diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index 89468a834912b7..592f0a06bc74d3 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx @@ -37,7 +37,6 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti - [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector. - [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode. -- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices. ## 1. Add a target diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index 7ac7f1e032a780..29d7dd649fe685 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx 
@@ -25,7 +25,7 @@ import { Tabs, TabItem, Badge, Render } from "~/components"; To connect your devices to Cloudflare: 1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode. -2. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices. +2. [Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy). 3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization. ## 3. Route private network IPs through WARP @@ -58,6 +58,14 @@ To generate a Cloudflare SSH CA and get its public key: ### Modify your SSHD config +:::note +For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to `600`. You can set file permissions with the following command: + +```sh +chmod 600 /etc/ssh/ca.pub +``` +::: + ### Restart your SSH server @@ -69,6 +77,8 @@ Users can use any SSH client to connect to the target, as long as they are logge ssh @ ``` +SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported. + For more information, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#connect-as-a-user). ## SSH command logs diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index be10872c9c84af..df037f7ef133b0 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx 
@@ -11,12 +11,12 @@ To create a new target: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Targets**. 2. Select **Add a target**. 3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
- Case insensitive - - Contain no more than 255 characters + - Contain no more than 253 characters - Contain only alphanumeric characters, `-`, or `.` (no spaces allowed) - Start and end with an alphanumeric character
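Review bot: the limit change from 255 to 253 characters in add-target.mdx is unexplained in the hunk. 253 is the maximum textual length of a DNS hostname, yet the same paragraph says hostnames "are not used in DNS address resolution", so a reader cannot tell whether 253 is the API's actual validation limit or a DNS convention carried over by analogy. Name the source of the limit (the target hostname field's validation) so the number can be kept in sync with the API, and consider folding the constraint bullets into one sentence, since "Case insensitive" is a property rather than a rule the user has to satisfy like the three that follow it.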
diff --git a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx index 468dd2840eff89..1ee08d6eb0246b 100644 --- a/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx +++ b/src/content/partials/cloudflare-one/ssh/ssh-proxy-ca.mdx @@ -3,15 +3,27 @@ --- -import { Render } from "~/components" +import { Render, Details } from "~/components" -1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers. +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: - ```bash - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ - --header "X-Auth-Email: " \ - --header "X-Auth-Key: " - ``` + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: SSH Auditing | Edit | -2. Copy the `public_key` value returned in the response. \ No newline at end of file +2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API: + + ```bash + curl --request POST \ + "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \ + --header "Authorization: Bearer " + ``` + +3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead: + + ```bash + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \ + --header "Authorization: Bearer " + ``` + +4. Copy the `public_key` value returned in the response.
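Review bot: the prerequisite list in infrastructure-apps.mdx drops the "Install and trust the Cloudflare root certificate" step without adding a replacement, while the identical removal in ssh-infrastructure-access.mdx is paired with a new step 2, `[Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy)`. If the TCP proxy is now a requirement for Access for Infrastructure, list it on infrastructure-apps.mdx as well so the two prerequisite lists for the same feature match; if it is not, the ssh page's step 2 is the one that needs justifying.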
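Review bot: in ssh-infrastructure-access.mdx the new `:::note` with `chmod 600 /etc/ssh/ca.pub` is inserted directly under `### Modify your SSHD config`, ahead of that section's content, so a reader following the page top to bottom reaches the chmod before the file it targets has been written, and the note hard-codes `/etc/ssh/ca.pub`, which has to stay in step with whatever path the section's sshd configuration instructions use. Move the note below the step that creates the file (or refer to that step's filename rather than repeating it), and state what failure the reader sees without it; a mode of 600 on a public key file is unusual enough that readers will question whether it is a typo for 644 unless the symptom is spelled out.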
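Review bot: the added sentence in ssh-infrastructure-access.mdx, "SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported.", needs qualifying: since OpenSSH 9.0 the `scp` client transfers over the SFTP protocol by default and only uses the legacy scp protocol when invoked with `-O`, so for users on a current OpenSSH the two sentences contradict each other. Say whether `scp -O` is required (or which scp/OpenSSH versions were tested), and replace "At this time" with wording that does not silently go stale, such as a pointer to where a change in sftp support will be announced.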
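Review bot: `Details` is added to the import in ssh-proxy-ca.mdx (`import { Render, Details } from "~/components"`) but nothing in the hunk renders a `<Details>` component, and because the hunk spans the whole body of this partial the import appears to be unused; drop it or add the collapsible section it was meant for. On the procedure itself, the POST in step 2 is not idempotent and its failure case, `access.api.error.gateway_ca_already_exists`, is handled by sending the reader on to the GET in step 3; reversing the order (GET first, POST only when no CA is returned) documents the happy path instead of an error path. Replacing the global API key (`X-Auth-Email` / `X-Auth-Key`) with a scoped token is the right change; make the permission table say that `Access: SSH Auditing` / `Edit` is what the POST needs, so readers who will only ever run the GET know whether a narrower permission is enough for their token.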