[SSL] Review FAQ

public/__redirects

@@ -1380,15 +1380,19 @@
 /ssl/edge-certificates/disable-weak-cipher-suites/ /ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/ 301
 /ssl/edge-certificates/http-strict-transport-security/ /ssl/edge-certificates/additional-options/http-strict-transport-security/ 301
 /ssl/edge-certificates/uploading/ /ssl/edge-certificates/custom-certificates/uploading/ 301
+/ssl/edge-certificates/troubleshooting/ /ssl/troubleshooting/ 301
 /ssl/reference/cipher-suites/custom-certificates/ /ssl/edge-certificates/custom-certificates/#certificate-packs 301
 /ssl/reference/cipher-suites/matching-on-origin/ /ssl/origin-configuration/cipher-suites/#match-on-origin 301
 /ssl/reference/migration-guides/lets-encrypt-chain/ /ssl/reference/certificate-authorities/#lets-encrypt 301
 /ssl/reference/migration-guides/dcv-update/ /ssl/reference/migration-guides/ 301
 /ssl/reference/validation-backoff-schedule/ /ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/ 301
 /ssl/universal-ssl/changing-dcv-method/ /ssl/edge-certificates/changing-dcv-method/ 301
-/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/edge-certificates/troubleshooting/caa-records/ 301
+/support/dns/how-to/certification-authority-authorization-caa-faq/ /ssl/faq/#caa-records 301
 /support/ssl-tls/troubleshooting/troubleshooting-ssl-errors/ /ssl/troubleshooting/general-ssl-errors/ 301
 /support/ssl-tls/troubleshooting/you-have-reached-your-quota-for-the-requested-resource.-code-2005/ /ssl/edge-certificates/custom-certificates/troubleshooting/ 301
+/ssl/edge-certificates/troubleshooting/ca-faq/ /ssl/faq/ 301
+/ssl/edge-certificates/troubleshooting/caa-records/ /ssl/faq/#caa-records 301
+/ssl/troubleshooting/faq/ /ssl/faq/ 301
 
 # cloudflare for saas
 /ssl/ssl-for-saas/status-codes/custom-hostnames/ /cloudflare-for-platforms/cloudflare-for-saas/reference/status-codes/custom-hostnames/ 301
@@ -1492,7 +1496,7 @@
 /support/network/understanding-network-error-logging/ /network-error-logging/ 301
 /support/network/understanding-the-true-client-ip-header/ /network/true-client-ip-header/ 301
 /support/partners/partner-plugin-supportability/ /support/ 301
-/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/troubleshooting/faq/ 301
+/support/ssl-tls/faq-and-reference/ssl-faq/ /ssl/faq/ 301
 /support/third-party-software/content-management-system-cms/using-cloudflare-with-bigcommerce/ /cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/bigcommerce/ 301
 /support/third-party-software/content-management-system-cms/how-do-i-add-a-wordpress.com-custom-domain-mapping-site-to-cloudflare/ /support/third-party-software/content-management-system-cms/wordpresscom-and-cloudflare/ 301
 /support/third-party-software/content-management-system-cms/how-do-i-use-wordpress-multi-site-wpmu-with-cloudflare/ /automatic-platform-optimization/ 301

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx

@@ -82,7 +82,7 @@
 example.com CAA 0 issuewild "ssl.com"
 ```
 
-More details can be found on the [CAA records FAQ](/ssl/edge-certificates/troubleshooting/caa-records/).
+For more details, refer to [CAA records FAQ](/ssl/faq/#caa-records).
 
 ***
 
@@ -96,7 +96,7 @@
 
 ## Older devices have issues connecting
 
 As Let's Encrypt - one of the [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) used by Cloudflare - has announced changes in its [chain of trust](/ssl/concepts/#chain-of-trust), starting September 9, 2024, there may be issues with older devices trying to connect to your custom hostname certificate.
 
 Consider the following solutions:
 

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/render.mdx

@@ -84,4 +84,4 @@ If you encounter SSL errors, check if you have a `CAA` record.
 
 If you have a `CAA` record, verify that it permits SSL certificates to be issued by Google Trust Services (`pki.goog`).
 
-For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare).
+For more details, refer to [CAA records](/ssl/edge-certificates/caa-records/).

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/wpengine.mdx

@@ -74,4 +74,4 @@ If you encounter SSL errors, check if you have a `CAA` record.
 
 If you do have a `CAA` record, check that it permits SSL certificates to be issued by `letsencrypt.org`.
 
-For more details, refer to [CAA records](/ssl/edge-certificates/troubleshooting/caa-records/#what-caa-records-are-added-by-cloudflare).
+For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/).

src/content/docs/fundamentals/reference/troubleshooting.mdx

@@ -41,14 +41,14 @@ When you [set up Cloudflare](/fundamentals/account/), you may experience the fol
 ## General resources
 
 * [DNS FAQ](/dns/faq/)
-* [SSL/TLS FAQ](/ssl/troubleshooting/faq/)
+* [SSL/TLS FAQ](/ssl/faq/)
 
 ## Is Cloudflare attacking me
 
 Two common scenarios falsely lead to the perception that Cloudflare is attacking your site:
 
-* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests.
-* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/).
+* Unless you [restore the original visitor IP addresses](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests.
+* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](/spectrum/).
 
 Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from [Cloudflare IP addresses](https://www.cloudflare.com/ips/). In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare's network.
 

src/content/docs/pages/configuration/custom-domains.mdx

@@ -102,7 +102,7 @@ example.com.            300     IN      CAA     0 issuewild "pki.goog; cansignht
 example.com.            300     IN      CAA     0 issuewild "ssl.com"
 ```
 
-Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/edge-certificates/troubleshooting/caa-records/) for more information.
+Refer to the [Certification Authority Authorization (CAA) FAQ](/ssl/faq/#caa-records) for more information.
 
