diff --git a/public/__redirects b/public/__redirects index 759b6b56687dfd..3291bb7173e124 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -1380,15 +1380,19 @@ /ssl/edge-certificates/disable-weak-cipher-suites/ /ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/ 301 /ssl/edge-certificates/http-strict-transport-security/ /ssl/edge-certificates/additional-options/http-strict-transport-security/ 301 /ssl/edge-certificates/uploading/ /ssl/edge-certificates/custom-certificates/uploading/ 301 +/ssl/edge-certificates/troubleshooting/ /ssl/troubleshooting/ 301 /ssl/reference/cipher-suites/custom-certificates/ /ssl/edge-certificates/custom-certificates/#certificate-packs 301 /ssl/reference/cipher-suites/matching-on-origin/ /ssl/origin-configuration/cipher-suites/#match-on-origin 301 /ssl/reference/migration-guides/lets-encrypt-chain/ /ssl/reference/certificate-authorities/#lets-encrypt 301 /ssl/reference/migration-guides/dcv-update/ /ssl/reference/migration-guides/ 301 /ssl/reference/validation-backoff-schedule/ /ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/ 301 /ssl/universal-ssl/changing-dcv-method/ /ssl/edge-certificates/changing-dcv-method/ 301 -/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/edge-certificates/troubleshooting/caa-records/ 301 +/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/faq/#caa-records 301 /support/ssl-tls/troubleshooting/troubleshooting-ssl-errors/ /ssl/troubleshooting/general-ssl-errors/ 301 /support/ssl-tls/troubleshooting/you-have-reached-your-quota-for-the-requested-resource.-code-2005/ /ssl/edge-certificates/custom-certificates/troubleshooting/ 301 +/ssl/edge-certificates/troubleshooting/ca-faq/ /ssl/faq/ 301 +/ssl/edge-certificates/troubleshooting/caa-records/ /ssl/faq/#caa-records 301 +/ssl/troubleshooting/faq/ /ssl/faq/ 301 # cloudflare for saas /ssl/ssl-for-saas/status-codes/custom-hostnames/ /cloudflare-for-platforms/cloudflare-for-saas/reference/status-codes/custom-hostnames/ 301 
@@ -1492,7 +1496,7 @@ /support/network/understanding-network-error-logging/ /network-error-logging/ 301 /support/network/understanding-the-true-client-ip-header/ /network/true-client-ip-header/ 301 /support/partners/partner-plugin-supportability/ /support/ 301 -/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/troubleshooting/faq/ 301 +/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/faq/ 301 /support/third-party-software/content-management-system-cms/using-cloudflare-with-bigcommerce/ /cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/bigcommerce/ 301 /support/third-party-software/content-management-system-cms/how-do-i-add-a-wordpress.com-custom-domain-mapping-site-to-cloudflare/ /support/third-party-software/content-management-system-cms/wordpresscom-and-cloudflare/ 301 /support/third-party-software/content-management-system-cms/how-do-i-use-wordpress-multi-site-wpmu-with-cloudflare/ /automatic-platform-optimization/ 301 diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx index 0b6fc1ec0cbe78..f3a31049a8c731 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx @@ -82,7 +82,7 @@ example.com CAA 0 issue "ssl.com" example.com CAA 0 issuewild "ssl.com" ``` -More details can be found on the [CAA records FAQ](/ssl/edge-certificates/troubleshooting/caa-records/). +For more details, refer to [CAA records FAQ](/ssl/faq/#caa-records). *** diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx index 5092172ee7a695..2d30dd60422e66 100644 
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx @@ -84,4 +84,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you have a `CAA` record, verify that it permits SSL certificates to be issued by Google Trust Services (`pki.goog`). -For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare). +For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/). diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx index 0ef3b1d26f253e..4a7d4597dba598 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx @@ -74,4 +74,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you do have a `CAA` record, check that it permits SSL certificates to be issued by `letsencrypt.org`. -For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare). +For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/). diff --git a/src/content/docs/fundamentals/reference/troubleshooting.mdx b/src/content/docs/fundamentals/reference/troubleshooting.mdx index 5a1623f508b4e9..802b8456821b57 100644 --- a/src/content/docs/fundamentals/reference/troubleshooting.mdx +++ b/src/content/docs/fundamentals/reference/troubleshooting.mdx 
@@ -41,14 +41,14 @@ When you [set up Cloudflare](/fundamentals/account/), you may experience the fol ## General resources * [DNS FAQ](/dns/faq/) -* [SSL/TLS FAQ](/ssl/troubleshooting/faq/) +* [SSL/TLS FAQ](/ssl/faq/) ## Is Cloudflare attacking me Two common scenarios falsely lead to the perception that Cloudflare is attacking your site: -* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests. -* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). +* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests. +* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from [Cloudflare IP addresses](https://www.cloudflare.com/ips/). In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare's network. diff --git a/src/content/docs/pages/configuration/custom-domains.mdx b/src/content/docs/pages/configuration/custom-domains.mdx index 75fcc6331caf46..85046ca6615854 100644 --- a/src/content/docs/pages/configuration/custom-domains.mdx +++ b/src/content/docs/pages/configuration/custom-domains.mdx 
@@ -102,7 +102,7 @@ example.com. 300 IN CAA 0 issuewild "pki.goog; cansignht example.com. 300 IN CAA 0 issuewild "ssl.com" ``` -Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/edge-certificates/troubleshooting/caa-records/) for more information. +Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/faq/#caa-records) for more information. ### Change DNS entry away from Pages and then back again diff --git a/src/content/docs/ssl/edge-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/index.mdx index 7833b2f32464f9..bc19bdcbb4725f 100644 --- a/src/content/docs/ssl/edge-certificates/index.mdx +++ b/src/content/docs/ssl/edge-certificates/index.mdx @@ -16,6 +16,15 @@ Consider the information below for guidance on how to choose different edge cert If you are not familiar with what SSL/TLS certificates are, refer to [Concepts](/ssl/concepts/). +:::note +Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`). + +This behavior occurs when all of the following conditions are true: + +* The zone is on a [subdomain setup](/dns/zone-setups/subdomain-setup/). +* The certificate has a subject or SAN that is a wildcard for the zone's parent domain. +::: + ## Use cases ### Simplify issuance and renewal 
@@ -40,4 +49,4 @@ If you already have Advanced Certificate Manager, use the API to set up custom c If you want to use Cloudflare but manage DNS externally ([partial setup](/dns/zone-setups/partial-setup/)), you may need to perform [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/) to prove that you have control over your domain before your SSL/TLS certificate can be issued. -To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). +To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx deleted file mode 100644 index 62ad42189a7aba..00000000000000 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -pcx_content_type: faq -title: CAs and certificates FAQ -head: - - tag: title - content: CAs and edge certificates FAQ -description: Get answers to commonly asked questions about the certificates you - can obtain through Cloudflare and the CAs that Cloudflare partners with. - ---- - -Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with. - -## General - -### Does Cloudflare issue both RSA and ECDSA certificates? - -Yes. Cloudflare can issue both RSA and ECDSA certificates. - -## Certificate authorities (CAs) - -### Which certificate authorities does Cloudflare use? - -Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, and Sectigo. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). - -Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/). - -### Are there any CA limitations I should know about? - -You can find a list of limitations for every CA in our pipeline in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). - -### What clients are supported by the CAs that Cloudflare offers? - -In the [certificate authorities reference page](/ssl/reference/certificate-authorities/), you can find information about device and browser compatibility. - -### I do not want to use one of the CAs that Cloudflare partners with. What can I do? - -If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. - -### What CAA records do I need in order to allow issuance from Cloudflare CAs? - -You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](/ssl/reference/certificate-authorities/#caa-records). 
If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. - -### I am missing the CAs that Cloudflare uses in my trust store. What should I do? - -You can use Cloudflare [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. - -## Universal SSL - -### I am using Universal SSL and I would like to use a different CA. How can I do that? - -To be able to specify a CA, you must purchase [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/). Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate or you can choose a default CA when using [Total TLS](/ssl/edge-certificates/additional-options/total-tls/). - -If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you. - -### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates? - -Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. - -## Advanced Certificate Manager - -### How can I choose which CA will be used for my certificates? - -When [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/), you can choose the CA through the UI or API. - -[Total TLS](/ssl/edge-certificates/additional-options/total-tls/) allows you to get full certificate coverage. When enabling Total TLS, you can choose the CA that will be used for all Total TLS certificates. - -## Renewal - -### Error when clicking `Approve Certificate` on a Certificate Approval renewal email - -The full error message is: `An error occurred while attempting to validate your domain. 
Please try again later or contact support for assistance.` - -Check the status of the certificate on the [Cloudflare dashboard](https://dash.cloudflare.com?to=/:account/:zone/ssl-tls). If the status is `Active`, you can disregard this email and the error message. diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx deleted file mode 100644 index b9560c3dc3666b..00000000000000 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx +++ /dev/null @@ -1,37 +0,0 @@ ---- -pcx_content_type: faq -source: https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ -title: Certification Authority Authorization (CAA) FAQ ---- - -import { Render } from "~/components"; - -The following page answers common questions about Certification Authority Authorization (CAA) records. - ---- - -## What is CAA and how can I create one? - -
- -For more details, refer to [Create CAA records](/ssl/edge-certificates/caa-records/). - ---- - -## How does Cloudflare evaluate CAA records? - -CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se). - -Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/). - ---- - -## What are the dangers of setting CAA records? - -If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization. - ---- - -## What CAA records are added by Cloudflare? - - diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx deleted file mode 100644 index 79e419686914f0..00000000000000 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx +++ /dev/null @@ -1,20 +0,0 @@ ---- -pcx_content_type: navigation -title: Troubleshooting -sidebar: - order: 12 - group: - hideIndex: true -head: - - tag: title - content: Troubleshooting edge certificates - ---- - -import { DirectoryListing } from "~/components" - -Learn more about troubleshooting issues with your edge certificates: - - - -* [Troubleshooting domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/troubleshooting/) 
diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx index 05a0e9d69003f0..c406689528114c 100644 --- a/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx +++ b/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx @@ -65,3 +65,12 @@ Due to internal limitations, Universal SSL certificates do not cover [load balan ## Browser support For more on browser support, see [Browser compatibility](/ssl/reference/browser-compatibility/). + +## SSL invalid brand check + +Some domains are not eligible for Universal SSL if they contain words that conflict with trademarked domains. + +To resolve this issue, you can: + +* Purchase an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/). +* Upload your own [custom certificate](/ssl/edge-certificates/custom-certificates/uploading/). \ No newline at end of file diff --git a/src/content/docs/ssl/faq.mdx b/src/content/docs/ssl/faq.mdx new file mode 100644 index 00000000000000..3b07b8ca622e06 --- /dev/null +++ b/src/content/docs/ssl/faq.mdx 
@@ -0,0 +1,93 @@ +--- +pcx_content_type: faq +title: SSL/TLS FAQ +description: Get answers to commonly asked questions about the certificates you + can obtain through Cloudflare and the CAs that Cloudflare partners with. +sidebar: + label: FAQ + order: 23 +--- + +import { Render } from "~/components"; + +Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with. + +--- + +## General + +### Does Cloudflare issue both RSA and ECDSA certificates? + +Yes. Cloudflare can issue both RSA and ECDSA certificates. + +### Are Cloudflare SSL certificates shared? + +No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers. + +### If I have multiple Cloudflare certificates, which one is used? + +Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). + +### Why do I see a Cloudflare certificate when an SSL certificate is installed at my website? + +Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). + +--- + +## Certificate authorities (CAs) + +### Which certificate authorities does Cloudflare use? + +Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, and Sectigo. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). + +Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/). + +### Are there any CA limitations I should know about? 
+ +Refer to the [certificate authorities reference page](/ssl/reference/certificate-authorities/) for a list of limitations for every CA in our pipeline. There you can also find information about device and browser compatibility. + +### I do not want to use the CAs that Cloudflare partners with. What can I do? + +If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. + +### I am missing the CAs that Cloudflare uses in my trust store. What should I do? + +You can use [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. + +--- + +## CAA records + +### What is CAA and how can I create one? + +
+ +For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/). + +### How does Cloudflare evaluate CAA records? + +CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se). + +Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/). + +### What are the dangers of setting CAA records? + +If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization. + +### What CAA records do I need to allow issuance from Cloudflare CAs? + +You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](/ssl/reference/certificate-authorities/#caa-records). If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. + +--- + +## Universal SSL + +### I am using Universal SSL and I would like to use a different CA. How can I do that? + +To be able to specify a CA, you must purchase [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/). Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate or you can choose a default CA when using [Total TLS](/ssl/edge-certificates/additional-options/total-tls/). 
+ +If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you. + +### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates? + +Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. diff --git a/src/content/docs/ssl/get-started.mdx b/src/content/docs/ssl/get-started.mdx index 5b6d569c990801..683248c7e8f28a 100644 --- a/src/content/docs/ssl/get-started.mdx +++ b/src/content/docs/ssl/get-started.mdx @@ -49,6 +49,10 @@ Note that some encryption modes will require you to have a valid [origin certifi +## SEO considerations + +Using HTTPS can improve user trust and may be used as a ranking signal by search engines. For related guidance, refer to [Improve SEO](/fundamentals/performance/improve-seo/). + ## Optional - Enable additional features diff --git a/src/content/docs/ssl/reference/browser-compatibility.mdx b/src/content/docs/ssl/reference/browser-compatibility.mdx index 2ebcb8b05a7207..d2506da36a5c10 100644 --- a/src/content/docs/ssl/reference/browser-compatibility.mdx +++ b/src/content/docs/ssl/reference/browser-compatibility.mdx 
@@ -45,4 +45,10 @@ If your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), [p :::caution Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling Universal SSL, for example, could impact this behavior. -::: \ No newline at end of file +::: + +## OCSP and HTTP versions + +Cloudflare's OCSP implementation uses HTTP/1.1 by default for plain HTTP connections. + +For HTTPS connections, the client automatically attempts to use HTTP/2 if the server supports it through the TLS ALPN (Application-Layer Protocol Negotiation) extension. If HTTP/2 is not available or supported by the server, it will fall back to HTTP/1.1. \ No newline at end of file diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index c1f163f186ea12..b2cc3544767b15 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -41,6 +41,7 @@ For Universal certificates, Cloudflare controls the validity periods and certifi - Hostname on certificate can contain up to 10 levels of subdomains. - Duplicate certificate limit of [5 certificates](https://letsencrypt.org/docs/rate-limits/) per week. +- Redsys[^1] is not compatible with Let's Encrypt certificates. If you use Redsys and find issues with Let's Encrypt certificates, order an advanced certificate or upload a custom certificate to use a different CA. #### Browser compatibility @@ -137,3 +138,5 @@ The following table lists the CAA record content for each CA: | Google Trust Services | `pki.goog; cansignhttpexchanges=yes` | | SSL.com | `ssl.com` | | Sectigo | `sectigo.com` | + +[^1]: A payment gateway used with some ecommerce plugins. \ No newline at end of file 
diff --git a/src/content/docs/ssl/reference/protocols.mdx b/src/content/docs/ssl/reference/protocols.mdx index 43394e0baca57e..b576fa0d4a635c 100644 --- a/src/content/docs/ssl/reference/protocols.mdx +++ b/src/content/docs/ssl/reference/protocols.mdx @@ -18,6 +18,7 @@ Cloudflare supports the following TLS protocols: TLS 1.0 is the [version that Cloudflare sets by default](/ssl/edge-certificates/additional-options/minimum-tls/) for all customers using certificate-based encryption. For information about which cipher suites are supported between clients and the Cloudflare network, refer to [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/). + ## Understand TLS versions A higher TLS version implies a stronger cryptographic standard. TLS 1.2 includes fixes for known vulnerabilities found in previous versions. @@ -26,6 +27,12 @@ As of June 2018, TLS 1.2 is the version required by the Payment Card Industry (P [TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/), which offers additional security and performance improvements, was approved by the Internet Engineering Task Force (IETF) in May 2018. +:::note[PayPal's TLS 1.2 requirement] + +Using Cloudflare does not affect PayPal's TLS 1.2 requirement. However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](/ssl/edge-certificates/additional-options/tls-13/). If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to 1.2. + +::: + ## Decide which version to use TLS 1.3 has become widely adopted. As a general rule, Cloudflare recommends setting TLS to 1.3, as it will provide the best security. diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx deleted file mode 100644 index c0670681714af8..00000000000000 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -pcx_content_type: faq -title: FAQ -head: - - tag: title - content: General FAQ - ---- - -import { GlossaryTooltip } from "~/components" - -The following provide answers to the most common questions associated with Cloudflare SSL/TLS certificates and settings. - -## If I have multiple Cloudflare certificates, which one is used? - -Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. - -For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). - -:::caution - - -Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`). - -This behavior occurs when all of the following conditions are true: - -* The zone is on a [subdomain setup](/dns/zone-setups/subdomain-setup/). -* The certificate has a subject or SAN that is a wildcard for the zone's parent domain. - - -::: - -*** - -## Will having Cloudflare's SSL help with SEO? - -Yes, Google announced that they use [HTTPS as a ranking signal for SEO](https://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html). - -For further SEO tweaks, refer to our article on [improving SEO Rankings with Cloudflare](/fundamentals/performance/improve-seo/). - -*** - -## How long does it take for Cloudflare's SSL to activate? - -If Cloudflare is your [authoritative DNS provider](/dns/zone-setups/full-setup), Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. 
- -Alternatively, if you use [Cloudflare services via `CNAME` records](/dns/zone-setups/partial-setup) set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of [DNS verification records](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup) at your authoritative DNS provider. [Advanced SSL certificates](/ssl/edge-certificates/advanced-certificate-manager/) also typically issue within 15 minutes. - -If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue. - -*** - -## What does SSL invalid brand check mean? - -Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains. - -To resolve this issue, you can: - -* Purchase an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/). -* Upload your own [custom certificate](/ssl/edge-certificates/custom-certificates/uploading/). - -*** - -## Does Cloudflare SSL support Internationalized Domain Names (IDN)? - -The double byte / IDN / punycode domains support for Cloudflare edge certificates depends on the [certificate authority (CA)](/ssl/reference/certificate-authorities). -Google Trust Services does not support punycode domains as mentioned in the [certificate authorities limitations](/ssl/reference/certificate-authorities/#limitations-1). - -*** - -## How do I redirect all visitors to HTTPS/SSL? - -Refer to [Encrypt all visitor traffic](/ssl/edge-certificates/encrypt-visitor-traffic/). - -*** - -## Does SSL work for hosting partners? - -A free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner using both [primary (full)](/dns/zone-setups/full-setup/) and CNAME (partial) setups. - -For more details, refer to [Enable Universal SSL certificates](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/). 
- -:::note - - -For domains added to Cloudflare prior to December 9, 2016, the hosting -partner must delete and re-add the domain to Cloudflare to provision the -SSL certificate. - - -::: - -*** - -## Are Cloudflare SSL certificates shared? - -No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers. - -*** - -## Why do I see a Cloudflare certificate when an SSL certificate is installed at my website? - -Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). - -*** - -## I want Cloudflare to use an SSL certificate that I purchased elsewhere. - -Domains on Business and Enterprise plans can upload a [Custom SSL certificate](/ssl/edge-certificates/custom-certificates). - -*** - -## Does enabling Cloudflare affect PayPal's TLS 1.2 requirement? - -No. Since Cloudflare does not proxy connections made directly to `paypal.com`, enabling Cloudflare for your domain does not affect how TLS connections are made. - -However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](/ssl/edge-certificates/additional-options/tls-13/) if you have it enabled on your zone. -If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. - -*** - -## Does Cloudflare support TLS client authentication? - -Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). - -*** - -## How do I obtain an SSL certificate for customers on partial (CNAME) setup? - -A [partial DNS setup](/dns/zone-setups/partial-setup/) requires additional steps to provision and validate an SSL certificate. 
- -For more details, refer to [Enable Universal SSL](/ssl/edge-certificates/universal-ssl/enable-universal-ssl#partial-dns-setup). - -*** - -## Can I use Certificate Pinning? - -No. Multiple industry leaders — including [Digicert](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and [Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) — have discouraged certificate pinning because of security concerns. - -For a safer alternative, use [Certificate Transparency Monitoring](/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/). - -Refer to [Certificate pinning](/ssl/reference/certificate-pinning/) for more details. - -*** - -## Where can I learn more about SSL? - -To learn more about SSL, go to the [Cloudflare Learning Center](https://www.cloudflare.com/learning/ssl/what-is-ssl/). - -*** - -## Redsys is not working with my Let's Encrypt Certificate. - -The Let's Encrypt Certificate Authority and SNI are not currently supported by Redsys. - -We recommend one of the following options: - -* Change the Universal Certificate Authority to a different CA. -* Add an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) or [custom certificate](/ssl/edge-certificates/custom-certificates/) using a different CA. - -*** - -## What is the HTTP version used for OCSP? - -Our OCSP implementation uses HTTP/1.1 by default for plain HTTP connections. - -For HTTPS connections, the client automatically attempts to use HTTP/2 if the server supports it through the TLS ALPN (Application-Layer Protocol Negotiation) extension. If HTTP/2 is not available or supported by the server, it will fall back to HTTP/1.1. \ No newline at end of file diff --git a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx index fa49b1e6b7a332..ad81bd6e215578 100644 --- a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx 
+++ b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx @@ -156,3 +156,17 @@ openssl s_client -connect example.com:443 -servername example.com version ## Kaspersky Antivirus To avoid SSL errors with the Cloudflare dashboard when using Kaspersky Antivirus, allow `dash.cloudflare.com` in Kaspersky. + +--- + +## Certificate Approval renewal email + +### Symptom + +When clicking `Approve Certificate` on a Certificate Approval renewal email, you get the following error message: + +`An error occurred while attempting to validate your domain. Please try again later or contact support for assistance.` + +### Resolution + +Check the status of the certificate on the [Cloudflare dashboard](https://dash.cloudflare.com?to=/:account/:zone/ssl-tls). If the status is `Active`, you can disregard this email and the error message. \ No newline at end of file diff --git a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx index 62320c7ba759e3..e2b23fb5e20b66 100644 --- a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx +++ b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx 
@@ -92,11 +92,11 @@ Cloudflare provides a SANs wildcard certificate with all paid plans, and a SNI w If you don't know what this means, navigate to the **Overview** tab of the **SSL/TLS** app in your Cloudflare dashboard. Select *Flexible* mode to serve your site over HTTPS to all public visitors. -Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS (e.g., visitors will see HTTPS prefixed to your domain name in the browser bar). +Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS. Visitors will see HTTPS prefixed to your domain name in the browser bar. ### Step 4b - Force all traffic over HTTPS -To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect.  To configure this, consult: [How do I redirect all visitors to HTTPS/SSL?](/ssl/troubleshooting/faq/#how-do-i-redirect-all-visitors-to-httpsssl) +To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect. To configure this, refer to [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/). You can then use a cURL command to verify that all requests are being forced over HTTPS. diff --git a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx index 8ab2817f251e91..5211341533b5d5 100644 --- a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx +++ b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx 
@@ -64,7 +64,7 @@ Cloudflare uses `SameSite=None` in the `cf_clearance` cookie so that visitor req Using the `Secure` flag requires sending the cookie via an HTTPS connection. If you use HTTP on any part of your website, the `cf_clearance` cookie defaults to `SameSite=Lax`, which may cause your website not to function properly. -To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose:  +To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose: - [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/) - [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) @@ -73,8 +73,8 @@ To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two ## Related resources -- [SameSite cookies explained](https://web.dev/samesite-cookies-explained/)  +- [SameSite cookies explained](https://web.dev/samesite-cookies-explained/) - [Cloudflare Cookies](/fundamentals/reference/policies-compliances/cloudflare-cookies/) -- [Cloudflare SSL FAQ](/ssl/troubleshooting/faq/) +- [Cloudflare SSL FAQ](/ssl/faq/) - [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/) - [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/)
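Review bot: The deleted FAQ page (the all-`-` region covering "Alternatively, if you use Cloudflare services via `CNAME` records" through "What is the HTTP version used for OCSP?") is removed here, but no hunk in this diff creates the `/ssl/faq/` page that the other hunks now link to, so please confirm the new page is part of this change set and that the removed answers (Redsys and Let's Encrypt, PayPal IPN and TLS 1.3, the OCSP HTTP version note, the invalid brand check) were moved there rather than dropped. Inbound links also use heading anchors on the old page (the Heroku hunk shows `/ssl/troubleshooting/faq/#how-do-i-redirect-all-visitors-to-httpsssl`), and a path-level redirect only preserves those if the new page keeps the same heading text and generated IDs, so either re-point every anchored link as the Heroku hunk does or keep the headings identical on `/ssl/faq/`.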
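Review bot: In the `general-ssl-errors.mdx` hunk the new "Resolution" covers only the case where the certificate status is `Active`; a reader whose status is anything else is left without a next step, so add a sentence for that case (for example, pointing to the validation documentation or to support) rather than ending on "you can disregard this email". It is also worth stating explicitly that the dashboard, not the email, is the authoritative place to check certificate status, since the whole section is about an email link that fails. Two smaller points: the heading "Certificate Approval renewal email" mixes casing next to "Kaspersky Antivirus", and both the removed and added versions of the file end with "No newline at end of file", which this hunk could fix while touching the file.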
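Review bot: In the `configure-cloudflare-and-heroku-over-https.mdx` hunk, the retained sentence "To ensure all traffic to your site is encrypted" sits directly after the instruction to select *Flexible* mode, and the new link target (Always Use HTTPS) only redirects visitors to HTTPS; neither changes the Cloudflare-to-origin leg, which under Flexible mode is still plain HTTP. Suggest narrowing the wording to "all visitor traffic" and adding a pointer to the encryption modes page (`/ssl/origin-configuration/ssl-modes/`, already linked from the removed FAQ) for readers who need the origin leg encrypted as well. While editing this paragraph, the context line "Cloudflare provides a SANs wildcard certificate with all paid plans, and a SNI w..." should read "a SAN wildcard certificate" and "an SNI".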