[ZT] WARP client certificate check (#14968)

* add additional features

* apply review feedback

* Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md

Co-authored-by: Andreas <aweinlein@cloudflare.com>

* Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md

Co-authored-by: Andreas <aweinlein@cloudflare.com>

* Windows local machine trust store commnd

* tweak wording

* remove Linux

* add Linux instructions

* add note about legacy support

* Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md

---------

Co-authored-by: Andreas <aweinlein@cloudflare.com>

content/cloudflare-one/identity/devices/warp-client-checks/_index.md

@@ -20,7 +20,7 @@ These device posture checks are performed by the [Cloudflare WARP client](/cloud
 | ---------------------| ----- | ------- | ----- | --- | ---------------- |
 | [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/) | ✅ | ✅ | ✅ | ❌ | ❌ |
 | [Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) | ✅ | ✅ | ✅ | ❌ | ❌ |
-| [Client certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/) | ✅ | ✅ | ✅ | ❌ | ❌ |
+| [Client certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/) | ✅ | ✅ | Coming soon | ❌ | ❌ |
 | [Device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) | ✅ | ✅ | ✅ | ❌ | ❌ |
 | [Device UUID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/) | ❌ | ❌ | ❌ | ✅ | ✅ |
 | [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) | ✅ | ✅ | ✅ | ❌ | ❌ |

content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md

@@ -8,16 +8,33 @@ weight: 3
 
 The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
 
+{{<details header="Feature availability">}}
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| -- | -- |
+| All modes | All plans  |
+
+| System   | Availability | Minimum WARP version<sup>1</sup> |
+| ---------| -------------| ---------------------|
+| Windows  | ✅           | 2024.6.415.0 |
+| macOS    | ✅           | 2024.6.416.0 |
+| Linux    | Coming soon  |    |
+| iOS      | ❌           |   |
+| Android  | ❌           |   |
+| ChromeOS | ❌           |   |
+
+<sup>1</sup> Client certificate checks that ran on an earlier WARP version will continue to work. To configure a new certificate check, update WARP to the versions listed above.
+{{</details>}}
+
 ## Prerequisites
 
-- A root CA that issues client certificates for your devices. You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) to generate a sample root CA for testing.
-- {{<render file="posture/_prereqs-warp-is-deployed.md" withParameters="[WARP client checks](/cloudflare-one/identity/devices/warp-client-checks/)">}}
+- A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
+- Cloudflare WARP client is [deployed](/cloudflare-one/connections/connect-devices/warp/deployment/) on the device.
 - A client certificate is [installed and trusted](#how-warp-checks-for-a-client-certificate) on the device.
-  | System  | Certificate store    |
-  | ------- | -------------------- |
-  | macOS   | System Keychain      |
-  | Windows | `Current User\Personal` store |
-  | Linux   | NSSDB                |
+
+{{<Aside type="note">}}
+You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) to generate a sample root CA for testing.
+{{</Aside>}}
 
 ## Configure the client certificate check
 
@@ -33,8 +50,16 @@ The Client Certificate device posture attribute checks if the device has a valid
 
    1. **Name**: Enter a unique name for this device posture check.
    2. **Operating system**: Select your operating system.
-   3. **Certificate ID**: Enter the UUID of the root CA.
-   4. **Common name**: Enter the common name of the client certificate (not the root CA).
+   3. **OS locations**: Specify the location(s) where the client certificate is installed.
+| System  | Certificate stores    |
+| ------- | -------------------- |
+| Windows | - Local machine trust store </br> - User trust store|
+| macOS   | - System keychain      |
+| Linux   | - NSSDB </br> - To search a custom location, enter the absolute file path(s) to the certificate and private key (for example `/usr/local/mycompany/certs/client.pem` and `/usr/local/mycompany/certs/client_key.pem`). The certificate and private key must be in `PEM` format. They can either be in two different files or the same file. |
+   4. **Certificate ID**: Enter the UUID of the root CA.
+   5. **Common name**: (Optional) To check for a specific common name on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate.
+   6. **Check for Extended Key Usage**: (Optional) Check whether the client certificate has one or more attributes set. Supported values are **Client authentication** (`1.3.6.1.5.5.7.3.2`) and/or **Email** (`1.3.6.1.5.5.7.3.4`).
+   7. **Check for private key**: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
 
 6. Select **Save**.
 
@@ -44,39 +69,47 @@ Next, go to **Logs** > **Posture** and verify that the client certificate check
 
 Learn how the WARP client determines if a client certificate is installed and trusted on the device.
 
-{{<tabs labels="macOS | Windows | Linux">}}
-{{<tab label="macos" no-code="true">}}
+{{<tabs labels=" Windows | macOS | Linux">}}
 
-1. Open Terminal.
-2. Run the following command to search for a certificate with a specific common name:
+{{<tab label="windows" no-code="true">}}
 
-```sh
-$ /usr/bin/security find-certificate -c "<COMMON_NAME>" -p /Library/Keychains/System.keychain
-```
+1. Open a PowerShell window.
+2. To search the local machine trust store for a certificate with a specific common name, run the following command:
+
+  ```powershell
+  PS C:\Users\JohnDoe> Get-ChildItem Cert:\LocalMachine\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}
+  ```
+
+3. To search the user trust store for a certificate with a specific common name, run the following command:
+
+  ```powershell
+  PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}
+  ```
 
 {{</tab>}}
-{{<tab label="windows" no-code="true">}}
 
-1. Open a PowerShell window.
-2. Run the following command to search for a certificate with a specific common name:
+{{<tab label="macos" no-code="true">}}
 
-```powershell
-PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}
+1. Open Terminal.
+2. To search System Keychain for a certificate with a specific common name, run the following command:
+
+```sh
+$ /usr/bin/security find-certificate -c "<COMMON_NAME>" -p /Library/Keychains/System.keychain
 ```
 
 {{</tab>}}
 
 {{<tab label="linux" no-code="true">}}
 
 1. Open Terminal.
-2. Run the following command to search for a certificate with a specific common name:
+2. To search NSSDB for a certificate with a specific common name, run the following command:
 
 ```sh
 $ certutil -L -d sql:/etc/pki/nssdb -r -n <COMMON_NAME>
-
 ```
 
 {{</tab>}}
+
 {{</tabs>}}
 
 For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.