ctdsf
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx‎
Lines changed: 1 addition & 14 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx‎
Lines changed: 1 addition & 14 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/explanation.mdx‎
Lines changed: 5 additions & 8 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/explanation.mdx‎
Lines changed: 5 additions & 8 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx‎
Lines changed: 19 additions & 11 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx‎
Lines changed: 19 additions & 11 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/global.mdx‎
Lines changed: 61 additions & 0 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/global.mdx‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates.mdx‎
Lines changed: 12 additions & 13 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates.mdx‎
Lines changed: 12 additions & 13 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx‎
Lines changed: 55 additions & 7 deletions b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx‎
Lines changed: 55 additions & 7 deletions
diff --git a/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx‎
Lines changed: 1 addition & 1 deletion b/‎src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx‎
Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ curl --verbose https://<your-application-load-balancer>
 
 ## 3. Configure Cloudflare
 
-1. [Upload the certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) you created in [Step 1](#1-generate-a-custom-certificate) to Cloudflare. You should use the leaf certificate, not the root CA.
+1. [Upload the certificate](/api/resources/origin_tls_client_auth/subresources/hostname_certificates/methods/create/) you created in [Step 1](#1-generate-a-custom-certificate) to Cloudflare. You should use the leaf certificate, not the root CA.
 
 <Render file="aop-per-hostname-upload-cert" product="ssl" />
 
@@ -82,19 +82,6 @@ curl --verbose https://<your-application-load-balancer>
 	}}
 />
 
-3. [Enable the Authenticated Origin Pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/#3-enable-authenticated-origin-pulls-globally) feature on your zone.
-
-<APIRequest
-	path="/zones/{zone_id}/settings/{setting_id}"
-	method="PATCH"
-	json={{
-		value: "on",
-	}}
-	parameters={{
-		setting_id: "tls_client_auth",
-	}}
-/>
-
 :::note
 
 Make sure your [encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Full** or higher. If you only want to adjust this setting for a specific hostname, use [Configuration Rules](/rules/configuration-rules/settings/#ssl).
 
@@ -6,7 +6,6 @@ sidebar:
 head:
   - tag: title
     content: How Authenticated Origin Pulls works
-
 ---
 
 ## Simple explanation
@@ -19,11 +18,9 @@ This block also applies for requests to [unproxied DNS records](/dns/proxy-statu
 
 :::caution
 
+The Cloudflare-provided certificate used by [global AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/global/) is not exclusive to your account. It only guarantees that a request is coming from the Cloudflare network.
 
-Note that the certificate Cloudflare provides for you to [set up Authenticated Origin Pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) is not exclusive to your account, only guaranteeing that a request is coming from the Cloudflare network.
-
-For more strict security, you should set up Authenticated Origin Pulls with your own certificate and consider [other security measures for your origin](/fundamentals/security/protect-your-origin-server/).
-
+For stricter security, set up [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) or [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) AOP with your own certificate and consider [other security measures for your origin](/fundamentals/security/protect-your-origin-server/).
 
 :::
 
@@ -33,7 +30,7 @@ Cloudflare enforces authenticated origin pulls by adding an extra layer of TLS c
 
 For more details, refer to the [introductory blog post](https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/).
 
-***
+---
 
 ### Types of handshakes
 
@@ -60,7 +57,7 @@ This is true even if you have [**Full**](/ssl/origin-configuration/ssl-modes/ful
       D[External device] --Standard TLS Handshake ----> C
 ```
 
-<br/>
+<br />
 
 This lack of authentication means that - even if your origin is [protected behind Cloudflare](/fundamentals/concepts/how-cloudflare-works/) - attackers with your origin's IP address will still receive a response from your origin for HTTPS requests.
 
@@ -74,6 +71,6 @@ With Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes bet
       D[External device] --Standard TLS Handshake -----x C
 ```
 
-<br/>
+<br />
 
 This additional layer of authentication ensures that any HTTPS requests outside of Cloudflare will not receive a response from your origin.
@@ -4,37 +4,45 @@ title: Authenticated Origin Pulls (mTLS)
 sidebar:
   order: 4
 head: []
-description: Authenticated Origin Pulls helps ensure requests to your origin
-  server come from the Cloudflare network.
-
+description: Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network.
 ---
 
-import { FeatureTable, Render } from "~/components"
+import { FeatureTable, Render } from "~/components";
 
 Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.
 
