Clarify Keyless key server auto-generates its certificate #31821

Open: baubuchon-cf wants to merge 1 commit into production from keyless-autogen-cert-note


@baubuchon-cf

Collaborator

Adds a note to the Activate step: on first start (with hostname, Zone ID, and Origin CA API key set), gokeyless generates its key + CSR and gets the certificate signed automatically — no manual cert creation needed. Addresses T257 / customer feedback.

Summary

Screenshots (optional)

Documentation checklist

  • Is there a changelog entry (guidelines)? If you don't add one for something awesome and new (however small) — how will our customers find out? Changelogs are automatically posted to RSS feeds, the Discord, and X.
  • The change adheres to the documentation style guide.
  • If a larger change - such as adding a new page - an issue has been opened in relation to any incorrect or out-of-date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

baubuchon-cf requested a review from a team as a code owner June 30, 2026 22:25
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jun 30, 2026

Contributor

Review

✅ No issues found in commit e9bb2d9.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

No code review issues found.

Conventions

Checks PR title, description, and redirect checklist.

No convention issues found.

Style Guide Review

No style-guide issues found.

Redirects

No missing redirect entries found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

| Command | Description |
| --- | --- |
| /review | Runs a review now. Incremental if a prior review exists, full if not. |
| /full-review | Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist. |
| /ignore-review-limit | Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal. |
| /disable-auto-review | Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually. |

@github-actions

Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

| Pattern | Owners |
| --- | --- |
| `*` | @cloudflare/product-owners |

ask-bonk (Bot) added the product:ssl (Related to SSL) and content:edit (Request for content edits) labels Jun 30, 2026

ask-bonk (Bot) left a comment

Contributor


Good clarification. One minor grammar suggestion inline.

Also, please check the relevant items in the documentation checklist in the PR description (e.g., style guide adherence) — several boxes are currently unchecked.


:::note

The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and asks you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively.
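
Review bot: The added note says the key server "saves the signed authentication certificate" but does not say where the generated private key and certificate are written, which is what an operator needs in order to restrict file permissions, back the files up, or confirm that activation succeeded. Suggest naming the configuration settings that control those locations, or linking to the configuration reference, rather than leaving it implicit. The final sentence also packs the failure case and the `--config-only` / `--manual-activation` alternative into one clause; splitting it into two sentences would make clear that the flags are a separate, interactive path.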


Fix tense consistency:

Suggested change
The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and asks you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively.
The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and will ask you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively.

@ask-bonk

ask-bonk Bot commented Jun 30, 2026

Contributor

Reviewed PR #31821.

Summary: This PR adds a helpful clarification to the Keyless SSL key server setup partial (src/content/partials/ssl/keyless-key-server-setup.mdx), explaining that gokeyless automatically generates its own private key and CSR on first start (when hostname, Zone ID, and Origin CA API key are configured) and obtains the signed certificate without manual intervention.

Labels applied: product:ssl, content:edit

Issues flagged:

  • LOW — Inline suggestion on the note text: mixed tenses ("will not start and asks" → "will not start and will ask").
  • Note — The documentation checklist items in the PR description are all unchecked; the author should check the ones that apply (e.g., style guide adherence).

No build-breaking MDX issues, frontmatter problems, or incorrect links were found. The addition uses the correct admonition syntax (:::note) consistent with the existing partial.



Labels: content:edit (Request for content edits), product:ssl (Related to SSL), size/xs
