[SSL, CF4SaaS] Clarify CA cert is validated and CNAME config with mTLS

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx

@@ -28,6 +28,8 @@ Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for
 
 :::note
 Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/).
+
+Also make sure to enforce mTLS on the specific custom hostname where it should be checked. It is not enough to have it set on the CNAME target.
 :::
 
 ## Minimum TLS Version

src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx

@@ -69,6 +69,10 @@ Example WAF Custom Rule with action block:
 
 ![Example of a WAF custom rule with an action block in the Cloudflare dashboard during the validate client certificate step](~/assets/images/learning-paths/mtls/waf-custom-rule-action-block.png)
 
+:::note
+When using CNAME, enforce mTLS on the specific hostname where it should be checked. It is not enough to have it set on the CNAME target.
+:::
+
 ## Demo
 
 :::note

src/content/docs/ssl/client-certificates/byo-ca.mdx

@@ -23,6 +23,8 @@ Bring your own CA (BYOCA) is especially useful if you already have mTLS implemen
 
 ## CA certificate requirements
 
+When you upload your CA, Cloudflare validates the certificate according to certain requirements.
+
 <Render file="byo-ca-mtls-cert-requirements" product="ssl" />
 
 :::note
@@ -71,6 +73,10 @@ Uploading the CA private key is only required if you wish to use [Zero Trust's b
   "action": "block"
 ```
 
+:::note
+When using CNAME, enforce mTLS on the specific hostname where it should be checked. It is not enough to have it set on the CNAME target.
+:::
+
 ### Multiple CAs for one hostname
 
 There can be multiple CAs (Cloudflare-managed or BYOCA) associated with the same hostname. For BYOCA certificates, the most recently deployed certificate will be prioritized.