+:::caution[Check your encryption mode]
+Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.
+:::
+
 This authentication becomes particularly important with the [Cloudflare Web Application Firewall (WAF)](/waf/). Together with the WAF, you can make sure that **all traffic** is evaluated before receiving a response from your origin server.
 
 ## Availability
 
 <FeatureTable id="ssl.authenticated_origin_pulls" />
 
-## Aspects to consider
+## Configuration levels
 
-Although Cloudflare provides you a certificate to easily [configure zone-level authenticated origin pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/), this certificate is not exclusive to your account and only guarantees that a request is coming from the Cloudflare network. If you want more strict security, you should consider [additional security measures for your origin](/fundamentals/security/protect-your-origin-server/) and upload your own certificate when setting up Authenticated Origin Pulls.
+There are three independent AOP configurations. Each has its own certificate and enablement setting. All of them require that you also set up your origin server - refer to each of the specific guides to learn more.
 
-Using a custom certificate is possible with both [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls and is required if you need your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards) compliant.
+- [Global](/ssl/origin-configuration/authenticated-origin-pull/set-up/global/): Uses a Cloudflare-provided certificate that is shared across all Cloudflare accounts. Applies to all proxied traffic on the zone. This is the simplest setup but only guarantees that a request is coming from the Cloudflare network.
+
+- [Zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/): Uses a certificate that you upload. Applies to all proxied traffic on the zone. Provides stricter security because the certificate is exclusive to your account. Zone-level certificates take precedence over global certificates.
+
+- [Per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/): Uses a certificate that you upload, applied to specific hostnames. Per-hostname certificates take precedence over zone-level and global certificates for the specified hostname.
 
 :::note
 
 <Render file="aop-disablement-callout" product="ssl" />
 :::
 
-## Limitations
+## Aspects to consider
 
-Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.
+If you need to guarantee that requests come from your specific Cloudflare account (not just from the Cloudflare network), set up [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) or [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) AOP with your own certificate. You should also consider [additional security measures for your origin](/fundamentals/security/protect-your-origin-server/).
+
+Using a custom certificate is required if you need your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards) compliant.
 
 ## Related topics
 
-* [SSL/TLS Encryption Modes](/ssl/origin-configuration/ssl-modes/)
-* [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/)
+- [SSL/TLS Encryption Modes](/ssl/origin-configuration/ssl-modes/)
+- [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/)
@@ -0,0 +1,61 @@
+---
+pcx_content_type: how-to
+title: Global
+sidebar:
+  order: 1
+head:
+  - tag: title
+    content: Global authenticated origin pulls
+---
+
+import { Render, Tabs, TabItem, DashButton } from "~/components";
+
+When you enable global Authenticated Origin Pulls (AOP), Cloudflare uses a Cloudflare-provided client certificate for all proxied traffic to your zone. This certificate is shared across all Cloudflare accounts and guarantees that the request is coming from the Cloudflare network.
+
+Global, [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/), and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) AOP are independent configurations. Enabling or disabling one does not affect the others.
+
+## Before you begin
+
+- Make sure your zone is using an [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) of **Full** or higher.
+
+- Consider your security and certificate needs:
+
+   - The Cloudflare-provided certificate is not exclusive to your account. It only guarantees that a request is coming from the Cloudflare network. If you need stricter security, set up [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) or [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) AOP with your own certificate instead.
+
+   - Global AOP is applied to all proxied hostnames on your zone, including [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) configured on a Cloudflare for SaaS zone. If you need a different AOP certificate for different custom hostnames, use [per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/).
+
+## 1. Download the Cloudflare certificate
+
+[Download the Cloudflare authenticated origin pull certificate (.PEM)](/ssl/static/authenticated_origin_pull_ca.pem) and upload it to your origin server. This certificate is **not** the same as the [Cloudflare Origin CA certificate](/ssl/origin-configuration/origin-ca/).
+
+## 2. Configure origin to accept client certificates
+
+<Render
+	file="aop-configure-origin"
+	product="ssl"
+	params={{
+		one: "Rename the downloaded .PEM file and upload it to `/path/to/origin-pull-ca.pem` before applying the settings.",
+		two: " Rename the downloaded .PEM file and upload it to `/etc/nginx/certs/cloudflare.crt` before applying the settings.",
+	}}
+/>
+
+## 3. Enable global Authenticated Origin Pulls
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. Go to the **Origin Server** page.
+
+   <DashButton url="/?to=/:account/:zone/ssl-tls/origin" />
+
+2. Select the **Authenticated Origin Pulls** tab.
+3. In the **Global** section, switch the toggle to **On**.
+
+</TabItem> <TabItem label="API">
+
+To enable or disable global Authenticated Origin Pulls with the API, use the [Edit zone setting endpoint](/api/resources/zones/subresources/settings/methods/edit/) with `tls_client_auth` as the setting name in the URI path, and the `value` parameter set to your desired setting (`"on"` or `"off"`).
+
+</TabItem> </Tabs>
+
+## 4. Enforce validation check on your origin
+
+<Render file="aop-enforce-validation" product="ssl" />
@@ -2,16 +2,15 @@
 pcx_content_type: how-to
 title: Manage certificates
 sidebar:
-  order: 3
+  order: 4
 head:
   - tag: title
     content: Manage AOP certificates
-
 ---
 
