-language/actions/) for your rule is _Block_, only requests that present a valid client certificate can access the specified hosts. -For enhanced security, Cloudflare recommends that you validate the Issuer Subject Key Identifier (SKI) hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific issuer are allowed. +For enhanced security, Cloudflare recommends that you validate the issuer Subject Key Identifier (SKI) hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific issuer are allowed. You can implement this by using an expression similar to the following: @@ -49,7 +49,7 @@ You can implement this by using an expression similar to the following: not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_issuer_ski eq "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E9F") ``` -To obtain the SHA-256 fingerprint of a client certificate stored in the `mtls.crt` file, you can run the following OpenSSL command: +To obtain the issuer Subject Key Identifier (SKI) hash of a client certificate stored in the `mtls.crt` file, you can run the following OpenSSL command: ```sh openssl x509 -noout -ext authorityKeyIdentifier -in mtls.crt | tail -n1 | tr -d ':' | awk '{$1=$1};1' From cea255300ccc2a2d6c38b823b4e857a22692bfb8 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 4 Feb 2025 15:04:43 +0000 Subject: [PATCH 4/4] Replacing awk with another character removal using tr --- src/content/docs/api-shield/security/mtls/configure.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/api-shield/security/mtls/configure.mdx b/src/content/docs/api-shield/security/mtls/configure.mdx index f261ab698fa04ec..e876df40120e0f1 100644 --- a/src/content/docs/api-shield/security/mtls/configure.mdx +++ b/src/content/docs/api-shield/security/mtls/configure.mdx @@ -52,7 +52,7 @@ not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_issuer_ski eq To obtain the issuer Subject Key Identifier (SKI) hash of a client certificate stored in the `mtls.crt` file, you can run the following OpenSSL command: ```sh -openssl x509 -noout -ext authorityKeyIdentifier -in mtls.crt | tail -n1 | tr -d ':' | awk '{$1=$1};1' +openssl x509 -noout -ext authorityKeyIdentifier -in mtls.crt | tail -n1 | tr -d ': ' ``` ```txt output
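Review bot: in the `@@ -41,22 +41,22 @@` hunk of patch 1/4 the sentence "To obtain the SHA-256 fingerprint of a client certificate stored in the `mtls.crt` file" is left unchanged while the command below it now prints the Authority Key Identifier, so this revision of the page contradicts itself until patch 3/4 rewrites that sentence; that fix belongs in the same commit. Separately, the hunk replaces a per-certificate pin (`cert_fingerprint_sha256`) with a per-issuer check (`cert_issuer_ski`) but keeps the wording "For enhanced security", which now reads as if the issuer check were stronger. It is a different scope: the old expression admitted exactly one certificate, the new one admits every certificate chaining to that CA, which is useful when more than one CA has been uploaded to the zone but not a tightening. Suggest a sentence stating that trade-off and when each field is the right choice.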
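Review bot: in the `@@ -49,7 +49,7 @@` hunk of patch 3/4, "the issuer Subject Key Identifier (SKI) hash of a client certificate" names the value in a way that does not match what the command extracts. `openssl x509 -ext authorityKeyIdentifier` reads the client certificate's Authority Key Identifier extension, whose keyIdentifier is expected to equal the issuing CA's Subject Key Identifier; calling it "of a client certificate" is confusing for readers who know the extension by its own name, and "hash" is not accurate in general, since RFC 5280 only recommends deriving the identifier from a SHA-1 of the public key and a CA may use any value. Suggest: "To obtain the issuer's Subject Key Identifier, read the Authority Key Identifier extension of a client certificate it issued (stored in `mtls.crt`):".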
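Review bot: in the `@@ -52,7 +52,7 @@` hunk of patch 4/4, `tail -n1 | tr -d ': '` only produces the 40-hex-character value shown in the output block when the AKI extension is printed as a single bare key identifier line, which is what OpenSSL 3.x does; the `-ext` option itself needs OpenSSL 1.1.1 or later. On OpenSSL 1.1.1 the line is printed as `keyid:A5:AC:...`, so the pipeline yields `keyidA5AC...`, and when the CA also populated authorityCertIssuer and authorityCertSerialNumber the last line is the `serial:` component rather than the key identifier; either way the result never matches `cf.tls_client_auth.cert_issuer_ski` and the rule blocks every request. Suggest extracting the colon-separated 20-byte value explicitly, which works on both OpenSSL branches and ignores the extra components:
`openssl x509 -noout -ext authorityKeyIdentifier -in mtls.crt | grep -o -E '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n1 | tr -d ':'`
and telling readers that the expected result is exactly 40 hexadecimal characters so a wrong line is noticed before the rule is deployed.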