[SSL] Update origin-ca and adjust content for SEO (#19315)

* Use 'Cloudflare origin CA' more consistently and callout proxied traffic

* Create origin-ca folder and add placeholder page for ts

* Create partial for pause CF error

* Add NET::ERR_CERT_AUTHORITY_INVALID and solutions

* Add origin server errors and list necessary root CA files

* Fix missing period

Co-authored-by: Pedro Sousa <[email protected]>

* Reword troubleshooting steps for proxying on and off

---------

Co-authored-by: Pedro Sousa <[email protected]>

src/content/docs/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv.mdx

@@ -35,7 +35,7 @@ You should use Delegated DCV when all of the following conditions are true:
 
 :::note[Delegated DCV and origin certificates]
 
-As explained in the [announcement blog post](https://blog.cloudflare.com/introducing-dcv-delegation/), currently, you can only delegate DCV to one provider at a time. If you also issue publicly trusted certificates for the same hostname for your [origin server](/ssl/concepts/#origin-certificate), this will no longer be possible. You can use [Cloudflare Origin CA certificates](/ssl/origin-configuration/origin-ca/) instead.
+As explained in the [announcement blog post](https://blog.cloudflare.com/introducing-dcv-delegation/), currently, you can only delegate DCV to one provider at a time. If you also issue publicly trusted certificates for the same hostname for your [origin server](/ssl/concepts/#origin-certificate), this will no longer be possible. You can use [Cloudflare origin CA certificates](/ssl/origin-configuration/origin-ca/) instead.
 :::
 
 ## Setup

src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx

@@ -28,7 +28,7 @@ If you need a different AOP certificate to apply to different custom hostnames,
 
 First, upload a certificate to your origin.
 
-To use a Cloudflare certificate (which uses a specific CA), [download the .PEM file](/ssl/static/authenticated_origin_pull_ca.pem) and upload it to your origin. This certificate is **not** the same as the Cloudflare Origin CA certificate and will not appear on your Dashboard.
+To use a Cloudflare certificate (which uses a specific CA), [download the .PEM file](/ssl/static/authenticated_origin_pull_ca.pem) and upload it to your origin. This certificate is **not** the same as the [Cloudflare origin CA certificate](/ssl/origin-configuration/origin-ca/) and will not appear on your Dashboard.
 
 To use a custom certificate, follow the API instructions to [upload a custom certificate to Cloudflare](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate), but use the [`origin_tls_client_auth` endpoint](/api/resources/origin_tls_client_auth/methods/create/). Then, upload the certificate to your origin.
 

src/content/docs/ssl/origin-configuration/origin-ca.mdx → src/content/docs/ssl/origin-configuration/origin-ca/index.mdx

@@ -1,24 +1,23 @@
 ---
-title: Origin CA certificates
+title: Cloudflare origin CA
 pcx_content_type: how-to
 sidebar:
   order: 3
+  label: Setup
 head: []
-description: Origin Certificate Authority (CA) certificates allow you to encrypt
-  traffic between Cloudflare and your origin web server, and reduce origin
-  bandwidth consumption.
+description: Encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption.
 
 ---
 
-import { FeatureTable } from "~/components"
+import { FeatureTable, GlossaryTooltip, Render } from "~/components"
 
-Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](/ssl/origin-configuration/ssl-modes/full-strict/).
+If your origin only receives traffic from <GlossaryTooltip term="proxy status">proxied records</GlossaryTooltip>, use Cloudflare origin CA certificates to encrypt traffic between Cloudflare and your origin web server and reduce bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](/ssl/origin-configuration/ssl-modes/full-strict/).
 
-For more background information on Origin CA certificates, refer to the [introductory blog post](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/).
+For more background information on origin CA certificates, refer to the [introductory blog post](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/).
 
 :::note
 
-Using Cloudflare Origin CA certificates do not prevent you from using [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).
+Using Cloudflare origin CA certificates does not prevent you from using [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).
 :::
 
 ## Availability
@@ -89,6 +88,10 @@ If all your origin hosts are protected by Origin CA certificates or publicly tru
 
 If you have origin hosts that are not protected by certificates, set the **SSL/TLS encryption** mode for a specific application to **Full (strict)** by using a [Page Rule](/rules/page-rules/).
 
+:::caution
+<Render file="origin-ca-pause-error" />
+:::
+
 ## Revoke an Origin CA certificate
 
 If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.
@@ -114,7 +117,7 @@ Some origin web servers require upload of the Cloudflare Origin CA root certific
 
 ### Hostname and wildcard coverage
 
-Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (`www.example.com`) or a wildcard (`*.example.com`). You cannot use IP addresses as SANs on Cloudflare Origin CA certificates.
+Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (`www.example.com`) or a wildcard (`*.example.com`). You cannot use IP addresses as SANs on Cloudflare origin CA certificates.
 
 Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, `*.example.com` and `*.secure.example.com` may co-exist).
 
@@ -131,4 +134,4 @@ To automate processes involving Origin CA certificates, use the following API ca
 
 ## Troubleshooting
 
-Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
+If you find `NET::ERR_CERT_AUTHORITY_INVALID` or other issues after setting up Cloudflare origin CA, refer to [troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/).

src/content/docs/ssl/origin-configuration/origin-ca/troubleshooting.mdx

@@ -0,0 +1,45 @@
+---
+title: Troubleshooting Cloudflare origin CA
+pcx_content_type: troubleshooting
+description: Troubleshoot issues like NET::ERR_CERT_AUTHORITY_INVALID when using Cloudflare origin CA.
+sidebar:
+  order: 2
+  label: Troubleshooting
+---
+
+import { GlossaryTooltip, Render } from "~/components";
+
+Consider the following common issues and troubleshooting steps when using [Cloudflare origin CA](/ssl/origin-configuration/origin-ca/).
+
+## NET::ERR_CERT_AUTHORITY_INVALID
+
+### Cause
+<Render file="origin-ca-pause-error" />
+
+This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid.
+
+### Solutions
+
+- Make sure the [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/) of your DNS records and any [page rules](/rules/page-rules/) (if existing) are set up correctly. If so, you can try to turn proxying off and then on again and wait a few minutes.
+- If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a <GlossaryTooltip term="Certificate Authority (CA)">certificate authority (CA)</GlossaryTooltip> of your choice. You can still use Full (strict) [encryption mode](/ssl/origin-configuration/ssl-modes/), as long as the CA is listed on the [Cloudflare trust store](https://github.com/cloudflare/cfssl_trust).
+
+## The issuer of this certificate could not be found
+
+### Cause
+Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain.
+
+### Solution
+Use the following links to download either an ECC or an RSA version and upload to your origin web server:
+
+* [Cloudflare Origin ECC PEM](/ssl/static/origin_ca_ecc_root.pem) (do not use with Apache cPanel)
+* [Cloudflare Origin RSA PEM](/ssl/static/origin_ca_rsa_root.pem)
+
+## The certificate is not trusted in all web browsers
+
+### Cause
+Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain.
+
+### Solution
+Use the following link to download an RSA version of the root certificate and upload it to your origin web server:
+
+* [Cloudflare Origin RSA PEM](/ssl/static/origin_ca_rsa_root.pem)

src/content/partials/ssl/origin-ca-pause-error.mdx

@@ -0,0 +1,8 @@
+---
+{}
+
+---
+
+import { GlossaryTooltip } from "~/components";
+
+Site visitors may see untrusted certificate errors if you [pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) or <GlossaryTooltip term="proxy status">disable proxying</GlossaryTooltip> on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.