 import { APIRequest } from "~/components";
 
-Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.
+Refer to the following sections to learn how to manage certificates used with [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) Authenticated Origin Pulls. [Global AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/global/) uses a Cloudflare-provided certificate and does not require certificate management.
 
 ---
 
@@ -25,13 +24,13 @@ Make sure you have [notifications](/notifications/notification-available/#ssltls
 
 ## Use specialized certificates
 
-To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.
+To apply different client certificates simultaneously at the zone and hostname level, you can combine zone-level and per-hostname custom certificates.
 
-First, set up [zone-level pulls](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) using a certificate. Then, upload multiple, specialized certificates for [individual hostnames](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/). Since per-hostname certificates are more specific, they take precedence over zone certificates.
+First, set up [zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) using your certificate. Then, upload specialized certificates for [individual hostnames](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/). Per-hostname certificates take precedence over zone-level certificates for the specified hostname.
 
 ---
 
-## Replace a certificate without downtime
+## Replace a certificate without downtime via API
 
 :::caution[No automatic removal]
 Cloudflare does not delete client certificates upon expiration unless you send a delete request to the Cloudflare API for the relevant certificate ([Delete a zone-level certificate](/api/resources/origin_tls_client_auth/subresources/zone_certificates/methods/delete/) or [Delete a hostname-level certificate](/api/resources/origin_tls_client_auth/subresources/hostname_certificates/methods/delete/)).
@@ -47,13 +46,13 @@ Cloudflare does not delete client certificates upon expiration unless you send a
 	path="/zones/{zone_id}/origin_tls_client_auth/hostnames"
 	method="PUT"
 	json={{
-		"config": [
+		config: [
 			{
-				"enabled": true,
-				"hostname": "<HOSTNAME>",
-				"cert_id": "<CERT_ID>"
-			}
-		]
+				enabled: true,
+				hostname: "<HOSTNAME>",
+				cert_id: "<CERT_ID>",
+			},
+		],
 	}}
 />
 
@@ -69,4 +68,4 @@ If you keep both certificates, the API will state `active` for both but the most
 
 :::note
 If you keep both certificates, the API will state `active` for both but the most recently deployed certificate will be the one enabled and used.
-:::
+:::
@@ -2,15 +2,24 @@
 pcx_content_type: how-to
 title: Per-hostname
 sidebar:
-  order: 2
+  order: 3
 head:
   - tag: title
     content: Per-hostname authenticated origin pulls
 ---
 
