docs: improve https with cdn guide

content/docs/tech-resources/enabling-https-engagement-tracking-on-sparkpost.md

@@ -713,19 +713,17 @@ To enable SparkPost to record human-driven repeat opens/clicks, while screening
 
 ## Switch tracking domain to secure, and validate
 
-If you have previously created a tracking domain (whether verified or unverified), and wish to switch it from insecure (the default) to secure, use the [Update a Tracking Domain API](https://developers.sparkpost.com/api/tracking-domains/#tracking-domains-put-update-a-tracking-domain) `PUT` call, to update the tracking domain with the `"secure": true` string.
+If you have previously created a tracking domain (whether verified or unverified), and wish to switch it from insecure (the default) to secure, follow the steps below:
 
-1. Run the PUT call with the following data:
+1. Navigate to the details page of your domain. In the _HTTPS_ section, you will see _HTTPS Disabled_ as the current status.
 
-    ```
-    {
-        "secure"  : true
-    }
-    ```
+   ![](media/enabling-https-engagement-tracking-on-sparkpost/enable_https_cdn.png)
+
+   Under _Choose how to enable HTTPS_, select the option _Certificate managed by CDN or reverse proxy (Advanced)_ and then click on _Enable HTTPS_ to proceed. After a page refresh, the section will now show _HTTPS Enabled via self-managed infrastructure_.
 
-    Note: If you would like this tracking domain to be the default, please add `"default": true` to the JSON object above, before updating the domain.
+   ![](media/enabling-https-engagement-tracking-on-sparkpost/https_enabled_cdn.png)
 
-    Detailed information on this operation can be found in our API documentation [here](https://developers.sparkpost.com/api/tracking-domains.html#tracking-domains-retrieve,-update,-and-delete-put).
+   Now, the tracking domain is secure.
 
 1. Navigate to the Tracking Domains section in the UI and click the  "test" verification button.
 

content/docs/tech-resources/managed-https-for-tracking-domains.md

@@ -63,7 +63,7 @@ SparkPost provides different types of tracking endpoints:
 | SparkPost US V2 | `v2.spgo.io` | Yes | Yes |
 | SparkPost EU V2 | `eu.v2.spgo.io` | Yes | Yes |
 
-**To use managed HTTPS, your tracking domain must use a [V2 endpoint](#tracking-endpoints).** (`v2.spgo.io` for US accounts or `eu.v2.spgo.io` for EU accounts). New tracking domains created after December, 2025, automatically use V2 endpoints.
+**To use managed HTTPS, your tracking domain must use a V2 endpoint** (`v2.spgo.io` for US accounts or `eu.v2.spgo.io` for EU accounts). New tracking domains created after December, 2025, automatically use V2 endpoints.
 
 ## Enabling Managed HTTPS
 
@@ -96,9 +96,9 @@ If a tracking domain was not yet configured to use HTTPS, it's possible to do so
 
 1. Navigate to the details page of your insecure domain. In the _HTTPS_ section, you will see _HTTPS Disabled_ as the current status.
 
-   ![](media/managed-https-for-tracking-domains/insecure_domain_enable.png)
+   ![](media/managed-https-for-tracking-domains/enable_https_managed.png)
 
-   Under _Choose how to enable HTTPS_, make sure the default option _SparkPost manages TLS certificate_ is selected. Click on _Enable HTTPS_ to proceed.
+   Under _Choose how to enable HTTPS_, make sure the default option _Certificate managed by SparkPost (Recommended)_ is selected. Click on _Enable HTTPS_ to proceed.
 
 2. Follow the wizard instructions to verify if the domain supports managed HTTPS.
 
@@ -163,6 +163,27 @@ Let's Encrypt certificates are valid for 90 days and SparkPost will renew automa
 
 ## Troubleshooting
 
+### Testing the managed certificate
+
+You can test that your tracking domain is being secured by a Let's Encrypt certificate with the following command:
+
+```sh
+curl -v https://track.yourdomain.com/f/a/b/c/d
+```
+
+The output will show the TLS negotiation including info on the certificate served by SparkPost for your domain. Example:
+
+```
+*  subject: CN=tracking.myboxdemo.space
+*  start date: Jan 27 19:09:17 2026 GMT
+*  expire date: Apr 27 19:09:16 2026 GMT
+*  subjectAltName: host "tracking.myboxdemo.space" matched cert's "tracking.myboxdemo.space"
+*  issuer: C=US; O=Let's Encrypt; CN=E8
+*  SSL certificate verify ok.
+```
+
+Note: If DNS changes have not fully propagated, this command can instead show the previously used certificate. Try again later.
+
 ### Certificate stuck in _Pending_ status
 
 If your certificate remains in Pending status for more than 30 minutes: