
Commit 1bcfcb3

deadlypants1973aw-cf authored and committed
[CF1] signing cert clarification (cloudflare#22699)
* [CF1] signing cert clarification * signing cert clarification * more wording * Apply suggestions from code review Co-authored-by: Andreas <[email protected]> --------- Co-authored-by: Andreas <[email protected]>
1 parent 97e1926 commit 1bcfcb3


3 files changed

+15
-5
lines changed


src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@ openssl x509 -in <CUSTOM-ROOT-CERT>.pem -text
7878

7979
<TabItem label="API">
8080

81-
1. <Render file="upload-mtls-cert" params={{ one: " " }} />
81+
1. <Render file="upload-mtls-cert" params={{ one: " ", cert: "root CA" }} />
8282

8383
2. Set the certificate as available for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). This will deploy the certificate across the Cloudflare global network.
8484

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx

Lines changed: 13 additions & 3 deletions
@@ -7,7 +7,7 @@ sidebar:
77

88
import { Details, Render, TabItem, Tabs } from "~/components";
99

10-
The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
10+
The Client Certificate device posture attribute checks if the device has a valid client certificate signed by a trusted certificate. The trusted certificate is uploaded to Cloudflare and specified as part of the posture check rule. The client certificate posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
1111

1212
<Details header="Feature availability">
1313
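Review bot: The rewritten intro line drops the term "certificate authority (CA)" in favour of "a trusted certificate", but the Prerequisites section in this same file still opens with "A CA that issues client certificates for your devices", and the note added below it uses "signing certificate". Pick one term for the thing the user uploads and use it in all three places; "signed by a trusted signing certificate" in the intro would match the note and the later "Certificate ID: Enter the UUID of the signing certificate" step.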

@@ -30,6 +30,15 @@ The Client Certificate device posture attribute checks if the device has a valid
3030
## Prerequisites
3131

3232
- A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
33+
34+
:::note[Upload the signing certificate that issued the client certificate]
35+
36+
When uploading a certificate to use in posture checks, Cloudflare does not differentiate between root and intermediate certificates. You must upload the actual signing certificate – the one that directly signed the client certificate.
37+
38+
If you upload a different certificate, even if it exists higher up in the trust chain (for example, the root that issued the signing certificate), the posture check will fail.
39+
40+
:::
41+
3342
- Cloudflare WARP client is [deployed](/cloudflare-one/connections/connect-devices/warp/deployment/) on the device.
3443
- A client certificate is [installed and trusted](#configure-the-client-certificate-check) on the device.
3544
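Review bot: The first sentence of the new note, "Cloudflare does not differentiate between root and intermediate certificates", can be read as "either one works", which is the opposite of the point the next sentence makes. Suggest stating the constraint directly, e.g. "Cloudflare accepts either a root or an intermediate certificate for upload, but the posture check only validates against the certificate that directly signed the client certificate", then keep the "If you upload a different certificate ... the posture check will fail" sentence as the consequence. Also replace the en dash in "signing certificate – the one" with a comma or colon to match the punctuation used elsewhere in this file.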

@@ -44,6 +53,7 @@ You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access
4453
file="upload-mtls-cert"
4554
params={{
4655
one: "The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.",
56+
cert: "signing certificate",
4757
}}
4858
/>
4959

@@ -70,7 +80,7 @@ You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access
7080
private key must be in `PEM` format. They can either be in two different
7181
files or the same file.
7282
</Details>
73-
4. **Certificate ID**: Enter the UUID of the root CA.
83+
4. **Certificate ID**: Enter the UUID of the signing certificate.
7484
5. **Common name**: (Optional) To check for a specific common name on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate.
7585
6. **Check for Extended Key Usage**: (Optional) Check whether the client certificate has one or more attributes set. Supported values are **Client authentication** (`1.3.6.1.5.5.7.3.2`) and/or **Email** (`1.3.6.1.5.5.7.3.4`).
7686
7. **Check for private key**: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
@@ -183,4 +193,4 @@ Certificate:
183193

184194
</Tabs>
185195

186-
For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.
196+
For the posture check to pass, a certificate must appear in the output that validates against the uploaded signing certificate.

src/content/partials/cloudflare-one/upload-mtls-cert.mdx

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ inputParameters: param1
44

55
import { Markdown } from "~/components";
66

7-
Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with `\n` replacing the line breaks. {props.one}
7+
Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a {props.cert}, formatted as a single string with `\n` replacing the line breaks. {props.one}
88

99
```sh
1010
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mtls_certificates" \
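Review bot: The partial now interpolates `{props.cert}` unconditionally, so any `<Render file="upload-mtls-cert" ...>` caller that does not pass `cert` will render "The certificate must be a , formatted as a single string", since an undefined prop renders as nothing in MDX. This commit updates the two callers in `custom-certificate.mdx` and `client-certificate.mdx`; please confirm there are no other callers, or give `cert` a fallback in the partial. The frontmatter `inputParameters: param1` also still documents only one parameter and should list `cert` as well.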
