diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index 9d946b80736da2d..d0d129c3a39e2ec 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx @@ -9,7 +9,7 @@ description: Cloudflare mTLS now supports client certificates that have not been Cloudflare mTLS. --- -import { Render, APIRequest, Tabs, TabItem } from "~/components"; +import { APIRequest, Render, TabItem, Tabs, DashButton } from "~/components"; This page explains how you can manage client certificates that have not been issued by Cloudflare CA. For a broader overview, refer to the [mTLS at Cloudflare learning path](/learning-paths/mtls/concepts/). @@ -85,11 +85,13 @@ If you wish to remove the association from the Cloudflare-managed certificate an -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain. -2. Go to **SSL/TLS** > **Client Certificates**. -3. On the **Hosts** section of the **Client Certificates** card, select **Edit**. -4. Select the cross next to the hostname you want to remove. The list of hostname associations will be updated. -5. Select **Save** to confirm. +1. In the Cloudflare dashboard, go to the **Client Certificates** page. + + + +2. On the **Hosts** section of the **Client Certificates** card, select **Edit**. +3. Select the cross next to the hostname you want to remove. The list of hostname associations will be updated. +4. Select **Save** to confirm. diff --git a/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx b/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx index 17d7ac6ff44f60d..46d1ce64268e124 100644 --- a/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx +++ b/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx 
@@ -6,13 +6,15 @@ sidebar: --- -import { Details } from "~/components"; +import { Details, DashButton } from "~/components"; To create a client certificate on the Cloudflare dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone/domain. -2. Go to **SSL/TLS** > **Client Certificates**. -3. Select **Create Certificate** and fill in the required fields. You can choose one of the following options: +1. In the Cloudflare dashboard, go to the **Client Certificates** page. + + + +2. Select **Create Certificate** and fill in the required fields. You can choose one of the following options: - Generate a private key and Certificate Signing Request (CSR) with Cloudflare. - Use your own private key and CSR. This option allows you to also [label client certificates](/ssl/client-certificates/label-client-certificate/). @@ -31,9 +33,9 @@ To create a client certificate on the Cloudflare dashboard: Client certificates created on the dashboard are issued by a [Cloudflare-managed CA](/ssl/client-certificates/#how-it-works). If you need to use certificates issued by another CA, use the API to [bring your own CA](/ssl/client-certificates/byo-ca/) instead. ::: -4. Select a value for **Certificate Validity**, and choose **Create**. -5. Make sure to copy the certificate and private key as they will no longer be displayed after creation. -6. Select **OK** to confirm. +3. Select a value for **Certificate Validity**, and choose **Create**. +4. Make sure to copy the certificate and private key as they will no longer be displayed after creation. +5. Select **OK** to confirm. ## Next steps diff --git a/src/content/docs/ssl/client-certificates/enable-mtls.mdx b/src/content/docs/ssl/client-certificates/enable-mtls.mdx index ddee6e4700ea5ae..eab74d6fc3d220b 100644 --- a/src/content/docs/ssl/client-certificates/enable-mtls.mdx +++ b/src/content/docs/ssl/client-certificates/enable-mtls.mdx 
@@ -6,20 +6,22 @@ sidebar: --- -import { Render } from "~/components" +import { Render, DashButton } from "~/components" You can enable mutual Transport Layer Security (mTLS) for any hostname. To enable mTLS for a host from the Cloudflare dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain. -2. Go to **SSL/TLS** > **Client Certificates**. -3. On the **Hosts** section of the **Client Certificates** card, select **Edit**. -4. Enter the name of a host in your current domain. +1. In the Cloudflare dashboard, go to the **Client Certificates** page. + + + +2. On the **Hosts** section of the **Client Certificates** card, select **Edit**. +3. Enter the name of a host in your current domain. :::note The domain (`example.com`) is automatically appended for you. This means that, if you want to enable mTLS for `abc.example.com`, you only need to type `abc`. ::: -5. Select **Save** to confirm. +4. Select **Save** to confirm. ## CAs in use diff --git a/src/content/docs/ssl/client-certificates/revoke-client-certificate.mdx b/src/content/docs/ssl/client-certificates/revoke-client-certificate.mdx index 86f28143bc1d85d..a284117ab0d6887 100644 --- a/src/content/docs/ssl/client-certificates/revoke-client-certificate.mdx +++ b/src/content/docs/ssl/client-certificates/revoke-client-certificate.mdx 
@@ -6,16 +6,20 @@ sidebar: --- +import { DashButton } from "~/components"; + You can revoke a client certificate you previously generated with the default [Cloudflare Managed CA](/ssl/client-certificates/). -It is not possible to permanently delete client certificates generated with the default Cloudflare Managed CA. Once revoked, these client certificates will still be listed in **SSL/TLS > Client Certificates**, and can be restored at any time. +It is not possible to permanently delete client certificates generated with the default Cloudflare Managed CA. Once revoked, these client certificates will still be listed on the [**Client Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates) page, and can be restored at any time. ## Steps -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and application. -2. Go to **SSL** > **Client Certificates**. -3. Select the certificate you want to revoke. -4. Select **Revoke** and confirm the operation. +1. In the Cloudflare dashboard, go to the **Client Certificates** page. + + + +2. Select the certificate you want to revoke. +3. Select **Revoke** and confirm the operation. :::caution[Important] diff --git a/src/content/docs/ssl/client-certificates/troubleshooting.mdx b/src/content/docs/ssl/client-certificates/troubleshooting.mdx index e44fd8e5ef67992..e0bbab28bedc561 100644 --- a/src/content/docs/ssl/client-certificates/troubleshooting.mdx +++ b/src/content/docs/ssl/client-certificates/troubleshooting.mdx @@ -9,6 +9,8 @@ head: content: Troubleshooting client certificates --- +import { DashButton } from "~/components"; + If your query returns an error even after configuring and embedding a client SSL certificate, check the following settings. --- 
@@ -33,9 +35,11 @@ Check whether [mTLS has been enabled](/ssl/client-certificates/enable-mtls/) for ## Review mTLS rules -To review mTLS rules: +To review mTLS rules, consider the steps below. For further guidance refer to [Custom rules](/waf/custom-rules/create-dashboard/). + +1. In the Cloudflare dashboard, go to the **Security rules** page. -1. Select **Security** > **WAF** > **Custom rules**. + 2. On a specific rule, select **Edit**. @@ -48,4 +52,4 @@ To review mTLS rules: (http.host in {"api.trackers.ninja"} and not cf.tls_client_auth.cert_verified) ``` -4. To edit the rule, either use the user interface or select **Edit expression**. +4. To edit the rule, either use the user interface or select **Edit expression**. \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/additional-options/always-use-https.mdx b/src/content/docs/ssl/edge-certificates/additional-options/always-use-https.mdx index 9c371bd128b6c6b..14636ead14f629c 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/always-use-https.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/always-use-https.mdx @@ -8,7 +8,7 @@ sidebar: order: 15 --- -import { FeatureTable, TabItem, Tabs } from "~/components"; +import { FeatureTable, TabItem, Tabs, DashButton } from "~/components"; Always Use HTTPS redirects all your visitor requests from `http` to `https`, for all subdomains and hosts in your application. 
@@ -36,10 +36,13 @@ If only some parts of your application can support HTTPS traffic, do not enable To enable **Always Use HTTPS** in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. In **SSL/TLS** > **Overview**, make sure that your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/off/) **is not** set to **Off**. When you set your encryption mode to **Off**, the **Always Use HTTPS** option will not be visible in your Cloudflare dashboard. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **Always Use HTTPS**, switch the toggle to **On**. +1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page. + + + +2. Make sure that your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/off/) is not set to **Off**. When you set your encryption mode to **Off**, the **Always Use HTTPS** option will not be visible in your Cloudflare dashboard. +3. Go to the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page. +4. Turn on **Always Use HTTPS**. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/automatic-https-rewrites.mdx b/src/content/docs/ssl/edge-certificates/additional-options/automatic-https-rewrites.mdx index ceaa3505ba2957c..9c9ceb393ce1705 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/automatic-https-rewrites.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/automatic-https-rewrites.mdx @@ -5,7 +5,7 @@ sidebar: order: 14 --- -import { FeatureTable, Render, TabItem, Tabs } from "~/components"; +import { FeatureTable, Render, TabItem, Tabs, DashButton } from "~/components"; Automatic HTTPS Rewrites prevents end users from seeing "mixed content" errors by rewriting URLs from `http` to `https` for resources or links on your web site that can be served with HTTPS. 
@@ -31,9 +31,11 @@ For security reasons, this feature will run on URLs pointing to `localhost` if t To enable **Automatic HTTPS Rewrites** in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. For **Automatic HTTPS Rewrites**, switch the toggle to **On**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Automatic HTTPS Rewrites**, switch the toggle to **On**. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/certificate-signing-requests.mdx b/src/content/docs/ssl/edge-certificates/additional-options/certificate-signing-requests.mdx index f549af09ed51ad7..ceddb22bfdb6ca0 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/certificate-signing-requests.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/certificate-signing-requests.mdx @@ -5,7 +5,7 @@ sidebar: order: 11 --- -import { FeatureTable, Render } from "~/components"; +import { FeatureTable, Render, DashButton } from "~/components"; 
@@ -24,19 +24,20 @@ You can create two types of CSRs: To create a CSR: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and an application. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. On **Certificate Signing Request (CSR)**, select **Generate**. -4. Choose a **Scope** (only [certain customers](#types-of-csrs) can choose **Account**). -5. Enter relevant information on the form and select **Create**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. On **Certificate Signing Request (CSR)**, select **Generate**. +3. Choose a **Scope** (only [certain customers](#types-of-csrs) can choose **Account**). +4. Enter relevant information on the form and select **Create**. To use a CSR: -1. Go to **SSL/TLS** > **Edge Certificates**. -2. On **Certificate Signing Request (CSR)**, select the record you just created. -3. Copy (or select **Click to copy**) the value for **Certificate Signing Request**. -4. Obtain a certificate from the Certificate Authority (CA) of your choice using your CSR. -5. When you [upload the custom certificate](/ssl/edge-certificates/custom-certificates/uploading/) to Cloudflare, select an **Encoding mode** of **Certificate Signing Request (CSR)** and enter the associated value. +1. On the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page, select the CSR record you just created under **Certificate Signing Request (CSR)**. +2. Copy (or select **Click to copy**) the value for **Certificate Signing Request**. +3. Obtain a certificate from the Certificate Authority (CA) of your choice using your CSR. +4. When you [upload the custom certificate](/ssl/edge-certificates/custom-certificates/uploading/) to Cloudflare, select an **Encoding mode** of **Certificate Signing Request (CSR)** and enter the associated value. 
:::note You will not see the option to adjust your **Encoding Mode** until after you have created a CSR associated with the specific zone or your account. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx index ea12b920d3b957b..86747ec3af66ae9 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx @@ -36,7 +36,7 @@ CT Monitoring alerts are triggered not only by Cloudflare processes - including ## Opt in and out -Alerts are turned off by default. If you want to receive alerts, go to [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates#ct-alerting-card) and enable **Certificate Transparency Monitoring**. If you are in a Business or Enterprise zone, select **Add Email**. +Alerts are turned off by default. If you want to receive alerts, go to the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates#ct-alerting-card) page and enable **Certificate Transparency Monitoring**. If you are in a Business or Enterprise zone, select **Add Email**. To stop receiving alerts, disable **Certificate Transparency Monitoring** or remove your email from the feature card. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx index 0f5ae7390f76755..7d00bab1a1c95a2 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx 
@@ -22,7 +22,7 @@ Note that: - Updating the cipher suites will result in certificates being redeployed. - Cipher suites are used in combination with other [SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings). - You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/). -- Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates). +- Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page. - It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](/pages/) hostnames. - If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx index 1ed05465d9bf605..2fcda90e7b95fef 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx 
+++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx @@ -6,7 +6,7 @@ sidebar: label: Use the dashboard --- -import { Render, Details } from "~/components"; +import { Render, Details, DashButton } from "~/components"; 
@@ -28,20 +28,22 @@ For any of the modes, you should keep in mind the following configuration condit * Each cipher suite also supports a specific algorithm (RSA or ECDSA), so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate - listed in [**SSL/TLS** > **Edge - Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates). + listed on the [**Edge + Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page. * It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](/pages/) hostnames. ## Steps -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. For the **Cipher suites** setting select **Configure**. -4. Choose a mode to select your cipher suites and select **Next**. -5. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA). -6. Select **Save** to confirm. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For the **Cipher suites** setting select **Configure**. +3. Choose a mode to select your cipher suites and select **Next**. +4. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA). +5. Select **Save** to confirm. :::note[Modern or PCI DSS] When used with [TLS 1.3](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13), Modern is the same as PCI DSS. 
diff --git a/src/content/docs/ssl/edge-certificates/additional-options/http-strict-transport-security.mdx b/src/content/docs/ssl/edge-certificates/additional-options/http-strict-transport-security.mdx index 4685820263f7bc5..902b15757da4ea1 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/http-strict-transport-security.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/http-strict-transport-security.mdx @@ -5,7 +5,7 @@ sidebar: order: 4 --- -import { FeatureTable, TabItem, Tabs } from "~/components"; +import { FeatureTable, TabItem, Tabs, DashButton } from "~/components"; HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies. @@ -53,14 +53,15 @@ If you remove HTTPS before disabling HSTS or before waiting for the duration of To enable HSTS using the dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Select your website. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**. -5. Read the dialog and select **I understand**. -6. Select **Next**. -7. Configure the [HSTS settings](#configuration-settings). -8. Select **Save**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**. +3. Read the dialog and select **I understand**. +4. Select **Next**. +5. Configure the [HSTS settings](#configuration-settings). +6. Select **Save**. 
@@ -78,13 +79,14 @@ To enable HSTS on a specific subdomain only, configure a [subdomain setup](/dns/ To disable HSTS on your website: -1. Log in to the Cloudflare dashboard and select your account. -2. Select your website. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**. -5. Set the **Max Age Header** to **0 (Disable)**. -6. If you previously enabled the **No-Sniff** header and want to remove it, set it to **Off**. -7. Select **Save**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**. +3. Set the **Max Age Header** to **0 (Disable)**. +4. If you previously enabled the **No-Sniff** header and want to remove it, set it to **Off**. +5. Select **Save**. ## Configuration settings diff --git a/src/content/docs/ssl/edge-certificates/additional-options/index.mdx b/src/content/docs/ssl/edge-certificates/additional-options/index.mdx index 9eb81162b29a1f3..c1693d4ab65c533 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/index.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/index.mdx @@ -10,6 +10,6 @@ sidebar: import { DirectoryListing } from "~/components" -Once you set up SSL/TLS on your application, you can adjust the following settings in **SSL/TLS** > **Edge Certificates**: +Once you set up SSL/TLS on your application, you can adjust the following settings on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page: diff --git a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx index 513c0d02d0000cc..d70ce41ab8ccf90 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/minimum-tls.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 13 --- -import { FeatureTable, TabItem, Tabs, APIRequest, Render } from "~/components"; +import { FeatureTable, TabItem, Tabs, APIRequest, Render, DashButton } from "~/components"; Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer. @@ -43,10 +43,11 @@ To manage the TLS version applied to your whole zone when proxied through Cloudf -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account. -2. Select your website. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **Minimum TLS Version**, select an option. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Minimum TLS Version**, select an option. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/opportunistic-encryption.mdx b/src/content/docs/ssl/edge-certificates/additional-options/opportunistic-encryption.mdx index d972fb534177e80..71f3b4d7949082a 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/opportunistic-encryption.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/opportunistic-encryption.mdx @@ -3,7 +3,7 @@ pcx_content_type: concept title: Opportunistic Encryption --- -import { FeatureTable, Render, TabItem, Tabs } from "~/components"; +import { FeatureTable, Render, TabItem, Tabs, DashButton } from "~/components"; Opportunistic Encryption allows browsers to access HTTP URIs over an encrypted TLS channel. It's not a substitute for HTTPS, but provides additional security for otherwise vulnerable requests. 
@@ -21,9 +21,11 @@ You do not need to configure your origin web server to support Opportunistic Enc To enable Opportunistic Encryption in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. For **Opportunistic Encryption**, switch the toggle to **On**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Opportunistic Encryption**, switch the toggle to **On**. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/tls-13.mdx b/src/content/docs/ssl/edge-certificates/additional-options/tls-13.mdx index b66eccbc35b1320..ffc906b349377a9 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/tls-13.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/tls-13.mdx @@ -5,7 +5,7 @@ sidebar: order: 12 --- -import { Details, FeatureTable, Render, TabItem, Tabs } from "~/components"; +import { Details, FeatureTable, Render, TabItem, Tabs, DashButton } from "~/components"; TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance. @@ -27,9 +27,11 @@ TLS 1.3 can be activated in the Cloudflare dashboard or through the API: To enable TLS 1.3 in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. For **TLS 1.3**, switch the toggle to **On**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **TLS 1.3**, switch the toggle to **On**. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/total-tls/enable.mdx b/src/content/docs/ssl/edge-certificates/additional-options/total-tls/enable.mdx index fe652031dd2d3f6..7e2a6bbefa418b2 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/total-tls/enable.mdx 
+++ b/src/content/docs/ssl/edge-certificates/additional-options/total-tls/enable.mdx @@ -8,7 +8,7 @@ head: content: Enable Total TLS --- -import { Render, TabItem, Tabs } from "~/components"; +import { Render, TabItem, Tabs, DashButton } from "~/components"; To enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) - which issues individual certificates for your proxied hostnames - follow these instructions: @@ -16,10 +16,11 @@ To enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) - wh To enable Total TLS in the dashboard: -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). -2. Choose your account and domain. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **Total TLS**, switch the toggle to **On** and - if desired - choose an issuing **Certificate Authority**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Total TLS**, switch the toggle to **On** and - if desired - choose an issuing **Certificate Authority**. diff --git a/src/content/docs/ssl/edge-certificates/advanced-certificate-manager/manage-certificates.mdx b/src/content/docs/ssl/edge-certificates/advanced-certificate-manager/manage-certificates.mdx index 0ba4fdaa279e087..f53389ec46deb16 100644 --- a/src/content/docs/ssl/edge-certificates/advanced-certificate-manager/manage-certificates.mdx +++ b/src/content/docs/ssl/edge-certificates/advanced-certificate-manager/manage-certificates.mdx 
@@ -8,29 +8,31 @@ description: Learn how to create, delete and perform other operations to manage your Cloudflare Advanced SSL certificates. --- -import { AvailableNotifications, Render, TabItem, Tabs } from "~/components"; +import { AvailableNotifications, Render, TabItem, Tabs, DashButton } from "~/components"; ## Create a certificate If you are using an existing [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/), Cloudflare will automatically replace this certificate once you finish ordering your advanced certificate. -Once you order a certificate, you can review the [certificate's status](/ssl/reference/certificate-statuses/) in the dashboard at **SSL/TLS** > **Edge Certificates** or via the API with a [GET request](/api/resources/ssl/subresources/certificate_packs/methods/list/). +Once you order a certificate, you can review the [certificate's status](/ssl/reference/certificate-statuses/) on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or via the API with a [GET request](/api/resources/ssl/subresources/certificate_packs/methods/list/). To create a new advanced certificate in the dashboard: -1. Log in to your Cloudflare account and select a domain. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. Select **Order Advanced Certificate**. -4. If Cloudflare does not have your billing information, you will need to enter that information. -5. Enter the following information: +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. Select **Order Advanced Certificate**. +3. If Cloudflare does not have your billing information, you will need to enter that information. +4. Enter the following information: - Certificate authority - Certificate hostnames - For hostnames longer than 64 characters, use the API. - Validation method - Certificate validity period -6. Select **Save**. +5. Select **Save**. 
@@ -54,10 +56,12 @@ If you need certificates for hostnames longer than 64 characters ([RFC 5280](htt To delete an advanced certificate in the dashboard: -1. Log in to your Cloudflare account and select a domain. -2. Select **SSL/TLS** > **Edge Certificates**. -3. Select a certificate. -4. Select **Delete Certificate**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. Select a certificate. +3. Select **Delete Certificate**. diff --git a/src/content/docs/ssl/edge-certificates/caa-records.mdx b/src/content/docs/ssl/edge-certificates/caa-records.mdx index b15b4f2f71b2a65..0fe25a81d0c0960 100644 --- a/src/content/docs/ssl/edge-certificates/caa-records.mdx +++ b/src/content/docs/ssl/edge-certificates/caa-records.mdx @@ -5,7 +5,7 @@ sidebar: order: 6 --- -import { Render, TabItem, Tabs } from "~/components"; +import { Render, TabItem, Tabs, DashButton } from "~/components";
@@ -38,15 +38,17 @@ Create a CAA record for each Certificate Authority (CA) that you plan to use for To add a CAA record in the dashboard, -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and application. -2. Go to **DNS** > **Records**. -3. Select **Add record**. -4. For **Type**, select **CAA**. -5. For **Name**, type your domain. -6. Choose a **Tag**, which specifies the behavior associated with the record. -7. For **CA domain name**, enter the CA name. -8. Select **Save**. -9. Repeat for each CA associated with your domain. +1. In the Cloudflare dashboard, go to the **DNS Records** page. + + + +2. Select **Add record**. +3. For **Type**, select **CAA**. +4. For **Name**, type your domain. +5. Choose a **Tag**, which specifies the behavior associated with the record. +6. For **CA domain name**, enter the CA name. +7. Select **Save**. +8. Repeat for each CA associated with your domain.
diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx index 3d7ff3a57d81b8c..d6749aec5bdb7a4 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx @@ -45,7 +45,7 @@ As explained in the [announcement blog post](https://blog.cloudflare.com/introdu To set up Delegated DCV: 1. Order an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) for your zone, choosing `TXT` as the **Certificate validation method**. -2. On **SSL/TLS** > **Edge Certificates**, go to **DCV Delegation for Partial Zones**. +2. On the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page, go to **DCV Delegation for Partial Zones**. 3. Copy the Cloudflare validation URL. 4. At your authoritative DNS provider, create `CNAME` record(s) considering the following: diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/index.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/index.mdx index 4665d73f55b5ffc..d7d19bee1049582 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/index.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/index.mdx 
@@ -30,7 +30,7 @@ For guidance on when you need to perform DCV, refer to [Domain Control Validatio ## Verify DCV status -To verify the [DCV status](/ssl/reference/certificate-statuses/) of a certificate, either monitor the certificate's status in the dashboard at **SSL/TLS** > **Edge Certificates** or use the [Verification Status endpoint](/api/resources/ssl/subresources/verification/methods/get/). +To verify the [DCV status](/ssl/reference/certificate-statuses/) of a certificate, either monitor the certificate's status on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or use the [Verification Status endpoint](/api/resources/ssl/subresources/verification/methods/get/). A status of `active` means that the certificate has been deployed to Cloudflare’s global network and will be served as soon as HTTP traffic is proxied to Cloudflare. diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/renewing.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/renewing.mdx index 4fc48a0c4a35d1a..a44358c6972492f 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/renewing.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/renewing.mdx @@ -9,7 +9,7 @@ description: Learn how renewal and expiration work when using Cloudflare Custom --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, DashButton } from "~/components" ## Renew custom certificates 
@@ -44,6 +44,9 @@ For example if you have a custom certificate made of an ECSDA and a RSA certific If you no longer want to use your custom certificate but still want your website or application to be covered with SSL/TLS, you can do the following: -1. Go to [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates). +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + 2. Make sure there is already an active [universal](/ssl/edge-certificates/universal-ssl/) or [advanced](/ssl/edge-certificates/advanced-certificate-manager/) certificate covering the same hostnames. 3. Delete your custom certificate. diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/troubleshooting.mdx index 4d9110dbb7836e2..3651d655259d93d 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/troubleshooting.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/troubleshooting.mdx @@ -99,7 +99,7 @@ If you try to upload a certificate **type** but have already reached your quota, **Solution** -First, check your custom certificate entitlements at **SSL/TLS** > **Edge Certificates**. +First, check your custom certificate entitlements on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page. Then, when actually uploading or editing the certificate, make sure you select the appropriate option for **Legacy Client Support**. diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx index c6481d6840945b1..772260fc2823e44 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx 
@@ -51,9 +51,9 @@ When using `compatible` or `modern` [bundling](/ssl/edge-certificates/custom-cer To upload a custom SSL certificate in the dashboard: -1. In the Cloudflare dashboard, go to the SSL/TLS **Edge Certificates** page. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. - + 2. In **Edge Certificates**, select **Upload Custom SSL Certificate**. @@ -165,7 +165,7 @@ For more guidance, refer to [Create a CAA record](/ssl/edge-certificates/caa-rec ## Update an existing custom certificate -Before you update an existing custom certificate, you might want to consider having active [universal](/ssl/edge-certificates/universal-ssl/) or [advanced](/ssl/edge-certificates/advanced-certificate-manager/) certificates as fallback options. Go to [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) to check a list of hostnames and status of the edge certificates in your zone. +Before you update an existing custom certificate, you might want to consider having active [universal](/ssl/edge-certificates/universal-ssl/) or [advanced](/ssl/edge-certificates/advanced-certificate-manager/) certificates as fallback options. Go to the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page to check a list of hostnames and status of the edge certificates in your zone. If you are on an Enterprise plan and want to update a custom (modern) certificate, also consider requesting access to [Staging environment (Beta)](/ssl/edge-certificates/staging-environment/). @@ -175,9 +175,9 @@ Replacing a custom certificate following these steps does not lead to any downti To update a certificate in the dashboard: -1. In the Cloudflare dashboard, go to the SSL/TLS **Edge Certificates** page. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. - + 2. In **Edge Certificates**, locate a custom certificate and select it to expand. 
@@ -201,9 +201,9 @@ To update the **Private Key Restriction** setting of a certificate, delete and r ## Delete a custom certificate -1. In the Cloudflare dashboard, go to the SSL/TLS **Edge Certificates** page. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. - + 2. In **Edge Certificates**, locate a custom certificate and select it to expand. 3. Select the cross button. diff --git a/src/content/docs/ssl/edge-certificates/ech.mdx b/src/content/docs/ssl/edge-certificates/ech.mdx index 8551972e56b2e6d..9d2619308d78040 100644 --- a/src/content/docs/ssl/edge-certificates/ech.mdx +++ b/src/content/docs/ssl/edge-certificates/ech.mdx @@ -8,6 +8,8 @@ sidebar: --- +import { DashButton } from "~/components"; + ECH stands for [Encrypted Client Hello](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/16/). It is a protocol extension in the context of Transport Layer Security (TLS). ECH encrypts part of the handshake and masks the Server Name Indication (SNI) that is used to negotiate a TLS session. This means that whenever a user visits a website on Cloudflare that has ECH enabled, intermediaries will be able to see that you are visiting a website on Cloudflare, but they will not be able to determine which one. ## What ECH does @@ -47,10 +49,11 @@ For more details about ECH protocol technology, refer to our [introductory blog] ECH is enabled by default on Free zones. Other plans can turn it on or off following the steps below. -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). -2. Select your account and zone. -3. Go to **SSL** > **Edge Certificates**. -4. For **Encrypted ClientHello (ECH)**, change the setting to **Enabled**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Encrypted ClientHello (ECH)**, change the setting to **Enabled**. ## Enterprise network applicability 
diff --git a/src/content/docs/ssl/edge-certificates/staging-environment.mdx b/src/content/docs/ssl/edge-certificates/staging-environment.mdx index 43b2221cfc010d1..ff9314d1741b87a 100644 --- a/src/content/docs/ssl/edge-certificates/staging-environment.mdx +++ b/src/content/docs/ssl/edge-certificates/staging-environment.mdx @@ -1,12 +1,14 @@ --- pcx_content_type: how-to -title: Staging environment (Beta) +title: Staging environment sidebar: order: 8 + badge: + text: Beta --- -import { FeatureTable } from "~/components" +import { FeatureTable, DashButton } from "~/components" Use your certificate staging environment to test new custom (modern) certificates before pushing them to your production environment. This process helps you solve potential certificate problems **before** there's an incident, such as when: @@ -26,14 +28,17 @@ Use your certificate staging environment to test new custom (modern) certificate To upload custom (modern) certificates to your staging environment: -1. Go to **SSL/TLS** > **Staging Certificates**. +1. In the Cloudflare dashboard, go to the **Staging Certificates** page. + + + 2. Select **Upload Custom Staging Certificate**. 3. Upload your custom (modern) certificate ([detailed instructions](/ssl/edge-certificates/custom-certificates/uploading/)). 4. Your certificate will appear in the dashboard with a status of **Staging Deployment**. If you refresh the page, its status should go to **Staging Active**. ### 2. Test certificate -Test your custom (modern) certificate by sending `curl` requests to the IP addresses listed in the dashboard card at **SSL/TLS** > **Staging Certificates**: +Test your custom (modern) certificate by sending `curl` requests to the IP addresses listed on the [**Staging Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/staging-certificates) page: ```txt curl --resolve :: https:// -iv 
@@ -49,7 +54,10 @@ You should confirm whether: Assuming there are no issues, push your custom (modern) certificate to your production environment: -1. Go to **SSL/TLS** > **Staging Certificates**. +1. In the Cloudflare dashboard, go to the **Staging Certificates** page. + + + 2. Select a custom certificate. 3. Select **Push to Production**. @@ -59,7 +67,10 @@ If there were issues with your certificate, you can keep it in your staging envi If you roll out a custom (modern) certificate to production and encounter issues, you can deactivate that certificate to delete the certificate from the edge and then push the certificate back to your staging environment for additional testing: -1. Go to **SSL/TLS** > **Edge Certificates**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + 2. Select a custom certificate. 3. Select **Deactivate**. 4. Select **Push to Staging**. diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/disable-universal-ssl.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/disable-universal-ssl.mdx index b19640e53972d6e..9d6bc43b5ff5533 100644 --- a/src/content/docs/ssl/edge-certificates/universal-ssl/disable-universal-ssl.mdx +++ b/src/content/docs/ssl/edge-certificates/universal-ssl/disable-universal-ssl.mdx @@ -5,7 +5,7 @@ sidebar: order: 3 --- -import { TabItem, Tabs } from "~/components"; +import { TabItem, Tabs, DashButton } from "~/components"; Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities. 
@@ -36,12 +36,13 @@ Before you disable Universal SSL/TLS, make sure you have [uploaded a custom cert To disable Universal SSL in the dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. -2. Select your domain. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **Disable Universal SSL**, select **Disable Universal SSL**. -5. Read the warnings in the **Acknowledgement**. -6. Select **I Understand** and select **Confirm**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Disable Universal SSL**, select **Disable Universal SSL**. +3. Read the warnings in the **Acknowledgement**. +4. Select **I Understand** and select **Confirm**. @@ -55,10 +56,11 @@ To disable Universal SSL with the Cloudflare API, send a [`PATCH`](/api/resource To re-enable Universal SSL in the dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account. -2. Select your domain. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. For **Disable Universal SSL**, select **Enable Universal SSL**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. For **Disable Universal SSL**, select **Enable Universal SSL**. diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx index e9de55126a8ad1b..530dd2eaeffba7f 100644 --- a/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx +++ b/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx 
@@ -44,7 +44,7 @@ Unless you cover and validate multiple subdomains with an [advanced certificate] ## Verify your certificate is active -Once you enable Universal SSL, you can review the [activation status](/ssl/reference/certificate-statuses/) in the dashboard at **SSL/TLS** > **Edge Certificates** or via the API with a [GET request](/api/resources/ssl/subresources/certificate_packs/methods/list/). +Once you enable Universal SSL, you can review the [activation status](/ssl/reference/certificate-statuses/) on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or via the API with a [GET request](/api/resources/ssl/subresources/certificate_packs/methods/list/). --- diff --git a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx index 9a74d03d9c81e36..4d6c44511f7ad46 100644 --- a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx +++ b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx @@ -8,7 +8,7 @@ head: content: Public DNS setup - Keyless SSL --- -import { Render, TabItem, Tabs } from "~/components"; +import { Render, TabItem, Tabs, DashButton } from "~/components"; If you cannot use a [Cloudflare Tunnel setup](/ssl/keyless-ssl/configuration/cloudflare-tunnel/), you can also create a public DNS record for your key server. 
@@ -42,10 +42,12 @@ As a security measure, you should hide the hostname of your key server. To create a Keyless certificate in the dashboard: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone. -2. Go to **SSL/TLS** > **Edge Certificates**. -3. Select **Upload Keyless SSL Certificate**. -4. Fill in the upload modal with the certificate and other details and select **Add**. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. Select **Upload Keyless SSL Certificate**. +3. Fill in the upload modal with the certificate and other details and select **Add**. | Label | Description | Example Values | | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | diff --git a/src/content/docs/ssl/origin-configuration/custom-origin-trust-store.mdx b/src/content/docs/ssl/origin-configuration/custom-origin-trust-store.mdx index 45424c209c95ea8..b9a5ac165ef4506 100644 --- a/src/content/docs/ssl/origin-configuration/custom-origin-trust-store.mdx +++ b/src/content/docs/ssl/origin-configuration/custom-origin-trust-store.mdx @@ -23,7 +23,7 @@ To get access to Custom Origin Trust Store, [Advanced Certificate Manager](/ssl/ ## How to -To manage origin trust stores in the dashboard, go to **SSL/TLS** > **Origin Server** and use the **Custom Origin Trust Store** card. +To manage origin trust stores in the dashboard, go to the [**Origin Server**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin) page and use the **Custom Origin Trust Store** card. To manage origin trust stores using the API, refer to the [API commands](#api-commands). 
diff --git a/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx index 41f49d6b1b44b67..80ba5a9238fda06 100644 --- a/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx +++ b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx @@ -8,7 +8,7 @@ head: [] description: Encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. --- -import { FeatureTable, GlossaryTooltip, Render } from "~/components"; +import { Details, FeatureTable, Render, TabItem, Tabs, DashButton, GlossaryTooltip } from "~/components"; If your origin only receives traffic from proxied records, use Cloudflare origin CA certificates to encrypt traffic between Cloudflare and your origin web server and reduce bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](/ssl/origin-configuration/ssl-modes/full-strict/). 
@@ -31,24 +31,25 @@ Using Cloudflare origin CA certificates does not prevent you from using [delegat To create an Origin CA certificate in the dashboard: -1. Log in to the Cloudflare dashboard and select an account. -2. Choose a domain. -3. Go to **SSL/TLS** > **Origin Server**. -4. Select **Create Certificate**. +1. In the Cloudflare dashboard, go to the **Origin Server** page. + + + +2. Select **Create Certificate**. :::note[API Access required] Users who do not have [**API Access**](https://dash.cloudflare.com/?to=/:account/members) will receive an error while trying to perform this action. Refer to [Troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/#this-zone-is-either-not-part-of-your-account-or-you-do-not-have-access-to-it) for guidance. ::: -5. Choose either: +3. Choose either: - **Generate private key and CSR with Cloudflare**: Private key type can be RSA or ECC. - **Use my private key and CSR**: Paste the Certificate Signing Request into the text field. -6. List the [hostnames (including wildcards)](#hostname-and-wildcard-coverage) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default. -7. Choose a **Certificate Validity** period. -8. Select **Create**. -9. Choose the **Key Format**: +4. List the [hostnames (including wildcards)](#hostname-and-wildcard-coverage) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default. +5. Choose a **Certificate Validity** period. +6. Select **Create**. +7. Choose the **Key Format**: - Servers using OpenSSL — like Apache and NGINX — generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files. - Servers using Windows and Apache Tomcat require PKCS#7 (a `.p7b` file). -10. Copy the signed **Origin Certificate** and **Private Key** into separate files. For security reasons, you cannot see the **Private Key** after you exit this screen. -11. 
Select **OK**. +8. Copy the signed **Origin Certificate** and **Private Key** into separate files. For security reasons, you cannot see the **Private Key** after you exit this screen. +9. Select **OK**. :::note For details about working with certificates programmatically, refer to [API calls](#api-calls). @@ -103,11 +104,12 @@ To prevent visitors from seeing warnings about an insecure certificate, you may To revoke a certificate: -1. Log in to the Cloudflare dashboard and select an account. -2. Choose a domain. -3. Go to **SSL/TLS** > **Origin Server**. -4. In **Origin Certificates**, choose a certificate. -5. Select **Revoke**. +1. In the Cloudflare dashboard, go to the **Origin Server** page. + + + +2. In **Origin Certificates**, choose a certificate. +3. Select **Revoke**. ## Additional details diff --git a/src/content/docs/ssl/reference/certificate-statuses.mdx b/src/content/docs/ssl/reference/certificate-statuses.mdx index de5e2307104d648..0eb8e39b79dc544 100644 --- a/src/content/docs/ssl/reference/certificate-statuses.mdx +++ b/src/content/docs/ssl/reference/certificate-statuses.mdx 
@@ -59,13 +59,13 @@ When you use [client certificates](/ssl/client-certificates/), those client cert ### SSL/TLS -Monitor a certificate's status in the dashboard at **SSL/TLS** > **Edge Certificates** or by using the [Get Certificate Pack endpoint](/api/resources/ssl/subresources/certificate_packs/methods/get/). +Monitor a certificate's status on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or by using the [Get Certificate Pack endpoint](/api/resources/ssl/subresources/certificate_packs/methods/get/). For more details on certificate validation, refer to [Domain Control Validation](/ssl/edge-certificates/changing-dcv-method/). ### SSL for SaaS -Monitor a certificate's status in the dashboard at **SSL/TLS** > **Custom Hostnames** or by using the [Custom Hostname Details endpoint](/api/resources/custom_hostnames/methods/get/). +Monitor a certificate's status on the [**Custom Hostnames**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/custom-hostnames) page or by using the [Custom Hostname Details endpoint](/api/resources/custom_hostnames/methods/get/). For more details on certificate validation, refer to [Issue and validate certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/). diff --git a/src/content/docs/ssl/reference/compliance-and-vulnerabilities.mdx b/src/content/docs/ssl/reference/compliance-and-vulnerabilities.mdx index 5cf1b3efbdf4271..6b9147dd9219dcd 100644 --- a/src/content/docs/ssl/reference/compliance-and-vulnerabilities.mdx +++ b/src/content/docs/ssl/reference/compliance-and-vulnerabilities.mdx 
@@ -5,6 +5,8 @@ title: PCI compliance and vulnerabilities mitigation --- +import { DashButton } from "~/components"; + Both [TLS 1.0 and TLS 1.1](/ssl/reference/protocols/) are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic. PCI standards recommend using TLS 1.2 or higher. Refer to [Compliance standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) for a list of recommended cipher suites. @@ -15,13 +17,11 @@ Cloudflare also [implements mitigations against known vulnerabilities](#known-vu To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols: -1. Log in to the Cloudflare dashboard. - -2. Select your Cloudflare account and website or application. +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. -3. Go to **SSL/TLS** > **Edge Certificates**. + -4. For **Minimum TLS Version**, select **TLS 1.2** or higher. +2. For **Minimum TLS Version**, select **TLS 1.2** or higher. Refer to [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) for more information about this setting and other setup options. diff --git a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx index 7727a18b6bf015e..5778573135e6342 100644 --- a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx +++ b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx @@ -8,7 +8,7 @@ head: [] description: Learn how to troubleshoot various SSL/TLS errors with Cloudflare. --- -import { GlossaryTooltip } from "~/components"; +import { GlossaryTooltip, DashButton } from "~/components"; ## Let's Encrypt chain update 
@@ -116,7 +116,10 @@ The HSTS headers (`Strict-Transport-Security` and `X-Content-Type-Options`) in t You may have configured [Response Header Transform Rules](/rules/transform/response-header-modification) that are overriding the HSTS header values defined in the **SSL/TLS** app. -1. Go to **Rules** > **Overview**. +1. In the Cloudflare dashboard, go to the Rules **Overview** page. + + + 2. Under **Response Header Transform Rules**, search for a rule setting the value of one of the HSTS headers (`Strict-Transport-Security` or `X-Content-Type-Options`). 3. Delete (or edit) the rule so that the HSTS configuration settings defined in the **SSL/TLS** app are applied. 4. Repeat this procedure for the other HSTS header. diff --git a/src/content/docs/ssl/troubleshooting/too-many-redirects.mdx b/src/content/docs/ssl/troubleshooting/too-many-redirects.mdx index 3259cc5cecf1840..fc3125a409c9c2a 100644 --- a/src/content/docs/ssl/troubleshooting/too-many-redirects.mdx +++ b/src/content/docs/ssl/troubleshooting/too-many-redirects.mdx @@ -28,7 +28,7 @@ end This error is commonly caused by: - A misconfiguration of your [SSL/TLS Encryption mode](#encryption-mode-misconfigurations). -- Various settings in [**SSL/TLS** > **Edge Certificates**](#edge-certificate-settings). +- Various settings on the [**Edge Certificates**](#edge-certificate-settings) page. - A misconfigured [redirect rule](#redirect-rules). :::note diff --git a/src/content/docs/ssl/troubleshooting/version-cipher-mismatch.mdx b/src/content/docs/ssl/troubleshooting/version-cipher-mismatch.mdx index cd597b1160f5fb6..b4ca83aede26452 100644 --- a/src/content/docs/ssl/troubleshooting/version-cipher-mismatch.mdx +++ b/src/content/docs/ssl/troubleshooting/version-cipher-mismatch.mdx 
@@ -51,7 +51,7 @@ If your visitors experience `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` (Chrome) or `SS 1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Choose your account and domain. -3. Go to **SSL** > **Edge Certificates**. +3. Go to the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page. 4. Find the certificate with the **Type** of **Universal**. 5. Make sure the **Status** is **Active**. diff --git a/src/content/partials/ssl/acm-validate-cert.mdx b/src/content/partials/ssl/acm-validate-cert.mdx index b7c0442b9204788..28d8bc6f0d5532f 100644 --- a/src/content/partials/ssl/acm-validate-cert.mdx +++ b/src/content/partials/ssl/acm-validate-cert.mdx @@ -5,5 +5,5 @@ To check whether your certificates have been validated and reissued: -* **Dashboard**: Find the certificate(s) **SSL/TLS** > **Edge Certificates** and make sure that the **Status** is **Active**. +* **Dashboard**: Find the certificate(s) on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page and make sure that the **Status** is **Active**. * **API**: Send a [`GET`](/api/resources/ssl/subresources/certificate_packs/methods/list/) request and confirm that your certificate(s) have `"status": "active"`. diff --git a/src/content/partials/ssl/aop-enable-feature.mdx b/src/content/partials/ssl/aop-enable-feature.mdx index e66e014036905f4..fbb65c21cf8d6c2 100644 --- a/src/content/partials/ssl/aop-enable-feature.mdx +++ b/src/content/partials/ssl/aop-enable-feature.mdx @@ -2,7 +2,7 @@ {} --- -import { TabItem, Tabs } from "~/components"; +import { TabItem, Tabs, DashButton } from "~/components"; Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone. 
@@ -12,9 +12,11 @@ This step sets the TLS Client Auth to require Cloudflare to use a client certifi To enable **Authenticated Origin Pulls** in the dashboard: -1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain. -2. Go to **SSL/TLS** > **Origin Server**. -3. For **Authenticated Origin Pulls**, switch the toggle to **On**. +1. In the Cloudflare dashboard, go to the **Origin Server** page. + + + +2. For **Authenticated Origin Pulls**, switch the toggle to **On**. :::caution diff --git a/src/content/partials/ssl/txt-validation-dashboard.mdx b/src/content/partials/ssl/txt-validation-dashboard.mdx index 77280dddbe793a6..e32eed0b158c9b1 100644 --- a/src/content/partials/ssl/txt-validation-dashboard.mdx +++ b/src/content/partials/ssl/txt-validation-dashboard.mdx @@ -3,10 +3,13 @@ --- -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com). -2. Choose your account and domain. -3. Go to **SSL/TLS** > **Edge Certificates**. -4. Select a certificate. -5. Copy the values for **Certificate validation TXT name** and **Certificate validation TXT value**. +import { DashButton } from "~/components"; + +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + + + +2. Select a certificate. +3. Copy the values for **Certificate validation TXT name** and **Certificate validation TXT value**. If you had created a **wildcard** certificate, you would need to copy the values for two different validation TXT records.
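Review bot: In version-cipher-mismatch.mdx, steps 1 and 2 ("Log into the Cloudflare dashboard" and "Choose your account and domain") stay in place while step 3 now points at the Edge Certificates page through the same `?to=/:account/:zone/ssl-tls/edge-certificates` deep link that replaces those steps elsewhere in this patch. Every other procedure touched here collapses login and account selection into a single "In the Cloudflare dashboard, go to the **Edge Certificates** page." step. Suggest doing the same in this file and renumbering, so the procedure does not send the reader through navigation twice.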
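Review bot: In origin-ca/index.mdx the import grows from `FeatureTable, GlossaryTooltip, Render` to also include `Details`, `TabItem` and `Tabs`, but the two hunks shown for this file only rewrite the navigation steps of the create and revoke procedures. If those three components are not used elsewhere in the file, drop them from the import and add only `DashButton`. If they are needed for content outside these hunks, that change belongs in the commit that introduces it.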
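Review bot: staging-environment.mdx removes "(Beta)" from the title in favour of a `badge` under `sidebar`, yet the unchanged context in uploading.mdx (hunk at -165,7) still links to the page as `[Staging environment (Beta)]`. Suggest updating that link text in the same change, or confirming the inline "(Beta)" is intentional, so the title and the references to it agree. Since the badge is defined under `sidebar`, also check that the beta status is still visible to a reader who lands on the page body directly.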
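Review bot: In too-many-redirects.mdx the new bullet reads "Various settings on the [**Edge Certificates**](#edge-certificate-settings) page", which uses the same "**Edge Certificates** page" wording that links to the dashboard everywhere else in this patch, but here the target is an in-page anchor. A reader will expect the link to open the dashboard. Suggest keeping the link text tied to the section it jumps to, for example linking the words "Various settings" to `#edge-certificate-settings`, or linking the page name to the dashboard URL and referencing the section separately.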