diff --git a/menu/navigation.json b/menu/navigation.json
index fecbe3aa4c..c2cd7458ee 100644
--- a/menu/navigation.json
+++ b/menu/navigation.json
@@ -3887,14 +3887,6 @@
{
"label": "Equivalence between S3 actions and IAM permissions",
"slug": "s3-iam-permissions-equivalence"
- },
- {
- "label": "SSL/TLS certificates for Edge Services",
- "slug": "ssl-tls-certificate"
- },
- {
- "label": "CNAME records for Edge Services",
- "slug": "cname-record"
}
],
"label": "Additional Content",
diff --git a/storage/object/reference-content/assets/scaleway-cert-expired.webp b/network/edge-services/reference-content/assets/scaleway-cert-expired.webp
similarity index 100%
rename from storage/object/reference-content/assets/scaleway-cert-expired.webp
rename to network/edge-services/reference-content/assets/scaleway-cert-expired.webp
diff --git a/storage/object/reference-content/assets/scaleway-edge-services-cname-error.webp b/network/edge-services/reference-content/assets/scaleway-edge-services-cname-error.webp
similarity index 100%
rename from storage/object/reference-content/assets/scaleway-edge-services-cname-error.webp
rename to network/edge-services/reference-content/assets/scaleway-edge-services-cname-error.webp
diff --git a/storage/object/reference-content/assets/scaleway-edge-services-configure-domain.webp b/network/edge-services/reference-content/assets/scaleway-edge-services-configure-domain.webp
similarity index 100%
rename from storage/object/reference-content/assets/scaleway-edge-services-configure-domain.webp
rename to network/edge-services/reference-content/assets/scaleway-edge-services-configure-domain.webp
diff --git a/storage/object/reference-content/assets/scaleway-edge-services-dashboard-error.webp b/network/edge-services/reference-content/assets/scaleway-edge-services-dashboard-error.webp
similarity index 100%
rename from storage/object/reference-content/assets/scaleway-edge-services-dashboard-error.webp
rename to network/edge-services/reference-content/assets/scaleway-edge-services-dashboard-error.webp
diff --git a/network/edge-services/reference-content/cname-record.mdx b/network/edge-services/reference-content/cname-record.mdx
new file mode 100644
index 0000000000..46bc01a5d5
--- /dev/null
+++ b/network/edge-services/reference-content/cname-record.mdx
@@ -0,0 +1,93 @@
+---
+meta:
+ title: CNAME records and DNS for Edge Services
+ description: Learn how to set up and manage CNAME records for Scaleway Edge Services pipelines. Follow our detailed guide to configure your custom domain and enhance your cloud accessibility.
+content:
+ h1: CNAME records and DNS for Edge Services
+ paragraph: Learn how to set up and manage CNAME records for Scaleway Edge Services pipelines. Follow our detailed guide to configure your custom domain and enhance your cloud accessibility.
+tags: edge-services pipeline cname dns
+dates:
+ validation: 2024-07-25
+categories:
+ - network
+---
+
+This document contains information to help you successfully create a CNAME record for your customized [Edge Services](/network/edge-services/) domain, and troubleshoot any potential DNS problems.
+
+## What is a CNAME record?
+
+A **C**anonical **Name** (CNAME) record is a type of [DNS record](/network/domains-and-dns/concepts/#dns-record). Generally, DNS records hold information for translating a domain or subdomain to an IP address, mail server or other domain/subdomain. They are crucial in directing internet traffic to the correct servers. More specifically, CNAME records map one domain name (an alias) to another (the canonical name).
+
+A CNAME record may look like the following:
+
+| Hostname / Alias | Destination / Canonical Name |
+|----------------------------|-------------------------------|
+| `videos.example.com` | `otherdomain.com` |
+
+In this case, when a DNS server sees this record for `videos.example.com` it will know not to direct traffic to `videos.example.com`'s own IP address, but to that of `otherdomain.com`. It will find `othercomain.com`'s IP address via its [A record](/network/domains-and-dns/reference-content/understanding-dns-records/#a-record).
+
+When the client actually connects to `otherdomain.com`'s IP address, the web server can see that the requested URL was `videos.example.com`, and deliver the relevant content.
+
+## When and why do I need to create a CNAME record for Edge Services?
+
+When you create an Edge Services pipeline to an [origin](/network/edge-services/concepts/#origin) (Object Storage bucket or Load Balancer), initially the origin content is served through the standard Edge Services endpoint, e.g. `pipeline-id-or-bucket-name.svc.edge.scw.cloud`. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about CNAME records.
+
+However, if you choose to [customize your Edge Services endpoint with your own subdomain](/network/edge-services/how-to/configure-custom-domain/), a CNAME record must be created to point your subdomain to the Edge Services endpoint.
+
+ - If your domain is managed with [Scaleway Domains and DNS](/network/domains-and-dns/quickstart/), we take care of auto-generating the appropriate CNAME record for you, as well as deleting it if and when you deactivate Edge Services. There is no action for you to take. You should not attempt to modify or delete the CNAME record (which will be visible among your Domains and DNS records in the console).
+ - If your domain is managed by an external provider, Scaleway is unable to create the appropriate CNAME record for you. You will be prompted, as part of the process for customizing your Edge Services domain, to create this record yourself with your domain provider.
+
+ TODO CHECK
+
+## How to create a CNAME record
+
+Log into your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services endpoint for your bucket or Load Balancer origin. This endpoint can be retrieved from the Scaleway console.
+
+The interface used by different domain providers varies, but creating your CNAME record may look like one of the following examples:
+
+| Record | Destination |
+|--------------------------------------------|------------------------------------------|
+| `my-chosen-subdomain.beautiful-domain.com` | `pipeline-id-or-bucket-name.svc.edge.scw.cloud.` |
+
+| Subdomain | Target host |
+|--------------------------------------------|------------------------------------------------|
+| `my-chosen-subdomain` | `pipeline-id-or-bucket-name.svc.edge.scw.cloud.` |
+
+| Host record | Points to |
+|--------------------------------------------|------------------------------------------------|
+| `my-chosen-subdomain` | `pipeline-id-or-bucket-name.svc.edge.scw.cloud.` |
+
+| `my-chosen-subdomain` | Record Type | Value |
+|--------------------------------------------|-----------------|------------------------------------------------|
+| `@` | `CNAME` | is an alias of `pipeline-id-or-bucket-name.svc.edge.scw.cloud.`|
+
+
+The trailing dot at the end of the target endpoint (`pipeline-id-or-bucket-name.svc.edge.scw.cloud.`) is implicitly added by some domain and DNS providers, and must be explicitly added for others. Check with yours whether the dot is necessary.
+
+
+You may also see a `TTL` field, which stands for **T**ime **T**o **L**ive. This tells the DNS resolver how long it can cache this record, before it must re-check the origin source in case something has changed. TTL is measured in seconds, and the default value is usually 12 hours (43200 seconds) or 24 hours (86400 seconds).
+
+ ## Troubleshooting DNS and subdomain errors
+
+When setting up your customized subdomain with Edge Services, you have the option to carry out a verification check on the CNAME record (if your domain is managed with an external provider). Edge Services will query the subdomain and check that it resolves correctly to the Edge Services endpoint. If there is a problem, you will see an error message:
+
+ TODO CHECK
+
+An error message may also display at a later point from your Edge Services dashboard if a problem is detected at any point with your CNAME record or subdomain:
+
+ TODO CHECK
+
+See the table below for help with troubleshooting these errors:
+
+| Error message | Solution |
+|-------------------------------------------|---------------------------------------------------------------------|
+| No CNAME record found | Make sure you have created a valid DNS record of type **CNAME** (not **A**, **AAAA** or another type), where your subdomain points to the Edge Services endpoint. |
+| Incorrect CNAME | Make sure your CNAME record points to the Edge Services endpoint in the format `bucket-name.svc.edge.scw.cloud.`, and that you have replaced `pipeline-id-or-bucket-name` with the name of your bucket in the case of an Object Storage origin, or the pipeline ID in the case of a Load Balancer origin. |
+| Domain does not exist | You must own the domain name you are attempting to configure. If you do not already own the domain name, you cannot create a subdomain or CNAME record for it. Register the domain name, for example using our [Domains and DNS](/network/domains-and-dns/how-to/register-internal-domain/) product, then create a CNAME record for the subdomain. Otherwise, ensure you did not make a typo when entering the domain name into the Scaleway console. |
+| scw.cloud is forbidden | You cannot use subdomains of the `scw.cloud` domain, as the domain is owned and managed by Scaleway and you cannot create DNS records for it. Use your own domain and subdomain. |
+| Invalid Top Level Domain | Make sure the Top-Level Domain (e.g. `.com`, `.fr`) you entered is correct. |
+| Root domain not allowed | You cannot use a root domain alone to customize Edge Services (e.g. `example.com`. Make sure you use a subdomain (e.g. `blog.example.com`)) | |
+| Subdomain must be a correctly-formatted, fully-qualified subdomain name | Make sure the subdomain name you entered is [correctly formatted](https://en.wikipedia.org/wiki/Domain_name#Domain_name_syntax), e.g. `foo.example.fr`. |
+| Record already exists for this FQDN in your DNS zone | Choose a different subdomain, or delete the existing DNS record. |
+
+Note that if your domain is managed by Scaleway Domains and DNS and you therefore have an auto-created CNAME record, you should **not** attempt to delete it or modify it in any way. Scaleway will take care of deleting the CNAME record if and when you deactivate Edge Services.
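Review bot: Three literal `TODO CHECK` lines are left in the new page (after the external-provider bullet, and after each of the two "error message" sentences in the troubleshooting section), each following text that introduces something to look at, so the page would publish with visible placeholders. The assets renamed earlier in this diff (`scaleway-edge-services-cname-error.webp`, `scaleway-edge-services-dashboard-error.webp`, `scaleway-edge-services-configure-domain.webp`) look like the intended content; restore the image references or drop the lead-in sentences. Smaller points in the same hunk: `othercomain.com` should be `otherdomain.com`; the "Root domain not allowed" row has its parentheses misplaced and a trailing empty cell (`| |`) that breaks the table; the `## Troubleshooting DNS and subdomain errors` heading is indented by a space, unlike the other headings; the last example table has `my-chosen-subdomain` as a column header and `@` as the value, which reads as swapped; and the "Incorrect CNAME" row gives the format as `bucket-name.svc.edge.scw.cloud.` while the rest of the page uses `pipeline-id-or-bucket-name`. One documentation gap: the page says Scaleway deletes the auto-generated CNAME when Edge Services is deactivated, but the external-provider bullet only covers creating the record. Add a sentence telling those users to remove the CNAME themselves on deactivation, so the subdomain does not keep pointing at an endpoint they no longer control.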
diff --git a/network/edge-services/reference-content/ssl-tls-certificate.mdx b/network/edge-services/reference-content/ssl-tls-certificate.mdx
new file mode 100644
index 0000000000..2752204e9c
--- /dev/null
+++ b/network/edge-services/reference-content/ssl-tls-certificate.mdx
@@ -0,0 +1,231 @@
+---
+meta:
+ title: SSL/TLS Certificates for Edge Services
+ description: Discover how to configure SSL/TLS certificates for Scaleway Edge Services pipelines. Follow our comprehensive guide to secure your custom domains and ensure data protection.
+content:
+ h1: SSL/TLS Certificates for Edge Services
+ paragraph: Discover how to configure SSL/TLS certificates for Scaleway Edge Services pipelines. Follow our comprehensive guide to secure your custom domains and ensure data protection.
+tags: edge-services pipeline ssl-tls certificate ssl tls pem certificate-authority root-certificate pem chain ca
+dates:
+ validation: 2024-07-25
+categories:
+ - network
+---
+
+This document contains information to help you with SSL/TLS certificates that enable your origin bucket or Load Balancer content to be served over HTTPS, through your customized [Edge Services](/network/edge-services/) domain.
+
+## Introduction
+
+### What is an SSL/TLS certificate?
+
+An SSL/TLS certificate is a digital certificate that enables an encrypted connection between a client and a web server over HTTPS.
+
+You may hear certificates referred to as “SSL certificates”, “TLS certificates” or “SSL/TLS certificates”. These are all the same thing. SSL (Secured Socket Layer) was the protocol initially used for encryption, though it has now been replaced with TLS (Transport Layer Security).
+
+SSL/TLS certificates contain a **public key**, which corresponds to a separate **private key**. These work as a pair. When a client wants to establish an encrypted connection to a host, it requests the host's certificate. The host shares the certificate, which includes the public key (the private key is never shared and is kept by the host). The client checks the certificate, and uses the host's public key to encrypt the data that it transfers to the host. The host uses its private key to decrypt the data that has been encrypted by the public key.
+
+The private key is also used by the host for generating digital signatures, while the public key is used by clients for verifying those signatures.
+
+### When and why do I need an SSL/TLS certificate for Edge Services?
+
+When you enable Edge Services, initially your [origin's](/network/edge-services/concepts/#origin) content is served through the standard Edge Services endpoint, e.g. `https://pipeline-id-or-bucket-name.svc.edge.scw.cloud`. Scaleway's own SSL/TLS certificate, which covers this subdomain, is used to establish the encrypted connection between client and host. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about creating SSL/TLS certificates.
+
+However, if you choose to [customize your Edge Services endpoint with your own subdomain](/network/edge-services/how-to/configure-custom-domain/), Scaleway's own SSL/TLS certificate can no longer be used to establish encrypted connections to your subdomain. Client connections are now initially going to a different domain which needs to be "guaranteed" by its own certificate (despite the CNAME record for the subdomain pointing to the Scaleway endpoint).
+
+Therefore, when you customize your Edge Services endpoint with a subdomain, you are prompted to generate or upload an SSL/TLS certificate for that subdomain.
+
+
+Even if you have an Edge Services pipeline for a Load Balancer origin, and you have already configured your Load Balancer with a certificate for HTTPS (using Let's Encrypt or a custom certificate), you will still need to follow the steps of this document to provide a certificate for your Edge Services pipeline's customized domain.
+
+
+## How can I provide an SSL/TLS certificate for my Edge Services customized domain?
+
+You will be prompted to choose one of the following options when [customizing your domain](/network/edge-services/how-to/configure-custom-domain/):
+
+- **Generate a Let's Encrypt certificate**: Scaleway generates a free, managed Let's Encrypt certificate for your domain and automatically renews it as necessary.
+
+- **Select an existing certificate from Secret Manager**: You select a certificate that you have already uploaded in [Scaleway Secret Manager](/identity-and-access-management/secret-manager/quickstart/).
+
+- **Manually import a certificate into Secret Manager**: You can manually create your own certificate and import it. It will be stored in Scaleway Secret Manager (check the [dedicated pricing page](https://www.scaleway.com/en/pricing/?tags=securityandidentity)).
+
+## Generating a managed Let's Encrypt certificate
+
+This is the hassle-free option if you do not want to create or manage your own SSL/TLS certificate. Scaleway takes care of generating a certificate for your customized domain in the correct format. The certificate is automatically renewed before it expires. This option is available for free: it costs you nothing for Scaleway to generate and manage a Let's Encrypt certificate for your domain.
+
+You must ensure that you have correctly set the [CNAME record](/network/edge-services/reference-content/cname-record/) for your domain. Without having done this, the Let's Encrypt certificate option in the console will not be available. It is also important to check the CNAME is correctly set up so that the certificate is properly generated and reviewed.
+
+Note that you will not have access to the generated certificate itself in Secret Manager or elsewhere. It is ent pipelineirely generated and managed "behind the scenes", and is not configurable by the user. If you reset your domain, or delete your Edge Services, Scaleway automatically deletes the generated Let's Encrypt certificate.
+
+### Troubleshooting
+
+#### Errors
+
+If there is a problem generating your managed Let's Encrypt certificate, an error will be displayed. See the table below for help resolving these errors.
+
+| Error | Solution |
+| ------------------------------------------------------------------------|---------------------------------------------------------------------|
+| Too many certificates already issued for this domain | Wait, before retrying. This error occurs when you hit the limit of generating 50 Let's Encrypt certificates in a rolling 7 day period for the same domain. |
+| Internal managed certificate error | [Open a support ticket](https://console.scaleway.com/support/tickets/create). There has been an unspecified error in generating a managed Let's Encrypt certificate for your subdomain. |
+| Certificate cannot be renewed - Your CNAME record is no longer accurate | Your CNAME record has either been deleted or modified. Without a correct CNAME record, we cannot renew your managed Let's Encrypt certificate. [Rectify your CNAME record](/network/edge-services/reference-content/cname-record/#how-to-create-a-cname-record), and when Edge Services detects the correct record exists, your certificate will be automatically renewed. |
+
+## Using your own certificate
+
+If you wish to use your own certificate, rather than the option of generating a managed Let's Encrypt certificate, take into account the following points.
+
+### Accepted certificate types
+
+Types of validation:
+
+- ❌ **Self-signed certificates**. Certificates for Edge Services must be signed by a Certificate Authority (CA)
+- ✅ **Domain Validated Certificate**. The CA simply checks that the applicant owns the domain.
+- ✅ **Extended/Organization Validation Certificate**. The applicant must pass more in-depth validation procedures and checks by the CA.
+
+Types of domain coverage:
+
+- ✅ **Single domain certificate**. Secures a single domain or subdomain. Note that the certificate must be for `your-sub.domain.com`, where the subdomain corresponds to the [subdomain for Edge Services](/network/edge-services/how-to/configure-custom-domain/). A single domain certificate simply for `yourdomain.com` would not be acceptable, as it would not cover the subdomain for Edge Services.
+- ✅ **Wildcard certificate**. Secures multiple subdomains for a domain, using a wildcard `*` symbol. The **Common Name** of the certificate should look like `*.yourdomain.com`.
+- ✅ **Multi-domain (MD) / Subject Alternative Name (SAN) / Unified Communications Certificate (UCC) certificate**. Secures multiple explicitly-defined fully qualified domain names (`www.yourfirstdomain.com`, `sub.yourfirstdomain.com`, `yourfirstdomain.com`, `yourseconddomain.com`, `sub.yourseconddomain.com` etc.)
+
+### PEM format certificate chain
+
+Edge Services requires that you import your certificate as a PEM-formatted certificate chain, which includes the private key. PEM format is Base64 encoded ASCII, and by definition includes lines stating `-----BEGIN x-----` and `-----END x-----`.
+
+Your PEM formatted certificate chain should look like this:
+
+```
+-----BEGIN PRIVATE KEY-----
+(private key here)
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+(primary certificate (aka server certificate) here)
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+(intermediate certificate here)
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+(root certificate here)
+-----END CERTIFICATE-----
+```
+
+| Section | Contains | Subject (issued for) | Issued and signed by |
+|--------------------------|------------------------------------------------------------------|------------------------|----------------------|
+| Private key | The private key file for the certificate | | |
+| Primary/server certificate | The certificate issued by the CA for your domain name | Your name and public key | CA |
+| Intermediate certificate | The intermediate certificate chaining your primary certificate to the root certificate | CA's name and public key. | Root CA |
+| Root certificate | The root certificate by the CA, for the trusted CA itself | The Root CA's name and public key | Root CA (self signed) |
+
+Note that in certain cases an intermediate certificate may not be necessary, if the root certificate chains directly to the primary/server certificate. The crucial thing is that the subject and issuers of each certificate form a coherent chain of validation. If a certificate is issued by an authority that is not present in the chain, an error will occur.
+
+
+
+You can use the [OpenSSL](https://www.openssl.org/) utility to convert certificates and keys from other formats to PEM, from the command line. Once installed, use a command like the following:
+
+```sh
+openssl x509 -in cert.crt -out cert.pem
+```
+
+```sh
+openssl x509 -in cert.der -out cert.pem
+```
+
+```sh
+openssl x509 -in cert.cer -out cert.pem
+```
+
+When you have your key, your server certificate and your root certificate all in separate files, you can use the `cat` command to chain them together into one file, ready to be copied and pasted:
+
+```sh
+cat private_key.pem cert.pem root_cert.pem > cert_chain.pem
+```
+
+
+
+### Tips for creating a certificate
+
+In general, SSL/TLS certificates can either be **self-signed** (signed by the subject of the certificate, e.g. the owner of the domain) or **CA-signed** (signed by a third party **C**ertificate **A**uthority which is publicly trusted).
+
+**Self-signed certificates cannot be used with Edge Services, all certificates must be signed by a CA that is known and trusted by Edge Services.**
+
+To get an SSL/TLS certificate for your domain or subdomain, you need to generate a Certificate Signing Request (CSR) and submit it to a Certificate Authority (CA) for them to validate your domain, who then send you a signed certificate. You may be able to carry out this procedure via your hosting provider, or from the command line.
+
+CAs of private companies whose primary business is not SSL or domains may not be trusted by Edge Services. If you encounter a self-signed certificate error with Edge Services, but you believe your certificate is legitimately signed by an official CA, [open a support ticket](https://console.scaleway.com/support/tickets) to tell us.
+
+
+
+To get a working Let's Encrypt certificate using certbot on the command line, follow the steps below:
+
+1. Install [certbot](https://certbot.eff.org/) on your machine.
+2. Open a terminal and run the following command, inserting your subdomain where shown:
+ ```bash
+ sudo certbot certonly --manual --preferred-challenges dns -d
+ ```
+ The command returns a token and asks you to create a TXT record in your DNS.
+3. Go to your domain/DNS provider and create a TXT record. The record name should be `_acme-challenge.your-subdomain.your-domain.ext` and the record must contain the token provided by certbot. Make sure the record has a short TTL in case you have to modify it for debugging purposes.
+4. Return to the terminal and press `Enter` once your record is ready.
+ Certbot starts the verification process. If it succeeds, the certificate is downloaded to your machine in two files: the private key and the certificate.
+5. Concatenate the two files into one, using the following command:
+ ```bash
+ cat privkey.pem fullchain.pem > certificate.pem
+ ```
+6. Delete the TXT record from your DNS.
+
+
+
+### Uploading your certificate
+
+When you [configure your customized domain](/network/edge-services/how-to/configure-custom-domain/) with Edge Services for the first time, you are prompted to upload your certificate. You can do so in two ways:
+
+ - Select an existing certificate that you have stored in a secret in [Scaleway Secret Manager](/identity-and-access-management/secret-manager/quickstart/). The secret must be of the **certificate** type in order to be visible to Edge Services. The type can be defined when creating a secret via the [API](https://www.scaleway.com/en/developers/api/secret-manager/#path-secrets-create-a-secret), but not via the console. For that reason, if you prefer to use the console to create your certificates, we suggest using the next option:
+ - Manually import a certificate into Scaleway Secret Manager, directly from the Edge Services **Configure domain** wizard (copy and paste the PEM formatted chain). Your certificate will be automatically stored in Secret Manager, held in a secret that automatically inherits the type "certificate".
+
+### Keeping your certificate up to date
+
+SSL/TLS certificates all expire at some point. If your certificate expires before you upload a new one, you will see an error like this on your Edge Services dashboard:
+
+ TODO CHECK
+
+You must renew your certificate or create a new one. A number of tools are available to ensure that certificates are automatically renewed before expiry, for example [Certbot for LetsEncrypt](https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates). However, since Certbot or other tools for automatically renewing certificates are not currently integrated into Edge Services, you will need to manually update the certificate via the Scaleway console.
+
+When you have your up to date certificate, go to [Secret Manager](https://console.scaleway.com/secret-manager/secrets) in the console, and access the secret that contains your certificate. [Create a new version](/identity-and-access-management/secret-manager/how-to/create-version/) of the secret, to hold the up to date certificate. Edge Services will automatically detect and use the most recent enabled version of the secret. You can nonetheless choose to disable or delete the old version(s) as you prefer, which will also save your billing costs (since you are billed per version).
+
+
+
+If you change your customized subdomain to something new, you will need to generate and import a new certificate for that subdomain. In this case, it is recommended to create a new [secret](/identity-and-access-management/secret-manager/concepts/#secret) to hold the new certificate, rather than creating a new version of an existing secret.
+
+
+
+### Troubleshooting
+
+#### Errors
+
+If Edge Services detects a problem with your certificate, an error will be displayed. See the table below for help resolving these errors.
+
+| Error | Solution |
+|-------------------------------------------------------------------------|---------------------------------------------------------------------|
+| Certificate format | Make sure your certificate is in [PEM format](#pem-format-certificate-chain). |
+| Certificate private key format | Make sure your private key is in [PEM format](#pem-format-certificate-chain).|
+| Missing server certificate | Make sure the server certificate (which validates your own subdomain) is included in the [PEM-formatted chain](#pem-format-certificate-chain).|
+| Missing private key | Make sure your private key is included in the [PEM-formatted chain](#pem-format-certificate-chain).|
+| Missing root certificate | Make sure a valid root certificate is included in the [PEM-formatted chain](#pem-format-certificate-chain). |
+| Wrong order | Make sure the server certificate (which validates your own subdomain) is listed before the intermediate and root certificates in the [PEM-formatted chain](#pem-format-certificate-chain) |
+| Too many private keys | Make sure the [PEM-formatted chain](#pem-format-certificate-chain) includes only one corresponding private key |
+| Self-signed certificates not allowed | Create and upload a certificate issued by a recognized [certificate authority](#how-to-get-a-certificate). If you receive this error but believe your certificate is legitimately signed by an official CA, [open a support ticket](https://console.scaleway.com/support/tickets) to tell us. |
+| Invalid intermediate or root certificate authority | Make sure each **Issuer** field matches the **Subject** of the next certificate in the [PEM-formatted chain](#pem-format-certificate-chain).|
+| Incorrect root certificate | Make sure your server certificate chains up to the provided root(s) certificate(s) in the [PEM-formatted chain](#pem-format-certificate-chain). |
+| Private key and certificate mismatch | Make sure the private key in the [PEM-formatted chain](#pem-format-certificate-chain) matches the server certificate. |
+| Subdomain and server certificate mismatch | Make sure the subdomain you configured for Edge Services matches that of the server certificate. |
+| Certificate expired | [Create a new certificate](#keeping-your-certificate-up-to-date) and import it. |
+
+If any of these errors are detected while you are initially configuring your subdomain, you will be blocked from continuing until the error is fixed.
+
+However, these errors may also be detected and displayed on your Edge Services dashboard even after you have initially successfully configured your subdomain and certificate. This could be the case, for example, if your certificate has since expired, you have modified your subdomain without modifying the certificate, or you have modified the certificate in Secret Manager. In this case, your initial certificate will remain in use by Edge Services until the error is fixed, but clients may see an error in their browser as they try to access your customized domain.
+
+To fix the problem, you must generate a valid certificate, and then do one of the following:
+
+- [Use Edge Services to import a new certificate directly](/network/edge-services/how-to/configure-custom-domain/#how-to-edit-your-customized-domain-or-its-certificate)
+- [Create a new secret](/identity-and-access-management/secret-manager/how-to/create-secret/) to hold the certificate in Secret Manager, and [edit your customized endpoint with Edge services](/network/edge-services/how-to/configure-custom-domain/#how-to-edit-your-customized-domain-or-its-certificate) to tell it to use this secret
+- [Create a new version](/identity-and-access-management/secret-manager/how-to/create-version/) of the existing secret holding your expired certificate, where the new version contains a valid certificate. If Edge Services is already using this secret, it will automatically detect and use the new version - it always uses the most recent enabled version of a secret.
+
+#### Secret not visible for selection in Edge Services
+
+You may find that a certificate you have stored in Secret Manager is not available for selection from Edge Services. This is probably because the secret does not have the "certificate" type, which is necessary for it to be visible to Edge Services. The "type" of a secret can be defined when creating a secret via the [API](https://www.scaleway.com/en/developers/api/secret-manager/#path-secrets-create-a-secret), but not via the console. For that reason, if you prefer to use the console to create your certificates, we suggest manually importing the certificate via Edge Services rather than via Secret Manager. This way, it will automatically inherit the "certificate" type.
\ No newline at end of file
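Review bot: The certbot command in step 2 of "Tips for creating a certificate" ends at `-d` with no domain argument, although the step says "inserting your subdomain where shown". It looks like an angle-bracket placeholder was stripped; use a form that survives MDX rendering, for example `-d your-subdomain.your-domain.ext` to match the record name in step 3. Other points in this hunk: "It is ent pipelineirely generated" in the managed Let's Encrypt section is a stray insertion inside "entirely"; a `TODO CHECK` placeholder remains under "Keeping your certificate up to date"; the "Self-signed certificates not allowed" row links to `#how-to-get-a-certificate`, but no heading in this file produces that anchor (the section is titled "Tips for creating a certificate"); and the `cat private_key.pem cert.pem root_cert.pem > cert_chain.pem` example omits the intermediate certificate that the PEM layout and the "Invalid intermediate or root certificate authority" row both depend on, so either add it to the command or state that this example assumes no intermediate. "Secured Socket Layer" should read "Secure Sockets Layer". Since both `cat` examples write the private key into the combined file, a short sentence on restricting or removing that file after upload would be worth adding. The file also lacks a trailing newline.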
diff --git a/storage/object/reference-content/cname-record.mdx b/storage/object/reference-content/cname-record.mdx
index 2ce6c9a983..b752cb1013 100644
--- a/storage/object/reference-content/cname-record.mdx
+++ b/storage/object/reference-content/cname-record.mdx
@@ -1,93 +1,15 @@
---
meta:
- title: CNAME records and DNS for Object Storage with Edge Services
- description: Set up CNAME records for efficient routing to Scaleway Object Storage.
+ title: CNAME records and DNS for Edge Services
+ description: Learn how to set up and manage CNAME records for Scaleway Edge Services pipelines. Follow our detailed guide to configure your custom domain and enhance your cloud accessibility.
content:
- h1: CNAME records and DNS for Object Storage with Edge Services
- paragraph: Set up CNAME records for efficient routing to Scaleway Object Storage.
-tags: object-storage edge-services cname dns
+ h1: CNAME records and DNS for Edge Services
+ paragraph: Learn how to set up and manage CNAME records for Scaleway Edge Services pipelines. Follow our detailed guide to configure your custom domain and enhance your cloud accessibility.
+tags: edge-services pipeline cname dns
dates:
- validation: 2024-05-06
+ validation: 2024-07-25
categories:
- - storage
+ - network
---
-This document contains information to help you successfully create a CNAME record for your customized [Edge Services](/storage/object/how-to/get-started-edge-services) domain, and troubleshoot any potential DNS problems.
-
-## What is a CNAME record?
-
-A **C**anonical **Name** (CNAME) record is a type of [DNS record](/network/domains-and-dns/concepts/#dns-record). Generally, DNS records hold information for translating a domain or subdomain to an IP address, mail server or other domain/subdomain. They are crucial in directing internet traffic to the correct servers. More specifically, CNAME records map one domain name (an alias) to another (the canonical name).
-
-A CNAME record may look like the following:
-
-| Hostname / Alias | Destination / Canonical Name |
-|----------------------------|-------------------------------|
-| `videos.example.com` | `otherdomain.com` |
-
-In this case, when a DNS server sees this record for `videos.example.com` it will know not to direct traffic to `videos.example.com`'s own IP address, but to that of `otherdomain.com`. It will find `othercomain.com`'s IP address via its [A record](/network/domains-and-dns/reference-content/understanding-dns-records/#a-record).
-
-When the client actually connects to `otherdomain.com`'s IP address, the web server can see that the requested URL was `videos.example.com`, and deliver the relevant content.
-
-## When and why do I need to create a CNAME record for Edge Services?
-
-When you enable Edge Services, initially your bucket content is served through the standard Edge Services endpoint, e.g. `bucket-name.svc.edge.scw.cloud`. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about CNAME records.
-
-However, if you choose to [customize your Edge Services endpoint with your own subdomain](/storage/object/how-to/get-started-edge-services/#how-to-configure-a-custom-domain), a CNAME record must be created to point your subdomain to the Edge Services endpoint for your bucket.
-
- - If your domain is managed with [Scaleway Domains and DNS](/network/domains-and-dns/quickstart/), we take care of auto-generating the appropriate CNAME record for you, as well as deleting it if and when you deactivate Edge Services. There is no action for you to take. You should not attempt to modify or delete the CNAME record (which will be visible among your Domains and DNS records in the console).
- - If your domain is managed by an external provider, Scaleway is unable to create the appropriate CNAME record for you. You will be prompted, as part of the process for customizing your Edge Services domain, to create this record yourself with your domain provider.
-
-
-
-## How to create a CNAME record
-
-Log into your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services endpoint for your bucket. This endpoint can be retrieved from the Scaleway console.
-
-The interface used by different domain providers varies, but creating your CNAME record may look like one of the following examples:
-
-| Record | Destination |
-|--------------------------------------------|------------------------------------------|
-| `my-chosen-subdomain.beautiful-domain.com` | `bucket-name.svc.edge.scw.cloud.` |
-
-| Subdomain | Target host |
-|--------------------------------------------|------------------------------------------------|
-| `my-chosen-subdomain` | `bucket-name.svc.edge.scw.cloud.` |
-
-| Host record | Points to |
-|--------------------------------------------|------------------------------------------------|
-| `my-chosen-subdomain` | `bucket-name.svc.edge.scw.cloud.` |
-
-| `my-chosen-subdomain` | Record Type | Value |
-|--------------------------------------------|-----------------|------------------------------------------------|
-| `@` | `CNAME` | is an alias of `bucket-name.svc.edge.scw.cloud.`|
-
-
-The trailing dot at the end of the target endpoint (`bucket-name.svc.edge.scw.cloud.`) is implicitly added by some domain and DNS providers, and must be explicitly added for others. Check with yours whether the dot is necessary.
-
-
-You may also see a `TTL` field, which stands for **T**ime **T**o **L**ive. This tells the DNS resolver how long it can cache this record, before it must re-check the original source in case something has changed. TTL is measured in seconds, and the default value is usually 12 hours (43200 seconds) or 24 hours (86400 seconds).
-
- ## Troubleshooting DNS and subdomain errors
-
-When setting up your customized subdomain with Edge Services, you have the option to carry out a verification check on the CNAME record (if your domain is managed with an external provider). Edge Services will query the subdomain and check that it resolves correctly to the Edge Services endpoint. If there is a problem, you will see an error message:
-
-
-
-An error message may also display at a later point from your Edge Services dashboard if a problem is detected at any point with your CNAME record or subdomain:
-
-
-
-See the table below for help with troubleshooting these errors:
-
-| Error message | Solution |
-|-------------------------------------------|---------------------------------------------------------------------|
-| No CNAME record found | Make sure you have created a valid DNS record of type **CNAME** (not **A**, **AAAA** or another type), where your subdomain points to the Edge Services endpoint. |
-| Incorrect CNAME | Make sure your CNAME record points to the Edge Services endpoint in the format `bucket-name.svc.edge.scw.cloud.`, and that you have replaced `bucket-name` with the name of your bucket. |
-| Domain does not exist | You must own the domain name you are attempting to configure. If you do not already own the domain name, you cannot create a subdomain or CNAME record for it. Register the domain name, for example using our [Domains and DNS](/network/domains-and-dns/how-to/register-internal-domain/) product, then create a CNAME record for the subdomain. Otherwise, ensure you did not make a typo when entering the domain name into the Scaleway console. |
-| scw.cloud is forbidden | You cannot use subdomains of the `scw.cloud` domain, as the domain is owned and managed by Scaleway and you cannot create DNS records for it. Use your own domain and subdomain. |
-| Invalid Top Level Domain | Make sure the Top-Level Domain (e.g. `.com`, `.fr`) you entered is correct. |
-| Root domain not allowed | You cannot use a root domain alone to customize Edge Services (e.g. `example.com`. Make sure you use a subdomain (e.g. `blog.example.com`)) | |
-| Subdomain must be a correctly-formatted, fully-qualified sub domain name | Make sure the subdomain name you entered is [correctly formatted](https://en.wikipedia.org/wiki/Domain_name#Domain_name_syntax), e.g. `foo.example.fr`. |
-| Record already exists for this FQDN in your DNS zone | Choose a different subdomain, or delete the existing DNS record. |
-
-Note that if your domain is managed by Scaleway Domains and DNS and you therefore have an auto-created CNAME record, you should **not** attempt to delete it or modify it in any way. Scaleway will take care of deleting the CNAME record if and when you deactivate Edge Services.
+This document has moved to the new [dedicated Edge Services section](/network/edge-services/reference-content/cname-record/).
\ No newline at end of file
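Review bot: Replacing the body with a single "This document has moved" link drops every heading anchor, so existing deep links such as /storage/object/reference-content/cname-record/#how-to-create-a-cname-record will land on a stub with no matching section; a path-level redirect to /network/edge-services/reference-content/cname-record/ would serve those links better than a stub page. If the stub stays, the front matter should describe it as moved rather than carry a full title, description and h1 together with "categories: network" for a file that still lives under storage/object. Assuming the removed text was copied to the new location, check that the copy does not carry over the `othercomain.com` typo, the stray leading space before "## Troubleshooting DNS and subdomain errors", or the misplaced parenthesis and extra empty cell in the "Root domain not allowed" row.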
diff --git a/storage/object/reference-content/ssl-tls-certificate.mdx b/storage/object/reference-content/ssl-tls-certificate.mdx
index 7fe8a26d63..7c862f51f2 100644
--- a/storage/object/reference-content/ssl-tls-certificate.mdx
+++ b/storage/object/reference-content/ssl-tls-certificate.mdx
@@ -1,227 +1,15 @@
---
meta:
- title: SSL/TLS Certificates for Object Storage with Edge Services
- description: Implement SSL/TLS certificates with Scaleway Object Storage for secure access.
+ title: SSL/TLS Certificates for Edge Services
+ description: Discover how to configure SSL/TLS certificates for Scaleway Edge Services pipelines. Follow our comprehensive guide to secure your custom domains and ensure data protection.
content:
- h1: SSL/TLS Certificates for Object Storage with Edge Services
- paragraph: Implement SSL/TLS certificates with Scaleway Object Storage for secure access.
-tags: object-storage edge-services ssl-tls certificate ssl tls pem certificate-authority root-certificate pem chain ca
+ h1: SSL/TLS Certificates for Edge Services
+ paragraph: Discover how to configure SSL/TLS certificates for Scaleway Edge Services pipelines. Follow our comprehensive guide to secure your custom domains and ensure data protection.
+tags: edge-services pipeline ssl-tls certificate ssl tls pem certificate-authority root-certificate pem chain ca
dates:
- validation: 2024-05-13
+ validation: 2024-07-25
categories:
- - storage
+ - network
---
-This document contains information to help you with SSL/TLS certificates that enable your bucket's content to be served over HTTPS, through your customized [Edge Services](/storage/object/how-to/get-started-edge-services) domain.
-
-## Introduction
-
-### What is an SSL/TLS certificate?
-
-An SSL/TLS certificate is a digital certificate that enables an encrypted connection between a client and a web server over HTTPS.
-
-You may hear certificates referred to as “SSL certificates”, “TLS certificates” or “SSL/TLS certificates”. These are all the same thing. SSL (Secured Socket Layer) was the protocol initially used for encryption, though it has now been replaced with TLS (Transport Layer Security).
-
-SSL/TLS certificates contain a **public key**, which corresponds to a separate **private key**. These work as a pair. When a client wants to establish an encrypted connection to a host, it requests the host's certificate. The host shares the certificate, which includes the public key (the private key is never shared and is kept by the host). The client checks the certificate, and uses the host's public key to encrypt the data that it transfers to the host. The host uses its private key to decrypt the data that has been encrypted by the public key.
-
-The private key is also used by the host for generating digital signatures, while the public key is used by clients for verifying those signatures.
-
-### When and why do I need an SSL/TLS certificate for Edge Services?
-
-When you enable Edge Services, initially your bucket content is served through the standard Edge Services endpoint, e.g. `https://bucket-name.svc.edge.scw.cloud`. Scaleway's own SSL/TLS certificate, which covers this subdomain, is used to establish the encrypted connection between client and host. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about creating SSL/TLS certificates.
-
-However, if you choose to [customize your Edge Services endpoint with your own subdomain](/storage/object/how-to/get-started-edge-services/#how-to-configure-a-custom-domain), Scaleway's own SSL/TLS certificate cannot longer be used to establish encrypted connections to your subdomain. Client connections are now initially going to a different domain which needs to be "guaranteed" by its own certificate (despite the CNAME record for the subdomain pointing to the Scaleway endpoint).
-
-Therefore, when you customize your Edge Services endpoint with a subdomain, you are prompted to generate or upload an SSL/TLS certificate for that subdomain.
-
-## How can I provide an SSL/TLS certificate for my Edge Services customized domain?
-
-You will be prompted to choose one of the following options when [customizing your domain](/storage/object/how-to/get-started-edge-services/#how-to-configure-a-custom-domain):
-
-- **Generate a Let's Encrypt certificate**: Scaleway generates a free, managed Let's Encrypt certificate for your domain and automatically renews it as necessary.
-
-- **Select an existing certificate from Secret Manager**: You select a certificate that you have already uploaded in [Scaleway Secret Manager](/identity-and-access-management/secret-manager/quickstart/).
-
-- **Manually import a certificate into Secret Manager**: You can manually create your own certificate and import it. It will be stored in Scaleway Secret Manager (check the [dedicated pricing page](https://www.scaleway.com/en/pricing/?tags=securityandidentity)).
-
-## Generating a managed Let's Encrypt certificate
-
-This is the hassle-free option if you do not want to create or manage your own SSL/TLS certificate. Scaleway takes care of generating a certificate for your customized domain in the correct format. The certificate is automatically renewed before it expires. This option is available for free: it costs you nothing for Scaleway to generate and manage a Let's Encrypt certificate for your domain.
-
-You must ensure that you have correctly set the [CNAME record](/storage/object/reference-content/cname-record/) for your domain. Without having done this, the Let's Encrypt certificate option in the console will not be available. It is also important to check the CNAME is correctly set up so that the certificate is properly generated and reviewed.
-
-Note that you will not have access to the generated certificate itself in Secret Manager or elsewhere. It is entirely generated and managed "behind the scenes", and is not configurable by the user. If you reset your domain, or disable Edge Services, Scaleway automatically deletes the generated Let's Encrypt certificate.
-
-### Troubleshooting
-
-#### Errors
-
-If there is a problem generating your managed Let's Encrypt certificate, an error will be displayed. See the table below for help resolving these errors.
-
-| Error | Solution |
-| ------------------------------------------------------------------------|---------------------------------------------------------------------|
-| Too many certificates already issued for this domain | Wait, before retrying. This error occurs when you hit the limit of generating 50 Let's Encrypt certificates in a rolling 7 day period for the same domain. |
-| Internal managed certificate error | [Open a support ticket](https://console.scaleway.com/support/tickets/create). There has been an unspecified error in generating a managed Let's Encrypt certificate for your subdomain. |
-| Certificate cannot be renewed - Your CNAME record is no longer accurate | Your CNAME record has either been deleted or modified. Without a correct CNAME record, we cannot renew your managed Let's Encrypt certificate. [Rectify your CNAME record](/storage/object/reference-content/cname-record/#how-to-create-a-cname-record), and when Edge Services detects the correct record exists, your certificate will be automatically renewed. |
-
-## Using your own certificate
-
-If you wish to use your own certificate, rather than the option of generating a managed Let's Encrypt certificate, take into account the following points.
-
-### Accepted certificate types
-
-Types of validation:
-
-- ❌ **Self-signed certificates**. Certificates for Edge Services must be signed by a Certificate Authority (CA)
-- ✅ **Domain Validated Certificate**. The CA simply checks that the applicant owns the domain.
-- ✅ **Extended/Organization Validation Certificate**. The applicant must pass more in-depth validation procedures and checks by the CA.
-
-Types of domain coverage:
-
-- ✅ **Single domain certificate**. Secures a single domain or subdomain. Note that the certificate must be for `your-sub.domain.com`, where the subdomain corresponds to the [subdomain for Edge Services](/storage/object/how-to/get-started-edge-services/#how-to-configure-a-custom-domain). A single domain certificate simply for `yourdomain.com` would not be acceptable, as it would not cover the subdomain for Edge Services.
-- ✅ **Wildcard certificate**. Secures multiple subdomains for a domain, using a wildcard `*` symbol. The **Common Name** of the certificate should look like `*.yourdomain.com`.
-- ✅ **Multi-domain (MD) / Subject Alternative Name (SAN) / Unified Communications Certificate (UCC) certificate**. Secures multiple explicitly-defined fully qualified domain names (`www.yourfirstdomain.com`, `sub.yourfirstdomain.com`, `yourfirstdomain.com`, `yourseconddomain.com`, `sub.yourseconddomain.com` etc.)
-
-### PEM format certificate chain
-
-Edge Services requires that you import your certificate as a PEM-formatted certificate chain, which includes the private key. PEM format is Base64 encoded ASCII, and by definition includes lines stating `-----BEGIN x-----` and `-----END x-----`.
-
-Your PEM formatted certificate chain should look like this:
-
-```
------BEGIN PRIVATE KEY-----
-(private key here)
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-(primary certificate (aka server certificate) here)
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-(intermediate certificate here)
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-(root certificate here)
------END CERTIFICATE-----
-```
-
-| Section | Contains | Subject (issued for) | Issued and signed by |
-|--------------------------|------------------------------------------------------------------|------------------------|----------------------|
-| Private key | The private key file for the certificate | | |
-| Primary/server certificate | The certificate issued by the CA for your domain name | Your name and public key | CA |
-| Intermediate certificate | The intermediate certificate chaining your primary certificate to the root certificate | CA's name and public key. | Root CA |
-| Root certificate | The root certificate by the CA, for the trusted CA itself | The Root CA's name and public key | Root CA (self signed) |
-
-Note that in certain cases an intermediate certificate may not be necessary, if the root certificate chains directly to the primary/server certificate. The crucial thing is that the subject and issuers of each certificate form a coherent chain of validation. If a certificate is issued by an authority that is not present in the chain, an error will occur.
-
-
-
-You can use the [OpenSSL](https://www.openssl.org/) utility to convert certificates and keys from other formats to PEM, from the command line. Once installed, use a command like the following:
-
-```sh
-openssl x509 -in cert.crt -out cert.pem
-```
-
-```sh
-openssl x509 -in cert.der -out cert.pem
-```
-
-```sh
-openssl x509 -in cert.cer -out cert.pem
-```
-
-When you have your key, your server certificate and your root certificate all in separate files, you can use the `cat` command to chain them together into one file, ready to be copied and pasted:
-
-```sh
-cat private_key.pem cert.pem root_cert.pem > cert_chain.pem
-```
-
-
-
-### Tips for creating a certificate
-
-In general, SSL/TLS certificates can either be **self-signed** (signed by the subject of the certificate, e.g. the owner of the domain) or **CA-signed** (signed by a third party **C**ertificate **A**uthority which is publicly trusted).
-
-**Self-signed certificates cannot be used with Edge Services, all certificates must be signed by a CA that is known and trusted by Edge Services.**
-
-To get an SSL/TLS certificate for your domain or subdomain, you need to generate a Certificate Signing Request (CSR) and submit it to a Certificate Authority (CA) for them to validate your domain, who then send you a signed certificate. You may be able to carry out this procedure via your hosting provider, or from the command line.
-
-CAs of private companies whose primary business is not SSL or domains may not be trusted by Edge Services. If you encounter a self-signed certificate error with Edge Services, but you believe your certificate is legitimately signed by an official CA, [open a support ticket](https://console.scaleway.com/support/tickets) to tell us.
-
-
-
-To get a working Let's Encrypt certificate using certbot on the command line, follow the steps below:
-
-1. Install [certbot](https://certbot.eff.org/) on your machine.
-2. Open a terminal and run the following command, inserting your subdomain where shown:
- ```bash
- sudo certbot certonly --manual --preferred-challenges dns -d
- ```
- The command returns a token and asks you to create a TXT record in your DNS.
-3. Go to your domain/DNS provider and create a TXT record. The record name should be `_acme-challenge.your-subdomain.your-domain.ext` and the record must contain the token provided by certbot. Make sure the record has a short TTL in case you have to modify it for debugging purposes.
-4. Return to the terminal and press `Enter` once your record is ready.
- Certbot starts the verification process. If it succeeds, the certificate is downloaded to your machine in two files: the private key and the certificate.
-5. Concatenate the two files into one, using the following command:
- ```bash
- cat privkey.pem fullchain.pem > certificate.pem
- ```
-6. Delete the TXT record from your DNS.
-
-
-
-### Uploading your certificate
-
-When you [configure your customized domain](/storage/object/how-to/get-started-edge-services/#how-to-configure-a-custom-domain) with Edge Services for the first time, you are prompted to upload your certificate. You can do so in two ways:
-
- - Select an existing certificate that you have stored in a secret in [Scaleway Secret Manager](/identity-and-access-management/secret-manager/quickstart/). The secret must be of the **certificate** type in order to be visible to Edge Services. The type can be defined when creating a secret via the [API](https://www.scaleway.com/en/developers/api/secret-manager/#path-secrets-create-a-secret), but not via the console. For that reason, if you prefer to use the console to create your certificates, we suggest using the next option:
- - Manually import a certificate into Scaleway Secret Manager, directly from the Edge Services **Configure domain** wizard (copy and paste the PEM formatted chain). Your certificate will be automatically stored in Secret Manager, held in a secret that automatically inherits the type "certificate".
-
-### Keeping your certificate up to date
-
-SSL/TLS certificates all expire at some point. If your certificate expires before you upload a new one, you will see an error like this on your Edge Services dashboard:
-
-
-
-You must renew your certificate or create a new one. A number of tools are available to ensure that certificates are automatically renewed before expiry, for example [Certbot for LetsEncrypt](https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates). However, since Certbot or other tools for automatically renewing certificates are not currently integrated into Edge Services, you will need to manually update the certificate via the Scaleway console.
-
-When you have your up to date certificate, go to [Secret Manager](https://console.scaleway.com/secret-manager/secrets) in the console, and access the secret that contains your certificate. [Create a new version](/identity-and-access-management/secret-manager/how-to/create-version/) of the secret, to hold the up to date certificate. Edge Services will automatically detect and use the most recent enabled version of the secret. You can nonetheless choose to disable or delete the old version(s) as you prefer, which will also save your billing costs (since you are billed per version).
-
-
-
-If you change your customized subdomain to something new, you will need to generate and import a new certificate for that subdomain. In this case, it is recommended to create a new [secret](/identity-and-access-management/secret-manager/concepts/#secret) to hold the new certificate, rather than creating a new version of an existing secret.
-
-
-
-### Troubleshooting
-
-#### Errors
-
-If Edge Services detects a problem with your certificate, an error will be displayed. See the table below for help resolving these errors.
-
-| Error | Solution |
-|-------------------------------------------------------------------------|---------------------------------------------------------------------|
-| Certificate format | Make sure your certificate is in [PEM format](#pem-format-certificate-chain). |
-| Certificate private key format | Make sure your private key is in [PEM format](#pem-format-certificate-chain).|
-| Missing server certificate | Make sure the server certificate (which validates your own subdomain) is included in the [PEM-formatted chain](#pem-format-certificate-chain).|
-| Missing private key | Make sure your private key is included in the [PEM-formatted chain](#pem-format-certificate-chain).|
-| Missing root certificate | Make sure a valid root certificate is included in the [PEM-formatted chain](#pem-format-certificate-chain). |
-| Wrong order | Make sure the server certificate (which validates your own subdomain) is listed before the intermediate and root certificates in the [PEM-formatted chain](#pem-format-certificate-chain) |
-| Too many private keys | Make sure the [PEM-formatted chain](#pem-format-certificate-chain) includes only one corresponding private key |
-| Self-signed certificates not allowed | Create and upload a certificate issued by a recognized [certificate authority](#how-to-get-a-certificate). If you receive this error but believe your certificate is legitimately signed by an official CA, [open a support ticket](https://console.scaleway.com/support/tickets) to tell us. |
-| Invalid intermediate or root certificate authority | Make sure each **Issuer** field matches the **Subject** of the next certificate in the [PEM-formatted chain](#pem-format-certificate-chain).|
-| Incorrect root certificate | Make sure your server certificate chains up to the provided root(s) certificate(s) in the [PEM-formatted chain](#pem-format-certificate-chain). |
-| Private key and certificate mismatch | Make sure the private key in the [PEM-formatted chain](#pem-format-certificate-chain) matches the server certificate. |
-| Subdomain and server certificate mismatch | Make sure the subdomain you configured for Edge Services matches that of the server certificate. |
-| Certificate expired | [Create a new certificate](#keeping-your-certificate-up-to-date) and import it. |
-
-If any of these errors are detected while you are initially configuring your subdomain, you will be blocked from continuing until the error is fixed.
-
-However, these errors may also be detected and displayed on your Edge Services dashboard even after you have initially successfully configured your subdomain and certificate. This could be the case, for example, if your certificate has since expired, or you have modified your subdomain without modifying the certificate, or you have modified the certificate in Secret Manager. In this case, your initial certificate will remain in use by Edge Services until the error is fixed, but clients may see an error in their browser as they try to access your customized domain.
-
-To fix the problem, you must generate a valid certificate, and then do one of the following:
-
-- [Use Edge Services to import a new certificate directly](/storage/object/how-to/get-started-edge-services/#how-to-edit-your-customized-domain-or-its-certificate)
-- [Create a new secret](/identity-and-access-management/secret-manager/how-to/create-secret/) to hold the certificate in Secret Manager, and [edit your customized endpoint with Edge services](/storage/object/how-to/get-started-edge-services/#how-to-edit-your-customized-domain-or-its-certificate) to tell it to use this secret
-- [Create a new version](/identity-and-access-management/secret-manager/how-to/create-version/) of the existing secret holding your expired certificate, where the new version contains a valid certificate. If Edge Services is already using this secret, it will automatically detect and use the new version - it always uses the most recent enabled version of a secret.
-
-#### Secret not visible for selection in Edge Services
-
-You may find that a certificate you have stored in Secret Manager is not available for selection from Edge Services. This is probably because the secret does not have the "certificate" type, which is necessary for it to be visible to Edge Services. The "type" of a secret can be defined when creating a secret via the [API](https://www.scaleway.com/en/developers/api/secret-manager/#path-secrets-create-a-secret), but not via the console. For that reason, if you prefer to use the console to create your certificates, we suggest manually importing the certificate via Edge Services rather than via Secret Manager. This way, it will automatically inherit the "certificate" type.
\ No newline at end of file
+This document has moved to the new [dedicated Edge Services section](/network/edge-services/reference-content/ssl-tls-certificate/).
\ No newline at end of file
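Review bot: The added tags line still lists `pem` twice ("... ssl tls pem certificate-authority root-certificate pem chain ca"); drop the duplicate. The stub also keeps a full title, description and h1 for a page whose only content is a link, which a redirect or a "moved" description would handle more cleanly. Assuming the removed text was copied to the new location, check the copy for defects visible here: "cannot longer be used", the `#how-to-get-a-certificate` link in the "Self-signed certificates not allowed" row, which matches no heading in the removed page, and the certbot command that ends at `-d` with no domain argument. The `cat private_key.pem cert.pem root_cert.pem > cert_chain.pem` and `cat privkey.pem fullchain.pem > certificate.pem` steps write the private key into a new file, so the moved page would benefit from a sentence on restricting that file's permissions and deleting it after import.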