From 29709f5d093b78826299eb8e02bc1d49038a9d1d Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 18 Feb 2026 14:29:34 +0000 Subject: [PATCH 01/12] Find and replace unstandardized spaces --- src/content/docs/ssl/troubleshooting/faq.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index c0670681714af8..b8881fcb214a31 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx @@ -13,7 +13,7 @@ The following provide answers to the most common questions associated with Cloud ## If I have multiple Cloudflare certificates, which one is used? -Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. +Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). 
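Review bot: the `-` and `+` lines in this hunk (faq.mdx `@@ -13,7 +13,7 @@`) read identically, so the actual change cannot be verified from the diff; state in the commit message which character is being replaced (a non-breaking space, if that is what "unstandardized spaces" refers to) so a reviewer can confirm the substitution, and say whether the replacement was applied repository-wide or only to this file.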
@@ -34,17 +34,17 @@ This behavior occurs when all of the following conditions are true: ## Will having Cloudflare's SSL help with SEO? -Yes, Google announced that they use [HTTPS as a ranking signal for SEO](https://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html). +Yes, Google announced that they use [HTTPS as a ranking signal for SEO](https://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html). -For further SEO tweaks, refer to our article on [improving SEO Rankings with Cloudflare](/fundamentals/performance/improve-seo/). +For further SEO tweaks, refer to our article on [improving SEO Rankings with Cloudflare](/fundamentals/performance/improve-seo/). *** ## How long does it take for Cloudflare's SSL to activate? -If Cloudflare is your [authoritative DNS provider](/dns/zone-setups/full-setup), Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. +If Cloudflare is your [authoritative DNS provider](/dns/zone-setups/full-setup), Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. -Alternatively, if you use [Cloudflare services via `CNAME` records](/dns/zone-setups/partial-setup) set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of [DNS verification records](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup) at your authoritative DNS provider. [Advanced SSL certificates](/ssl/edge-certificates/advanced-certificate-manager/) also typically issue within 15 minutes. 
+Alternatively, if you use [Cloudflare services via `CNAME` records](/dns/zone-setups/partial-setup) set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of [DNS verification records](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup) at your authoritative DNS provider. [Advanced SSL certificates](/ssl/edge-certificates/advanced-certificate-manager/) also typically issue within 15 minutes. If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue. 
@@ -100,19 +100,19 @@ No. Cloudflare SSL/TLS certificates are not shared across domains nor across cus ## Why do I see a Cloudflare certificate when an SSL certificate is installed at my website? -Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). +Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). *** ## I want Cloudflare to use an SSL certificate that I purchased elsewhere. -Domains on Business and Enterprise plans can upload a [Custom SSL certificate](/ssl/edge-certificates/custom-certificates). +Domains on Business and Enterprise plans can upload a [Custom SSL certificate](/ssl/edge-certificates/custom-certificates). *** ## Does enabling Cloudflare affect PayPal's TLS 1.2 requirement? -No. Since Cloudflare does not proxy connections made directly to `paypal.com`, enabling Cloudflare for your domain does not affect how TLS connections are made. +No. Since Cloudflare does not proxy connections made directly to `paypal.com`, enabling Cloudflare for your domain does not affect how TLS connections are made. However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](/ssl/edge-certificates/additional-options/tls-13/) if you have it enabled on your zone. If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. 
@@ -121,7 +121,7 @@ If you are encountering issues with PayPal IPN when the traffic is proxied by Cl ## Does Cloudflare support TLS client authentication? -Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). +Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). *** From 1fcc5e219096b81e2c274245412cd8cd9ac844b2 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 18 Feb 2026 15:11:09 +0000 Subject: [PATCH 02/12] Identify and remove questions already covered elsewhere --- src/content/docs/ssl/troubleshooting/faq.mdx | 47 +------------------- 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index b8881fcb214a31..71fe1fec952d66 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx @@ -13,7 +13,7 @@ The following provide answers to the most common questions associated with Cloud ## If I have multiple Cloudflare certificates, which one is used? -Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. +Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). 
@@ -40,16 +40,6 @@ For further SEO tweaks, refer to our article on [improving SEO Rankings with Clo *** -## How long does it take for Cloudflare's SSL to activate? - -If Cloudflare is your [authoritative DNS provider](/dns/zone-setups/full-setup), Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. - -Alternatively, if you use [Cloudflare services via `CNAME` records](/dns/zone-setups/partial-setup) set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of [DNS verification records](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup) at your authoritative DNS provider. [Advanced SSL certificates](/ssl/edge-certificates/advanced-certificate-manager/) also typically issue within 15 minutes. - -If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue. - -*** - ## What does SSL invalid brand check mean? Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains. 
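Review bot: neither the commit message nor this hunk says where the deleted activation-time answer now lives, although it carries specifics a reader will look for (typical issuance within 15 minutes, the DNS verification records needed on a `CNAME` partial setup, and issuance taking more than 24 hours when the CA performs a brand, phishing or TLD review); name the destination page in the commit message so "already covered elsewhere" can be checked, and add a redirect for the removed `## How long does it take for Cloudflare's SSL to activate?` anchor, since FAQ headings like this are commonly deep-linked.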
@@ -61,19 +51,6 @@ To resolve this issue, you can: *** -## Does Cloudflare SSL support Internationalized Domain Names (IDN)? - -The double byte / IDN / punycode domains support for Cloudflare edge certificates depends on the [certificate authority (CA)](/ssl/reference/certificate-authorities). -Google Trust Services does not support punycode domains as mentioned in the [certificate authorities limitations](/ssl/reference/certificate-authorities/#limitations-1). - -*** - -## How do I redirect all visitors to HTTPS/SSL? - -Refer to [Encrypt all visitor traffic](/ssl/edge-certificates/encrypt-visitor-traffic/). - -*** - ## Does SSL work for hosting partners? A free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner using both [primary (full)](/dns/zone-setups/full-setup/) and CNAME (partial) setups. @@ -119,12 +96,6 @@ If you are encountering issues with PayPal IPN when the traffic is proxied by Cl *** -## Does Cloudflare support TLS client authentication? - -Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). - -*** - ## How do I obtain an SSL certificate for customers on partial (CNAME) setup? A [partial DNS setup](/dns/zone-setups/partial-setup/) requires additional steps to provision and validate an SSL certificate. 
@@ -133,22 +104,6 @@ For more details, refer to [Enable Universal SSL](/ssl/edge-certificates/univers *** -## Can I use Certificate Pinning? - -No. Multiple industry leaders — including [Digicert](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) and [Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) — have discouraged certificate pinning because of security concerns. - -For a safer alternative, use [Certificate Transparency Monitoring](/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/). - -Refer to [Certificate pinning](/ssl/reference/certificate-pinning/) for more details. - -*** - -## Where can I learn more about SSL? - -To learn more about SSL, go to the [Cloudflare Learning Center](https://www.cloudflare.com/learning/ssl/what-is-ssl/). - -*** - ## Redsys is not working with my Let's Encrypt Certificate. The Let's Encrypt Certificate Authority and SNI are not currently supported by Redsys. From 22899ddea50ec9e7b966ab4748fbabb8e3ddb906 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 18 Feb 2026 15:44:51 +0000 Subject: [PATCH 03/12] Move SEO question into ssl/get-started.mdx --- src/content/docs/ssl/get-started.mdx | 4 ++++ src/content/docs/ssl/troubleshooting/faq.mdx | 8 -------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/src/content/docs/ssl/get-started.mdx b/src/content/docs/ssl/get-started.mdx index 5b6d569c990801..683248c7e8f28a 100644 --- a/src/content/docs/ssl/get-started.mdx +++ b/src/content/docs/ssl/get-started.mdx @@ -49,6 +49,10 @@ Note that some encryption modes will require you to have a valid [origin certifi +## SEO considerations + +Using HTTPS can improve user trust and may be used as a ranking signal by search engines. For related guidance, refer to [Improve SEO](/fundamentals/performance/improve-seo/). + ## Optional - Enable additional features 
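Review bot: the new "SEO considerations" paragraph in get-started.mdx drops the source that the deleted FAQ answer cited (Google's announcement of HTTPS as a ranking signal); keep that link next to "may be used as a ranking signal by search engines" so the claim stays sourced. The neighbouring headings in this file are procedural steps (`## Optional - Enable additional features`), so check that a standalone H2 here does not read as a required setup step.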
diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index 71fe1fec952d66..2daa771ff70c3f 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx @@ -32,14 +32,6 @@ This behavior occurs when all of the following conditions are true: *** -## Will having Cloudflare's SSL help with SEO? - -Yes, Google announced that they use [HTTPS as a ranking signal for SEO](https://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html). - -For further SEO tweaks, refer to our article on [improving SEO Rankings with Cloudflare](/fundamentals/performance/improve-seo/). - -*** - ## What does SSL invalid brand check mean? Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains. From 2949be192ed1bb58b284df60f111f4df968811bd Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 20 Feb 2026 17:06:36 +0000 Subject: [PATCH 04/12] Move evergreen questions to ca-faq and distribute others to TS or reference --- .../docs/ssl/edge-certificates/index.mdx | 11 +++- .../troubleshooting/ca-faq.mdx | 20 +++--- .../universal-ssl/limitations.mdx | 9 +++ .../ssl/reference/browser-compatibility.mdx | 8 ++- src/content/docs/ssl/troubleshooting/faq.mdx | 66 +------------------ .../troubleshooting/general-ssl-errors.mdx | 14 ++++ 6 files changed, 53 insertions(+), 75 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/index.mdx index 7833b2f32464f9..bc19bdcbb4725f 100644 --- a/src/content/docs/ssl/edge-certificates/index.mdx +++ b/src/content/docs/ssl/edge-certificates/index.mdx 
@@ -16,6 +16,15 @@ Consider the information below for guidance on how to choose different edge cert If you are not familiar with what SSL/TLS certificates are, refer to [Concepts](/ssl/concepts/). +:::note +Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`). + +This behavior occurs when all of the following conditions are true: + +* The zone is on a [subdomain setup](/dns/zone-setups/subdomain-setup/). +* The certificate has a subject or SAN that is a wildcard for the zone's parent domain. +::: + ## Use cases ### Simplify issuance and renewal @@ -40,4 +49,4 @@ If you already have Advanced Certificate Manager, use the API to set up custom c If you want to use Cloudflare but manage DNS externally ([partial setup](/dns/zone-setups/partial-setup/)), you may need to perform [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/) to prove that you have control over your domain before your SSL/TLS certificate can be issued. -To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). +To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx index 62ad42189a7aba..b8856e96eeef60 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx 
@@ -17,6 +17,18 @@ Refer to this page for frequently asked questions about Cloudflare SSL/TLS certi Yes. Cloudflare can issue both RSA and ECDSA certificates. +### Are Cloudflare SSL certificates shared? + +No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers. + +### If I have multiple Cloudflare certificates, which one is used? + +Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). + +### Why do I see a Cloudflare certificate when an SSL certificate is installed at my website? + +Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). + ## Certificate authorities (CAs) ### Which certificate authorities does Cloudflare use? @@ -64,11 +76,3 @@ Universal certificates on free zones only receive an ECDSA certificate. Paid zon When [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/), you can choose the CA through the UI or API. [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) allows you to get full certificate coverage. When enabling Total TLS, you can choose the CA that will be used for all Total TLS certificates. - -## Renewal - -### Error when clicking `Approve Certificate` on a Certificate Approval renewal email - -The full error message is: `An error occurred while attempting to validate your domain. Please try again later or contact support for assistance.` - -Check the status of the certificate on the [Cloudflare dashboard](https://dash.cloudflare.com?to=/:account/:zone/ssl-tls). If the status is `Active`, you can disregard this email and the error message. 
diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx index 05a0e9d69003f0..c406689528114c 100644 --- a/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx +++ b/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx @@ -65,3 +65,12 @@ Due to internal limitations, Universal SSL certificates do not cover [load balan ## Browser support For more on browser support, see [Browser compatibility](/ssl/reference/browser-compatibility/). + +## SSL invalid brand check + +Some domains are not eligible for Universal SSL if they contain words that conflict with trademarked domains. + +To resolve this issue, you can: + +* Purchase an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/). +* Upload your own [custom certificate](/ssl/edge-certificates/custom-certificates/uploading/). \ No newline at end of file diff --git a/src/content/docs/ssl/reference/browser-compatibility.mdx b/src/content/docs/ssl/reference/browser-compatibility.mdx index 2ebcb8b05a7207..d2506da36a5c10 100644 --- a/src/content/docs/ssl/reference/browser-compatibility.mdx +++ b/src/content/docs/ssl/reference/browser-compatibility.mdx 
@@ -45,4 +45,10 @@ If your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), [p :::caution Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling Universal SSL, for example, could impact this behavior. -::: \ No newline at end of file +::: + +## OCSP and HTTP versions + +Cloudflare's OCSP implementation uses HTTP/1.1 by default for plain HTTP connections. + +For HTTPS connections, the client automatically attempts to use HTTP/2 if the server supports it through the TLS ALPN (Application-Layer Protocol Negotiation) extension. If HTTP/2 is not available or supported by the server, it will fall back to HTTP/1.1. \ No newline at end of file diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index 2daa771ff70c3f..602c306ec0a306 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx 
@@ -11,36 +11,6 @@ import { GlossaryTooltip } from "~/components" The following provide answers to the most common questions associated with Cloudflare SSL/TLS certificates and settings. -## If I have multiple Cloudflare certificates, which one is used? - -Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. - -For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/). - -:::caution - - -Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`). - -This behavior occurs when all of the following conditions are true: - -* The zone is on a [subdomain setup](/dns/zone-setups/subdomain-setup/). -* The certificate has a subject or SAN that is a wildcard for the zone's parent domain. - - -::: - -*** - -## What does SSL invalid brand check mean? - -Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains. - -To resolve this issue, you can: - -* Purchase an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/). -* Upload your own [custom certificate](/ssl/edge-certificates/custom-certificates/uploading/). - *** ## Does SSL work for hosting partners? 
@@ -61,24 +31,6 @@ SSL certificate. *** -## Are Cloudflare SSL certificates shared? - -No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers. - -*** - -## Why do I see a Cloudflare certificate when an SSL certificate is installed at my website? - -Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). - -*** - -## I want Cloudflare to use an SSL certificate that I purchased elsewhere. - -Domains on Business and Enterprise plans can upload a [Custom SSL certificate](/ssl/edge-certificates/custom-certificates). - -*** - ## Does enabling Cloudflare affect PayPal's TLS 1.2 requirement? No. Since Cloudflare does not proxy connections made directly to `paypal.com`, enabling Cloudflare for your domain does not affect how TLS connections are made. @@ -88,14 +40,6 @@ If you are encountering issues with PayPal IPN when the traffic is proxied by Cl *** -## How do I obtain an SSL certificate for customers on partial (CNAME) setup? - -A [partial DNS setup](/dns/zone-setups/partial-setup/) requires additional steps to provision and validate an SSL certificate. - -For more details, refer to [Enable Universal SSL](/ssl/edge-certificates/universal-ssl/enable-universal-ssl#partial-dns-setup). - -*** - ## Redsys is not working with my Let's Encrypt Certificate. The Let's Encrypt Certificate Authority and SNI are not currently supported by Redsys. 
@@ -103,12 +47,4 @@ The Let's Encrypt Certificate Authority and SNI are not currently supported by R We recommend one of the following options: * Change the Universal Certificate Authority to a different CA. -* Add an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) or [custom certificate](/ssl/edge-certificates/custom-certificates/) using a different CA. - -*** - -## What is the HTTP version used for OCSP? - -Our OCSP implementation uses HTTP/1.1 by default for plain HTTP connections. - -For HTTPS connections, the client automatically attempts to use HTTP/2 if the server supports it through the TLS ALPN (Application-Layer Protocol Negotiation) extension. If HTTP/2 is not available or supported by the server, it will fall back to HTTP/1.1. \ No newline at end of file +* Add an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) or [custom certificate](/ssl/edge-certificates/custom-certificates/) using a different CA. \ No newline at end of file diff --git a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx index fa49b1e6b7a332..ad81bd6e215578 100644 --- a/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx +++ b/src/content/docs/ssl/troubleshooting/general-ssl-errors.mdx 
@@ -156,3 +156,17 @@ openssl s_client -connect example.com:443 -servername example.com version ## Kaspersky Antivirus To avoid SSL errors with the Cloudflare dashboard when using Kaspersky Antivirus, allow `dash.cloudflare.com` in Kaspersky. + +--- + +## Certificate Approval renewal email + +### Symptom + +When clicking `Approve Certificate` on a Certificate Approval renewal email, you get the following error message: + +`An error occurred while attempting to validate your domain. Please try again later or contact support for assistance.` + +### Resolution + +Check the status of the certificate on the [Cloudflare dashboard](https://dash.cloudflare.com?to=/:account/:zone/ssl-tls). If the status is `Active`, you can disregard this email and the error message. \ No newline at end of file From 1b3300bf4e1fa33550713425ecb2718a04e15e3b Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 23 Feb 2026 17:00:39 +0000 Subject: [PATCH 05/12] Delete/keep remaining questions after checking with CSUP --- .../ssl/reference/certificate-authorities.mdx | 3 ++ src/content/docs/ssl/reference/protocols.mdx | 7 ++++ src/content/docs/ssl/troubleshooting/faq.mdx | 39 ------------------- 3 files changed, 10 insertions(+), 39 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index c1f163f186ea12..b2cc3544767b15 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx 
@@ -41,6 +41,7 @@ For Universal certificates, Cloudflare controls the validity periods and certifi - Hostname on certificate can contain up to 10 levels of subdomains. - Duplicate certificate limit of [5 certificates](https://letsencrypt.org/docs/rate-limits/) per week. +- Redsys[^1] is not compatible with Let's Encrypt certificates. If you use Redsys and find issues with Let's Encrypt certificates, order an advanced certificate or upload a custom certificate to use a different CA. #### Browser compatibility @@ -137,3 +138,5 @@ The following table lists the CAA record content for each CA: | Google Trust Services | `pki.goog; cansignhttpexchanges=yes` | | SSL.com | `ssl.com` | | Sectigo | `sectigo.com` | + +[^1]: A payment gateway used with some ecommerce plugins. \ No newline at end of file diff --git a/src/content/docs/ssl/reference/protocols.mdx b/src/content/docs/ssl/reference/protocols.mdx index 43394e0baca57e..b576fa0d4a635c 100644 --- a/src/content/docs/ssl/reference/protocols.mdx +++ b/src/content/docs/ssl/reference/protocols.mdx @@ -18,6 +18,7 @@ Cloudflare supports the following TLS protocols: TLS 1.0 is the [version that Cloudflare sets by default](/ssl/edge-certificates/additional-options/minimum-tls/) for all customers using certificate-based encryption. For information about which cipher suites are supported between clients and the Cloudflare network, refer to [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/). + ## Understand TLS versions A higher TLS version implies a stronger cryptographic standard. TLS 1.2 includes fixes for known vulnerabilities found in previous versions. 
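Review bot: the only change in the protocols.mdx hunk `@@ -18,6 +18,7 @@` is a blank line added after the cipher-suites sentence, which is unrelated to the PayPal note this patch describes; drop it so the diff is limited to the content change.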
@@ -26,6 +27,12 @@ As of June 2018, TLS 1.2 is the version required by the Payment Card Industry (P [TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/), which offers additional security and performance improvements, was approved by the Internet Engineering Task Force (IETF) in May 2018. +:::note[PayPal's TLS 1.2 requirement] + +Using Cloudflare does not affect PayPal's TLS 1.2 requirement. However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](/ssl/edge-certificates/additional-options/tls-13/). If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to 1.2. + +::: + ## Decide which version to use TLS 1.3 has become widely adopted. As a general rule, Cloudflare recommends setting TLS to 1.3, as it will provide the best security. diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index 602c306ec0a306..786cd7c55b15e2 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx 
@@ -9,42 +9,3 @@ head: import { GlossaryTooltip } from "~/components" -The following provide answers to the most common questions associated with Cloudflare SSL/TLS certificates and settings. - -*** - -## Does SSL work for hosting partners? - -A free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner using both [primary (full)](/dns/zone-setups/full-setup/) and CNAME (partial) setups. - -For more details, refer to [Enable Universal SSL certificates](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/). - -:::note - - -For domains added to Cloudflare prior to December 9, 2016, the hosting -partner must delete and re-add the domain to Cloudflare to provision the -SSL certificate. - - -::: - -*** - -## Does enabling Cloudflare affect PayPal's TLS 1.2 requirement? - -No. Since Cloudflare does not proxy connections made directly to `paypal.com`, enabling Cloudflare for your domain does not affect how TLS connections are made. - -However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](/ssl/edge-certificates/additional-options/tls-13/) if you have it enabled on your zone. -If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. - -*** - -## Redsys is not working with my Let's Encrypt Certificate. - -The Let's Encrypt Certificate Authority and SNI are not currently supported by Redsys. - -We recommend one of the following options: - -* Change the Universal Certificate Authority to a different CA. -* Add an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/) or [custom certificate](/ssl/edge-certificates/custom-certificates/) using a different CA. \ No newline at end of file From 2134946dc2bea00b0d3e2f7c8de5a7d7f322c3fb Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Mon, 23 Feb 2026 17:55:58 +0000 Subject: [PATCH 06/12] Move CAA records faq to ca-faq and delete dupe info --- .../troubleshooting/ca-faq.mdx | 48 ++++++++++++------- .../troubleshooting/caa-records.mdx | 32 ------------- 2 files changed, 31 insertions(+), 49 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx index b8856e96eeef60..d6dcf7ab1ace8c 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx @@ -9,6 +9,8 @@ description: Get answers to commonly asked questions about the certificates you --- +import { Render } from "~/components"; + Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with. ## General @@ -29,6 +31,8 @@ Cloudflare certificates are prioritized by a combination of hostname specificity Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/). +--- + ## Certificate authorities (CAs) ### Which certificate authorities does Cloudflare use? 
@@ -39,23 +43,41 @@ Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-cer ### Are there any CA limitations I should know about? -You can find a list of limitations for every CA in our pipeline in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). - -### What clients are supported by the CAs that Cloudflare offers? - -In the [certificate authorities reference page](/ssl/reference/certificate-authorities/), you can find information about device and browser compatibility. +You can find a list of limitations for every CA in our pipeline - as well as information about device and browser compatibility - in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). ### I do not want to use one of the CAs that Cloudflare partners with. What can I do? If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. +### I am missing the CAs that Cloudflare uses in my trust store. What should I do? + +You can use Cloudflare [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. + +--- + +## CAA records + +### What is CAA and how can I create one? + +
+ +For more details, refer to [Create CAA records](/ssl/edge-certificates/caa-records/). + +### How does Cloudflare evaluate CAA records? + +CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se). + +Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/). + +### What are the dangers of setting CAA records? + +If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization. + ### What CAA records do I need in order to allow issuance from Cloudflare CAs? You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](/ssl/reference/certificate-authorities/#caa-records). If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. -### I am missing the CAs that Cloudflare uses in my trust store. What should I do? - -You can use Cloudflare [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. +--- ## Universal SSL 
@@ -67,12 +89,4 @@ If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl ### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates? -Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. - -## Advanced Certificate Manager - -### How can I choose which CA will be used for my certificates? - -When [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/), you can choose the CA through the UI or API. - -[Total TLS](/ssl/edge-certificates/additional-options/total-tls/) allows you to get full certificate coverage. When enabling Total TLS, you can choose the CA that will be used for all Total TLS certificates. +Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. \ No newline at end of file diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx index b9560c3dc3666b..75df2e71fed631 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx @@ -3,35 +3,3 @@ pcx_content_type: faq source: https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ title: Certification Authority Authorization (CAA) FAQ --- - -import { Render } from "~/components"; - -The following page answers common questions about Certification Authority Authorization (CAA) records. - ---- - -## What is CAA and how can I create one? - -
- -For more details, refer to [Create CAA records](/ssl/edge-certificates/caa-records/). - ---- - -## How does Cloudflare evaluate CAA records? - -CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se). - -Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/). - ---- - -## What are the dangers of setting CAA records? - -If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization. - ---- - -## What CAA records are added by Cloudflare? - - From 79e451f85dab6392f72aefe06c9a6859741a8ff1 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Mon, 23 Feb 2026 19:11:03 +0000 Subject: [PATCH 07/12] AI-assisted: re-arrange pages and create redirects --- public/__redirects | 7 +++++-- .../reference/troubleshooting.mdx | 2 +- .../saas-customers/provider-guides/render.mdx | 2 +- .../saas-customers/provider-guides/wpengine.mdx | 2 +- .../docs/fundamentals/reference/troubleshooting.mdx | 4 ++-- .../docs/pages/configuration/custom-domains.mdx | 2 +- .../troubleshooting/caa-records.mdx | 5 ----- .../troubleshooting/ca-faq.mdx => faq.mdx} | 12 +++++------- src/content/docs/ssl/troubleshooting/faq.mdx | 11 ----------- .../configure-cloudflare-and-heroku-over-https.mdx | 4 ++-- .../troubleshooting/samesite-cookie-interaction.mdx | 6 +++--- 11 files changed, 21 insertions(+), 36 deletions(-) delete mode 100644 src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx rename src/content/docs/ssl/{edge-certificates/troubleshooting/ca-faq.mdx => faq.mdx} (95%) delete mode 100644 src/content/docs/ssl/troubleshooting/faq.mdx diff --git a/public/__redirects b/public/__redirects index 759b6b56687dfd..da9a2694284535 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -1386,9 +1386,12 @@ /ssl/reference/migration-guides/dcv-update/ /ssl/reference/migration-guides/ 301 /ssl/reference/validation-backoff-schedule/ /ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/ 301 /ssl/universal-ssl/changing-dcv-method/ /ssl/edge-certificates/changing-dcv-method/ 301 -/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/edge-certificates/troubleshooting/caa-records/ 301 +/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/faq/ 301 /support/ssl-tls/troubleshooting/troubleshooting-ssl-errors/ /ssl/troubleshooting/general-ssl-errors/ 301 /support/ssl-tls/troubleshooting/you-have-reached-your-quota-for-the-requested-resource.-code-2005/ /ssl/edge-certificates/custom-certificates/troubleshooting/ 301 +/ssl/edge-certificates/troubleshooting/ca-faq/ /ssl/faq/ 301 +/ssl/edge-certificates/troubleshooting/caa-records/ /ssl/faq/ 301 +/ssl/troubleshooting/faq/ /ssl/faq/ 301 # cloudflare for saas /ssl/ssl-for-saas/status-codes/custom-hostnames/ /cloudflare-for-platforms/cloudflare-for-saas/reference/status-codes/custom-hostnames/ 301 
@@ -1492,7 +1495,7 @@ /support/network/understanding-network-error-logging/ /network-error-logging/ 301 /support/network/understanding-the-true-client-ip-header/ /network/true-client-ip-header/ 301 /support/partners/partner-plugin-supportability/ /support/ 301 -/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/troubleshooting/faq/ 301 +/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/faq/ 301 /support/third-party-software/content-management-system-cms/using-cloudflare-with-bigcommerce/ /cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/bigcommerce/ 301 /support/third-party-software/content-management-system-cms/how-do-i-add-a-wordpress.com-custom-domain-mapping-site-to-cloudflare/ /support/third-party-software/content-management-system-cms/wordpresscom-and-cloudflare/ 301 /support/third-party-software/content-management-system-cms/how-do-i-use-wordpress-multi-site-wpmu-with-cloudflare/ /automatic-platform-optimization/ 301 diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx index 0b6fc1ec0cbe78..1b65afa90a37d1 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx @@ -82,7 +82,7 @@ example.com CAA 0 issue "ssl.com" example.com CAA 0 issuewild "ssl.com" ``` -More details can be found on the [CAA records FAQ](/ssl/edge-certificates/troubleshooting/caa-records/). +More details can be found on the [CAA records FAQ](/ssl/faq/#caa-records). *** diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx index 5092172ee7a695..2b5673af78cfa5 100644 
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx @@ -84,4 +84,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you have a `CAA` record, verify that it permits SSL certificates to be issued by Google Trust Services (`pki.goog`). -For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare). +For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare). diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx index 0ef3b1d26f253e..dd184455f353aa 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx @@ -74,4 +74,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you do have a `CAA` record, check that it permits SSL certificates to be issued by `letsencrypt.org`. -For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare). +For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare). diff --git a/src/content/docs/fundamentals/reference/troubleshooting.mdx b/src/content/docs/fundamentals/reference/troubleshooting.mdx index 5a1623f508b4e9..83add7a9e9614b 100644 --- a/src/content/docs/fundamentals/reference/troubleshooting.mdx +++ b/src/content/docs/fundamentals/reference/troubleshooting.mdx 
@@ -41,14 +41,14 @@ When you [set up Cloudflare](/fundamentals/account/), you may experience the fol ## General resources * [DNS FAQ](/dns/faq/) -* [SSL/TLS FAQ](/ssl/troubleshooting/faq/) +* [SSL/TLS FAQ](/ssl/faq/) ## Is Cloudflare attacking me Two common scenarios falsely lead to the perception that Cloudflare is attacking your site: * Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests. -* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). +* The attacker is spoofing Cloudflare's IPs. Cloudflare only [ sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from [Cloudflare IP addresses](https://www.cloudflare.com/ips/). In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare's network. diff --git a/src/content/docs/pages/configuration/custom-domains.mdx b/src/content/docs/pages/configuration/custom-domains.mdx index 75fcc6331caf46..85046ca6615854 100644 --- a/src/content/docs/pages/configuration/custom-domains.mdx +++ b/src/content/docs/pages/configuration/custom-domains.mdx 
@@ -102,7 +102,7 @@ example.com. 300 IN CAA 0 issuewild "pki.goog; cansignht example.com. 300 IN CAA 0 issuewild "ssl.com" ``` -Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/edge-certificates/troubleshooting/caa-records/) for more information. +Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/faq/#caa-records) for more information. ### Change DNS entry away from Pages and then back again diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx deleted file mode 100644 index 75df2e71fed631..00000000000000 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/caa-records.mdx +++ /dev/null @@ -1,5 +0,0 @@ ---- -pcx_content_type: faq -source: https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ -title: Certification Authority Authorization (CAA) FAQ ---- diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/faq.mdx similarity index 95% rename from src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx rename to src/content/docs/ssl/faq.mdx index d6dcf7ab1ace8c..7b3c2799803c09 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/faq.mdx @@ -1,12 +1,10 @@ --- pcx_content_type: faq -title: CAs and certificates FAQ -head: - - tag: title - content: CAs and edge certificates FAQ +title: FAQ description: Get answers to commonly asked questions about the certificates you can obtain through Cloudflare and the CAs that Cloudflare partners with. - +sidebar: + order: 23 --- import { Render } from "~/components"; @@ -61,7 +59,7 @@ You can use Cloudflare [CFSSL trust store](https://github.com/cloudflare/cfssl_t
-For more details, refer to [Create CAA records](/ssl/edge-certificates/caa-records/). +For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/). ### How does Cloudflare evaluate CAA records? @@ -89,4 +87,4 @@ If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl ### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates? -Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. \ No newline at end of file +Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate. diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx deleted file mode 100644 index 786cd7c55b15e2..00000000000000 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -pcx_content_type: faq -title: FAQ -head: - - tag: title - content: General FAQ - ---- - -import { GlossaryTooltip } from "~/components" - diff --git a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx index 62320c7ba759e3..5c55fd3d6729c6 100644 --- a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx +++ b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx 
@@ -92,11 +92,11 @@ Cloudflare provides a SANs wildcard certificate with all paid plans, and a SNI w If you don't know what this means, navigate to the **Overview** tab of the **SSL/TLS** app in your Cloudflare dashboard. Select *Flexible* mode to serve your site over HTTPS to all public visitors. -Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS (e.g., visitors will see HTTPS prefixed to your domain name in the browser bar). +Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS (eg, visitors will see HTTPS prefixed to your domain name in the browser bar). ### Step 4b - Force all traffic over HTTPS -To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect.  To configure this, consult: [How do I redirect all visitors to HTTPS/SSL?](/ssl/troubleshooting/faq/#how-do-i-redirect-all-visitors-to-httpsssl) +To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect.  To configure this, consult: [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) You can then use a cURL command to verify that all requests are being forced over HTTPS. diff --git a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx index 8ab2817f251e91..5211341533b5d5 100644 --- a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx +++ b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx 
@@ -64,7 +64,7 @@ Cloudflare uses `SameSite=None` in the `cf_clearance` cookie so that visitor req Using the `Secure` flag requires sending the cookie via an HTTPS connection. If you use HTTP on any part of your website, the `cf_clearance` cookie defaults to `SameSite=Lax`, which may cause your website not to function properly. -To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose:  +To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two features for this purpose: - [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/) - [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) @@ -73,8 +73,8 @@ To resolve the issue, move your website traffic to HTTPS. Cloudflare offers two ## Related resources -- [SameSite cookies explained](https://web.dev/samesite-cookies-explained/)  +- [SameSite cookies explained](https://web.dev/samesite-cookies-explained/) - [Cloudflare Cookies](/fundamentals/reference/policies-compliances/cloudflare-cookies/) -- [Cloudflare SSL FAQ](/ssl/troubleshooting/faq/) +- [Cloudflare SSL FAQ](/ssl/faq/) - [Automatic HTTPS Rewrites](/ssl/edge-certificates/additional-options/automatic-https-rewrites/) - [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) From 53956fa3c49e85970854a56d07206635dc50b165 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 23 Feb 2026 19:15:03 +0000 Subject: [PATCH 08/12] Delete remaining empty folder and add redirect --- public/__redirects | 1 + .../troubleshooting/index.mdx | 20 ------------------- 2 files changed, 1 insertion(+), 20 deletions(-) delete mode 100644 src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx diff --git a/public/__redirects b/public/__redirects index da9a2694284535..024eb1ca6db107 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -1380,6 +1380,7 @@ /ssl/edge-certificates/disable-weak-cipher-suites/ /ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/ 301 /ssl/edge-certificates/http-strict-transport-security/ /ssl/edge-certificates/additional-options/http-strict-transport-security/ 301 /ssl/edge-certificates/uploading/ /ssl/edge-certificates/custom-certificates/uploading/ 301 +/ssl/edge-certificates/troubleshooting/ /ssl/troubleshooting/ 301 /ssl/reference/cipher-suites/custom-certificates/ /ssl/edge-certificates/custom-certificates/#certificate-packs 301 /ssl/reference/cipher-suites/matching-on-origin/ /ssl/origin-configuration/cipher-suites/#match-on-origin 301 /ssl/reference/migration-guides/lets-encrypt-chain/ /ssl/reference/certificate-authorities/#lets-encrypt 301 diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx deleted file mode 100644 index 79e419686914f0..00000000000000 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/index.mdx +++ /dev/null @@ -1,20 +0,0 @@ ---- -pcx_content_type: navigation -title: Troubleshooting -sidebar: - order: 12 - group: - hideIndex: true -head: - - tag: title - content: Troubleshooting edge certificates - ---- - -import { DirectoryListing } from "~/components" - -Learn more about troubleshooting issues with your edge certificates: - - - -* [Troubleshooting domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/troubleshooting/) From 4381333603a71f9f93b1b3dca38bdefa596b3e6e Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 24 Feb 2026 11:03:49 +0000 Subject: [PATCH 09/12] Text adjustments and overall review of new FAQ page --- src/content/docs/ssl/faq.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/content/docs/ssl/faq.mdx b/src/content/docs/ssl/faq.mdx index 7b3c2799803c09..88de1c0614fec3 100644 --- a/src/content/docs/ssl/faq.mdx 
+++ b/src/content/docs/ssl/faq.mdx @@ -11,6 +11,8 @@ import { Render } from "~/components"; Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with. +--- + ## General ### Does Cloudflare issue both RSA and ECDSA certificates? @@ -41,15 +43,15 @@ Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-cer ### Are there any CA limitations I should know about? -You can find a list of limitations for every CA in our pipeline - as well as information about device and browser compatibility - in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). +Refer to the [certificate authorities reference page](/ssl/reference/certificate-authorities/) for a list of limitations for every CA in our pipeline. There you can also find information about device and browser compatibility. -### I do not want to use one of the CAs that Cloudflare partners with. What can I do? +### I do not want to use the CAs that Cloudflare partners with. What can I do? If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. ### I am missing the CAs that Cloudflare uses in my trust store. What should I do? -You can use Cloudflare [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. +You can use [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates. --- From 73a940b5817ef7e5768ce870d4871d3298843a53 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Tue, 24 Feb 2026 11:22:50 +0000 Subject: [PATCH 10/12] Overall review and more precise about caa-records redirects --- public/__redirects | 4 ++-- .../cloudflare-for-saas/reference/troubleshooting.mdx | 2 +- .../saas-customers/provider-guides/render.mdx | 2 +- .../saas-customers/provider-guides/wpengine.mdx | 2 +- src/content/docs/fundamentals/reference/troubleshooting.mdx | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/public/__redirects b/public/__redirects index 024eb1ca6db107..3291bb7173e124 100644 --- a/public/__redirects +++ b/public/__redirects @@ -1387,11 +1387,11 @@ /ssl/reference/migration-guides/dcv-update/ /ssl/reference/migration-guides/ 301 /ssl/reference/validation-backoff-schedule/ /ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/ 301 /ssl/universal-ssl/changing-dcv-method/ /ssl/edge-certificates/changing-dcv-method/ 301 -/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/faq/ 301 +/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/faq/#caa-records 301 /support/ssl-tls/troubleshooting/troubleshooting-ssl-errors/ /ssl/troubleshooting/general-ssl-errors/ 301 /support/ssl-tls/troubleshooting/you-have-reached-your-quota-for-the-requested-resource.-code-2005/ /ssl/edge-certificates/custom-certificates/troubleshooting/ 301 /ssl/edge-certificates/troubleshooting/ca-faq/ /ssl/faq/ 301 -/ssl/edge-certificates/troubleshooting/caa-records/ /ssl/faq/ 301 +/ssl/edge-certificates/troubleshooting/caa-records/ /ssl/faq/#caa-records 301 /ssl/troubleshooting/faq/ /ssl/faq/ 301 # cloudflare for saas diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx index 1b65afa90a37d1..f3a31049a8c731 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx 
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx @@ -82,7 +82,7 @@ example.com CAA 0 issue "ssl.com" example.com CAA 0 issuewild "ssl.com" ``` -More details can be found on the [CAA records FAQ](/ssl/faq/#caa-records). +For more details, refer to [CAA records FAQ](/ssl/faq/#caa-records). *** diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx index 2b5673af78cfa5..2d30dd60422e66 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx @@ -84,4 +84,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you have a `CAA` record, verify that it permits SSL certificates to be issued by Google Trust Services (`pki.goog`). -For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare). +For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/). diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx index dd184455f353aa..95463f822c44ea 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx 
@@ -74,4 +74,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you do have a `CAA` record, check that it permits SSL certificates to be issued by `letsencrypt.org`. -For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare). +For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/). diff --git a/src/content/docs/fundamentals/reference/troubleshooting.mdx b/src/content/docs/fundamentals/reference/troubleshooting.mdx index 83add7a9e9614b..802b8456821b57 100644 --- a/src/content/docs/fundamentals/reference/troubleshooting.mdx +++ b/src/content/docs/fundamentals/reference/troubleshooting.mdx 
@@ -47,8 +47,8 @@ When you [set up Cloudflare](/fundamentals/account/), you may experience the fol Two common scenarios falsely lead to the perception that Cloudflare is attacking your site: -* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests. -* The attacker is spoofing Cloudflare's IPs. Cloudflare only [ sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). +* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests. +* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/). Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from [Cloudflare IP addresses](https://www.cloudflare.com/ips/). In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare's network. From 97e39407526d9265d7629f408c05b176f1b63e23 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Tue, 24 Feb 2026 12:31:45 +0000 Subject: [PATCH 11/12] Adjust link to match page title Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../saas-customers/provider-guides/wpengine.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx index 95463f822c44ea..4a7d4597dba598 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx @@ -74,4 +74,4 @@ If you encounter SSL errors, check if you have a `CAA` record. If you do have a `CAA` record, check that it permits SSL certificates to be issued by `letsencrypt.org`. -For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/). +For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/). From d984f21c37ecc6c9f1efba8b3f1077d3af8c4871 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 24 Feb 2026 12:48:09 +0000 Subject: [PATCH 12/12] Apply suggestions from PCX review --- src/content/docs/ssl/faq.mdx | 5 +++-- .../others/configure-cloudflare-and-heroku-over-https.mdx | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/content/docs/ssl/faq.mdx b/src/content/docs/ssl/faq.mdx index 88de1c0614fec3..3b07b8ca622e06 100644 --- a/src/content/docs/ssl/faq.mdx +++ b/src/content/docs/ssl/faq.mdx @@ -1,9 +1,10 @@ --- pcx_content_type: faq -title: FAQ +title: SSL/TLS FAQ description: Get answers to commonly asked questions about the certificates you can obtain through Cloudflare and the CAs that Cloudflare partners with. sidebar: + label: FAQ order: 23 --- 
@@ -73,7 +74,7 @@ Setting a CAA record to specify one or more particular CAs does not affect which If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization. -### What CAA records do I need in order to allow issuance from Cloudflare CAs? +### What CAA records do I need to allow issuance from Cloudflare CAs? You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](/ssl/reference/certificate-authorities/#caa-records). If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. diff --git a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx index 5c55fd3d6729c6..e2b23fb5e20b66 100644 --- a/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx +++ b/src/content/docs/support/third-party-software/others/configure-cloudflare-and-heroku-over-https.mdx 
@@ -92,11 +92,11 @@ Cloudflare provides a SANs wildcard certificate with all paid plans, and a SNI w If you don't know what this means, navigate to the **Overview** tab of the **SSL/TLS** app in your Cloudflare dashboard. Select *Flexible* mode to serve your site over HTTPS to all public visitors. -Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS (eg, visitors will see HTTPS prefixed to your domain name in the browser bar). +Once the certificate status changes to **• Active Certificate**, incoming traffic will be served to your site over HTTPS. Visitors will see HTTPS prefixed to your domain name in the browser bar. ### Step 4b - Force all traffic over HTTPS -To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect.  To configure this, consult: [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) +To ensure all traffic to your site is encrypted, Cloudflare lets you force an automatic HTTPS redirect. To configure this, refer to [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/). You can then use a cURL command to verify that all requests are being forced over HTTPS.
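Review bot: In PATCH 06, the `@@ -67,12 +89,4 @@` hunk of ca-faq.mdx drops the whole "Advanced Certificate Manager" section, and the Total TLS sentence ("When enabling Total TLS, you can choose the CA that will be used for all Total TLS certificates") is not re-homed anywhere in this series, while the CA-choice-on-order sentence survives under "How does Cloudflare evaluate CAA records?". Suggest keeping that Total TLS sentence next to it so the page still tells readers both ways of picking a CA. The same hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which PATCH 07 then has to fix; better to keep the newline here.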
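Review bot: In PATCH 06, the caa-records.mdx hunk (`@@ -3,35 +3,3 @@`) strips the body but keeps the frontmatter, so at this commit the page renders as an empty "Certification Authority Authorization (CAA) FAQ", and the "What CAA records are added by Cloudflare?" section (with its Render component) is deleted without being moved to ca-faq.mdx even though render.mdx and wpengine.mdx still link to `#what-caa-records-are-added-by-cloudflare` until PATCH 07. Suggest deleting the file and adding its redirect in this same commit (as PATCH 07 eventually does) so no intermediate commit ships a blank page with dangling anchors.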
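Review bot: In PATCH 07, the first public/__redirects hunk (`@@ -1386,9 +1386,12 @@`) sends `/support/dns/how-to/certification-authority-authorization-caa-faq/` to `/ssl/faq/` with no section anchor, although the same patch already links `/ssl/faq/#caa-records` from troubleshooting.mdx and custom-domains.mdx; the anchor is only added in PATCH 10, so it would be cleaner to use `/ssl/faq/#caa-records` here directly. Style point in the same hunk: the three new `/ssl/...` lines are appended after the `/support/...` entries rather than grouped with the other `/ssl/` redirects just above them.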
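Review bot: In PATCH 07, the render.mdx hunk (`@@ -84,4 +84,4 @@`) and the matching wpengine.mdx hunk point at `/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare`, a fragment whose heading is not visible anywhere in this diff; PATCH 10 then drops the fragment again, which suggests it did not match a real heading. Either confirm the heading id on the target page or link to `/ssl/edge-certificates/caa-records/` without a fragment from the start.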
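Review bot: In PATCH 07, the fundamentals/reference/troubleshooting.mdx hunk (`@@ -41,14 +41,14 @@`) introduces a stray space inside the link text, `[ sends traffic to your origin web server ...]`, on a line that otherwise did not need to change; PATCH 10 has to undo it. Suggest leaving that bullet untouched in this hunk and changing only the `[SSL/TLS FAQ](/ssl/faq/)` line.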
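Review bot: In PATCH 07, the rename hunk for ca-faq.mdx -> faq.mdx (`@@ -1,12 +1,10 @@`) removes the `head` title override "CAs and edge certificates FAQ" and sets `title: FAQ`, so the browser tab and search results show only "FAQ" with no product context. Suggest a descriptive `title` (such as "SSL/TLS FAQ") plus a short `sidebar: label: FAQ`, which is what PATCH 12 ends up doing; it would be simpler to do it in the rename commit.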
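Review bot: In PATCH 07, the configure-cloudflare-and-heroku-over-https.mdx hunk (`@@ -92,11 +92,11 @@`) replaces "e.g.," with "eg," in the Active Certificate sentence, which is a regression in a line that only needed the link change (PATCH 12 rewrites the sentence to remove it). The rewritten "Step 4b" line also keeps the double (non-breaking) space before "To configure this", the kind of unstandardized space PATCH 01 of this series set out to remove; suggest a single normal space there.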
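Review bot: In PATCH 08, the public/__redirects hunk (`@@ -1380,6 +1380,7 @@`) inserts `/ssl/edge-certificates/troubleshooting/ /ssl/troubleshooting/ 301` after the `uploading/` entry, out of the alphabetical order the surrounding `/ssl/edge-certificates/` lines follow; suggest placing it before `uploading/`. Since the deleted index.mdx was the only page linking "Troubleshooting domain control validation (DCV)" in this diff, also confirm that `/ssl/troubleshooting/` links to `/ssl/edge-certificates/changing-dcv-method/troubleshooting/` so that entry point is not lost.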
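Review bot: In PATCH 09, the second faq.mdx hunk (`@@ -41,15 +43,15 @@`) changes the trust-store answer to "You can use [CFSSL trust store](...)", which is missing an article; suggest "You can use the [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes ...".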
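Review bot: In PATCH 10, the public/__redirects hunk (`@@ -1387,11 +1387,11 @@`) uses a URL fragment (`/ssl/faq/#caa-records`) as a redirect destination. The `## CAA records` heading does exist on faq.mdx (added in PATCH 06), but a fragment in a 301 target only works if the redirect engine emits it in the `Location` header rather than stripping it; worth confirming against the redirects behaviour before merging, otherwise these entries silently behave like the plain `/ssl/faq/` ones.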
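Review bot: In PATCH 11, the wpengine.mdx hunk (`@@ -74,4 +74,4 @@`) renames the link text to "Add CAA records" to match the target page title, but the identical sentence in render.mdx (last touched in PATCH 10) still reads "For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/)". Suggest applying the same rename to render.mdx so the two provider guides stay consistent.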