From e9bb2d9a7367ed65c297574786acbc250b28da2f Mon Sep 17 00:00:00 2001 From: Bryan AuBuchon Date: Tue, 30 Jun 2026 18:19:24 -0400 Subject: [PATCH 1/2] Clarify Keyless key server auto-generates its certificate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a note to the Activate step: on first start (with hostname, Zone ID, and Origin CA API key set), gokeyless generates its key + CSR and gets the certificate signed automatically — no manual cert creation needed. Addresses T257 / customer feedback. --- src/content/partials/ssl/keyless-key-server-setup.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/content/partials/ssl/keyless-key-server-setup.mdx b/src/content/partials/ssl/keyless-key-server-setup.mdx index dcce2048312..a5e6cb0f98f 100644 --- a/src/content/partials/ssl/keyless-key-server-setup.mdx +++ b/src/content/partials/ssl/keyless-key-server-setup.mdx @@ -163,4 +163,10 @@ To activate, restart your keyless instance: - systemd: `sudo service gokeyless restart` - upstart/sysvinit: `sudo /etc/init.d/gokeyless restart` +:::note + +The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and asks you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively. + +::: + If this command fails, try troubleshooting by [checking the logs](/ssl/keyless-ssl/troubleshooting/). From c93f0982b69d5630162239a36021c386263669f3 Mon Sep 17 00:00:00 2001 
From: Bryan AuBuchon Date: Thu, 2 Jul 2026 13:26:45 -0400 Subject: [PATCH 2/2] Update src/content/partials/ssl/keyless-key-server-setup.mdx Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com> --- src/content/partials/ssl/keyless-key-server-setup.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/ssl/keyless-key-server-setup.mdx b/src/content/partials/ssl/keyless-key-server-setup.mdx index a5e6cb0f98f..5e00da0f779 100644 --- a/src/content/partials/ssl/keyless-key-server-setup.mdx +++ b/src/content/partials/ssl/keyless-key-server-setup.mdx @@ -165,7 +165,7 @@ To activate, restart your keyless instance: :::note -The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and asks you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively. +The first time the key server starts with the hostname, Zone ID, and Origin CA API key set, it automatically generates its own private key and certificate signing request (CSR), submits the CSR to Cloudflare, and saves the signed authentication certificate it presents for mutual TLS. You do not need to create this certificate manually. If those three values are not set, the key server will not start and will ask you to set them — or to run it with `--config-only` or `--manual-activation` to generate the key and CSR interactively. :::
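Review bot: in PATCH 1/2 the new `:::note` block is inserted between the restart commands and the "If this command fails" line, so "this command" no longer directly follows the commands it refers to. Consider placing the note after the troubleshooting sentence, or before "To activate, restart your keyless instance:". The note also says the key server generates its own private key and "saves the signed authentication certificate" without saying where either is written. A pointer to that location would let an operator confirm the files exist after first start and check who can read the private key. Since the Origin CA API key is one of the three values that trigger automatic signing, it is also worth stating whether it is needed after the certificate has been issued.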
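Review bot: in PATCH 2/2 the replaced sentence still joins two different outcomes after "will ask you to set them", so a reader cannot tell whether `--config-only` and `--manual-activation` both "generate the key and CSR interactively" or whether that applies to only one of them. The tense fix is fine, but splitting the sentence would remove the ambiguity: one sentence stating that the key server will not start and will ask for the hostname, Zone ID, and Origin CA API key, and a second stating what each flag does. The subject line "Update src/content/partials/ssl/keyless-key-server-setup.mdx" also does not say what changed; something like "Fix tense in Keyless activation note" would make the history easier to read.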