From e9bb2d9a7367ed65c297574786acbc250b28da2f Mon Sep 17 00:00:00 2001 From: Bryan AuBuchon Date: Tue, 30 Jun 2026 18:19:24 -0400 Subject: [PATCH] Clarify Keyless key server auto-generates its certificate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a note to the Activate step: on first start (with hostname, Zone ID, and Origin CA API key set), gokeyless generates its key + CSR and gets the certificate signed automatically — no manual cert creation needed. Addresses T257 / customer feedback. --- src/content/partials/ssl/keyless-key-server-setup.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/partials/ssl/keyless-key-server-setup.mdx b/src/content/partials/ssl/keyless-key-server-setup.mdx index dcce2048312..a5e6cb0f98f 100644 --- a/src/content/partials/ssl/keyless-key-server-setup.mdx +++ b/src/content/partials/ssl/keyless-key-server-setup.mdx @@ -163,4 +163,10 @@ To activate, restart your keyless instance: - systemd: `sudo service gokeyless restart` - upstart/sysvinit: `sudo /etc/init.d/gokeyless restart` +:::note + +The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and asks you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively. + +::: + If this command fails, try troubleshooting by [checking the logs](/ssl/keyless-ssl/troubleshooting/).