 ### Change DNS entry away from Pages and then back again
 

src/content/docs/ssl/edge-certificates/index.mdx

@@ -16,6 +16,15 @@ Consider the information below for guidance on how to choose different edge cert
 
 If you are not familiar with what SSL/TLS certificates are, refer to [Concepts](/ssl/concepts/).
 
+:::note
+Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`).
+
+This behavior occurs when all of the following conditions are true:
+
+* The zone is on a [subdomain setup](/dns/zone-setups/subdomain-setup/).
+* The certificate has a subject or SAN that is a wildcard for the zone's parent domain.
+:::
+
 ## Use cases
 
 ### Simplify issuance and renewal
@@ -40,4 +49,4 @@ If you already have Advanced Certificate Manager, use the API to set up custom c
 
 If you want to use Cloudflare but manage DNS externally ([partial setup](/dns/zone-setups/partial-setup/)), you may need to perform [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/) to prove that you have control over your domain before your SSL/TLS certificate can be issued.
 
-To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).
+To make this process easier and automate DCV at certificate renewal, use [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx

@@ -65,3 +65,12 @@ Due to internal limitations, Universal SSL certificates do not cover [load balan
 ## Browser support
 
 For more on browser support, see [Browser compatibility](/ssl/reference/browser-compatibility/).
+
+## SSL invalid brand check
+
+Some domains are not eligible for Universal SSL if they contain words that conflict with trademarked domains.
+
+To resolve this issue, you can:
+
+* Purchase an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/).
+* Upload your own [custom certificate](/ssl/edge-certificates/custom-certificates/uploading/).

src/content/docs/ssl/faq.mdx

@@ -0,0 +1,93 @@
+---
+pcx_content_type: faq
+title: SSL/TLS FAQ
+description: Get answers to commonly asked questions about the certificates you
+  can obtain through Cloudflare and the CAs that Cloudflare partners with.
+sidebar:
+  label: FAQ
+  order: 23
+---
+
+import { Render } from "~/components";
+
+Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with.
+
+---
+
+## General
+
+### Does Cloudflare issue both RSA and ECDSA certificates?
+
+Yes. Cloudflare can issue both RSA and ECDSA certificates.
+
+### Are Cloudflare SSL certificates shared?
+
+No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers.
+
+### If I have multiple Cloudflare certificates, which one is used?
+
+Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](/ssl/reference/certificate-and-hostname-priority/).
+
+### Why do I see a Cloudflare certificate when an SSL certificate is installed at my website?
+
+Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](/ssl/origin-configuration/ssl-modes/).
+
+---
+
+## Certificate authorities (CAs)
+
+### Which certificate authorities does Cloudflare use?
+
+Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, and Sectigo. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/).
+
+Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/).
+
+### Are there any CA limitations I should know about?
+
+Refer to the [certificate authorities reference page](/ssl/reference/certificate-authorities/) for a list of limitations for every CA in our pipeline. There you can also find information about device and browser compatibility.
+
+### I do not want to use the CAs that Cloudflare partners with. What can I do?
+
+If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice.
+
+### I am missing the CAs that Cloudflare uses in my trust store. What should I do?
+
+You can use [CFSSL trust store](https://github.com/cloudflare/cfssl_trust), which includes all of the CAs that are used by Cloudflare managed certificates.
+
+---
+
+## CAA records
+
+### What is CAA and how can I create one?
+
+<Render file="caa-records-definition" product="ssl" /> <br />
+
+For more details, refer to [Add CAA records](/ssl/edge-certificates/caa-records/).
+
+### How does Cloudflare evaluate CAA records?
+
+CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se).
+
+Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/).
+
+### What are the dangers of setting CAA records?
+
+If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization.
+
+### What CAA records do I need to allow issuance from Cloudflare CAs?
+
+You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](/ssl/reference/certificate-authorities/#caa-records). If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf.
+
+---
+
+## Universal SSL
+
+### I am using Universal SSL and I would like to use a different CA. How can I do that?
+
+To be able to specify a CA, you must purchase [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/). Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate or you can choose a default CA when using [Total TLS](/ssl/edge-certificates/additional-options/total-tls/).
+
+If you are on a Business or Enterprise plan, you can [upload a certificate](/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you.
+
+### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates?
+
+Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate.

src/content/docs/ssl/get-started.mdx

@@ -49,6 +49,10 @@ Note that some encryption modes will require you to have a valid [origin certifi
 
 <Render file="enforce-https-recommendation" product="ssl" />
 
+## SEO considerations
+
+Using HTTPS can improve user trust and may be used as a ranking signal by search engines. For related guidance, refer to [Improve SEO](/fundamentals/performance/improve-seo/).
+
 ## Optional - Enable additional features
 
 <Render file="get-started-additional-features" product="ssl" />