-import { AvailableNotifications, Render, Details } from "~/components";
+import {
+	AvailableNotifications,
+	Render,
+	Details,
+	Tabs,
+	TabItem,
+	DashButton,
+} from "~/components";
 
-When you enable Authenticated Origin Pulls per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. You can use client certificates from your Private PKI to authenticate connections from Cloudflare.
+When you enable per-hostname Authenticated Origin Pulls (AOP), all proxied traffic to the specified hostname is authenticated at the origin web server using a certificate that you upload. You can use client certificates from your Private PKI to authenticate connections from Cloudflare.
+
+[Global](/ssl/origin-configuration/authenticated-origin-pull/set-up/global/), [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/), and per-hostname AOP are independent configurations. Enabling or disabling one does not affect the others. Per-hostname certificates take precedence over zone-level and global certificates for the specified hostname.
 
 ## Before you begin
 
@@ -27,7 +36,25 @@ Refer to the steps below for an example of how to generate a custom certificate
 
 ## 1. Upload custom certificate
 
-Use the [Upload A Hostname Client Certificate](/api/resources/origin_tls_client_auth/subresources/hostname_certificates/methods/create/) endpoint to upload your custom certificate.
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. Go to the **Origin Server** page.
+
+   <DashButton url="/?to=/:account/:zone/ssl-tls/origin" />
+
+2. Select the **Authenticated Origin Pulls** tab.
+3. In the **Per-hostname** section, select **Upload certificate**.
+4. Paste the certificate and private key, then select **Continue**.
+   :::note
+   You must upload a [leaf certificate](/ssl/concepts/#chain-of-trust). If you upload a root CA instead, the upload will fail.
+   :::
+5. Review your certificate details, save the certificate ID for future reference, and select **Continue**.
+6. On the **Associate Hostnames** page, enter the fully qualified domain name that should use this certificate and select **Add** for each one. You can also skip this step and associate hostnames later.
+7. Select **Save** to confirm.
+
+</TabItem> <TabItem label="API">
+
+Use the [Upload a Hostname Client Certificate](/api/resources/origin_tls_client_auth/subresources/hostname_certificates/methods/create/) endpoint to upload your custom certificate.
 
 :::note
 
@@ -36,7 +63,9 @@ You must upload a [leaf certificate](/ssl/concepts/#chain-of-trust). If you uplo
 
 <Render file="aop-per-hostname-upload-cert" product="ssl" />
 
-In the API response, save the certificate `id` since it will be required in step 4.
+In the API response, save the certificate `id` since it will be required in step 3.
+
+</TabItem> </Tabs>
 
 ## 2. Configure origin to accept client certificates
 
@@ -48,10 +77,29 @@ In the API response, save the certificate `id` since it will be required in step
 
 ## 3. Enable Authenticated Origin Pulls for the hostname
 
-Use the Cloudflare API to send a [`PUT`](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) request to enable Authenticated Origin Pulls for specific hostnames.
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+:::note
+For per-hostname AOP, the enablement happens as you associate a hostname. If you had already associated hostnames as you uploaded the certificate, you can skip this step.
+:::
+
+1. Go to the **Origin Server** page.
+
+   <DashButton url="/?to=/:account/:zone/ssl-tls/origin" />
+
+2. Select the **Authenticated Origin Pulls** tab.
+3. In the **Per-hostname** section, find the certificate that should be used and associate the hostname with it.
 
 If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.
 
+</TabItem> <TabItem label="API">
+
+Use the [Enable or Disable a Hostname for Client Authentication](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) endpoint to enable Authenticated Origin Pulls for specific hostnames.
+
+If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.
+
+</TabItem> </Tabs>
+
 ## 4. Enforce validation check on your origin
 
 <Render file="aop-enforce-validation" product="ssl" />
@@ -71,4 +119,4 @@ You can configure alerts to receive notifications before your AOP certificates e
 
 Refer to [Manage certificates](/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options.
 
-To learn how to remove the configuration, refer to [Rollback](/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/).
+To learn how to remove the configuration, refer to [Rollback](/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/).
@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Roll back per-hostname AOP
 sidebar:
-  order: 4
+  order: 5
   label: Rollback
 ---