Merged
Expand Up @@ -4,9 +4,10 @@ order: 2

# Mutual TLS authentication

<Aside>
<Aside type='warning' header='Important'>

Cloudflare Access can add mTLS to your application, but it requires a Cloudflare enterprise plan. To enforce mTLS in your application with Access, please contact your Cloudflare customer success manager.

Cloudflare Access can add mTLS to your application, but it requires a Cloudflare enterprise plan. To enforce mTLS in your application with Access, please contact your Cloudflare Customer Success Manager.
</Aside>

Mutual TLS (mTLS) authentication ensures that traffic is both secure and trusted in both directions between a client and server. It allows requests that do not log in with an identity provider (like IoT devices) to demonstrate that they can reach a given resource. Client certificate authentication is also a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate.
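Review bot: the enterprise-plan notice is typed differently in the two files this PR touches: here it becomes `<Aside type='warning' header='Important'>`, while the same sentence in `products/access/src/content/service-auth/mtls.md` becomes `<Aside type='note' header='Note'>`. Pick one type for identical text so the two pages render the same callout; "note" seems the better fit, since the sentence is plan information rather than a warning about a risky action.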
Expand All @@ -25,6 +26,12 @@ To enforce mTLS authentication from the [Teams dashboard](https://dash.teams.clo

![Root CA](../static/mtls-test/add-mtls.png)

<Aside type='warning' header='Important'>

The mTLS certificate is used **only** to verify the client certificate. It does **not** control the SSL certificate presented during the [server hello](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/).

</Aside>

3. Paste the content of the `ca.pem` file in the Certificate content field.

4. Assign the Root CA a name and add the fully-qualified domain names (FQDN) that will use this certificate.
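Review bot: "The mTLS certificate" in the new aside is ambiguous, because a reader at this step has both a root CA and a client certificate in hand. Say which one is meant, e.g. "The root CA certificate you upload here is used **only** to verify the client certificate", which also matches the wording used in the sibling file ("you must upload a certificate. This certificate is **only** used to verify the client certificate"). Keeping the two pages aligned avoids readers concluding that the uploaded CA somehow replaces the edge certificate.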
Expand Down Expand Up @@ -189,9 +196,11 @@ The instructions here cover usage with a computer running MacOS.

1. In the same working directory, run the following command to add the client certificate into the MacOS Keychain.

<Aside>

Warning: this will add the client certificate to the trusted store on your device. Only proceed if you are comfortable doing so and intend to keep these testing certificates safeguarded.
<Aside type='warning' header='Important'>

The command adds the client certificate to the trusted store on your device. **Only** proceed if you are comfortable doing so and intend to keep these testing certificates safeguarded.

</Aside>

```sh
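Review bot: the reworded warning still leaves the reader without a way to undo the action it warns about. Since the text says the command adds the client certificate to the device's trusted store and asks the reader to keep the testing certificates safeguarded, add a sentence pointing to how to remove the test certificate from the Keychain once testing is finished, so a throwaway test credential does not stay trusted on the machine indefinitely.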
14 changes: 12 additions & 2 deletions products/access/src/content/service-auth/mtls.md
Expand Up @@ -4,14 +4,24 @@ order: 200

# Mutual TLS authentication

<div class="notices info">
<Aside type='note' header='Note'>

Cloudflare Access can add mTLS to your application, but it requires a Cloudflare enterprise plan. To enforce mTLS in your application with Access, please contact your Cloudflare Customer Success Manager.
</div>

</Aside>

Mutual TLS (mTLS) authentication ensures that traffic is both secure and trusted in both directions between a client and server. It allows requests that do not log in with an identity provider (like IoT devices) to demonstrate that they can reach a given resource. Client certificate authentication is also a second layer of security for team members who both log in with an identity provider (IdP) and present a valid client certificate.

With a root certificate authority (CA) in place, Access only allows requests from devices with a corresponding client certificate. When a request reaches the application, Access responds with a request for the client to present a certificate. If the device fails to present the certificate, the request is not allowed to proceed. If the client does have a certificate, Access completes a key exchange to verify.

<Aside type='warning' header='Important'>

The certificate presented by our edge as part of the server hello is our usual edge certificate (such as our custom or universal certificate).

When you configure mTLS in Cloudflare Access, you must upload a certificate. This certificate is **only** used to verify the client certificate during the handshake. The mTLS configuration does not control the edge SSL certificate presented in the server hello.

</Aside>

![mTLS Diagram](../static/mtls.png)

## Add mTLS authentication to your Access configuration
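Review bot: the new warning aside switches to first-person plural ("our edge", "our usual edge certificate") while the rest of the page is written in third person ("Cloudflare Access", "Access responds"). Rewrite the first sentence in the page's voice, e.g. "The certificate presented by the Cloudflare edge in the server hello is the zone's usual edge certificate (a custom certificate or Universal SSL certificate)". The second paragraph of the aside then restates the same point ("does not control the edge SSL certificate presented in the server hello"), so the two could be merged into one short paragraph rather than saying it twice.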
Binary file modified products/access/src/content/static/mtls.png