cloudflare · RebeccaTamachiro · Jan 12, 2026 · Jan 6, 2026 · Jan 9, 2026 · Jan 9, 2026
@@ -12,8 +12,6 @@
 
 This guide will walk you through how to set up [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html).
 
-You can also find instructions on how to [rollback](#rollback-the-cloudflare-configuration) this setup in Cloudflare.
-
 ## Before you begin
 
 - You should already have your AWS account and [EC2](https://docs.aws.amazon.com/ec2/?icmpid=docs_homepage_featuredsvcs) configured.
@@ -28,7 +26,7 @@

 1. Upload the `rootca.cert` to an [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html).
 2. [Create a trust store](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html#create-trust-store) at your EC2 console, indicating the **S3 URI** where you uploaded the certificate.
 3. Create an EC2 instance and install an HTTPD daemon. Choose an [instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) according to your needs - it can be a minimal instance eligible to [AWS Free Tier](https://aws.amazon.com/free/). This tutorial was based on an example using t2.micro and [Amazon Linux 2023](https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-linux.html).

 ```bash
 sudo yum install -y httpd
@@ -104,34 +102,6 @@
 
 ---
 
-## Rollback the Cloudflare configuration
-
-1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.
-
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames"
-	method="PUT"
-	json={{
-		config: [
-			{
-				enabled: false,
-				cert_id: "<CERT_ID>",
-				hostname: "<YOUR_HOSTNAME>",
-			},
-		],
-	}}
-/>
-
-2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.
+## Roll back the Cloudflare configuration
 
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates"
-	method="GET"
-/>
-
-3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded.
-
-<APIRequest
-	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}"
-	method="DELETE"
-/>
+<Render file="aop-rollback-hostname-setup" product="ssl" />
@@ -9,7 +9,7 @@ description: Authenticated Origin Pulls helps ensure requests to your origin
 
 ---
 
-import { FeatureTable } from "~/components"
+import { FeatureTable, Render } from "~/components"
 
 Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.
 
@@ -25,6 +25,11 @@ Although Cloudflare provides you a certificate to easily [configure zone-level a
 
 Using a custom certificate is possible with both [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls and is required if you need your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards) compliant.
 
+:::note
+
+<Render file="aop-disablement-callout" product="ssl" />
+:::
+
 ## Limitations
 
 Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.

@@ -67,11 +67,8 @@ You can configure alerts to receive notifications before your AOP certificates e
 
 <Render file="get-started" product="notifications" />
 
-:::note
-[Per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) and [zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) are two separate configurations. Disabling zone-level AOP does not disable per-hostname AOP.
-:::
-
-
 ## Further options
 
 Refer to [Manage certificates](/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options.
+
+To learn how to remove the configuration, refer to [Rollback](/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/).
@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Roll back per-hostname AOP
+sidebar:
+  order: 4
+  label: Rollback
+---
+
+import { Render } from "~/components";
+
+If you need to disable or remove your [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) Authenticated Origin Pulls configuration, follow these steps.
+
+:::note
+
+<Render file="aop-disablement-callout" product="ssl" />
+:::
+
+<Render file="aop-rollback-hostname-setup" product="ssl" />
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+[Zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) are two separate configurations. Disabling one does not disable the other.
@@ -0,0 +1,35 @@
+---
+{}
+---
+
+import { APIRequest } from "~/components";
+
+1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames"
+   	method="PUT"
+   	json={{
+   		config: [
+   			{
+   				enabled: false,
+   				cert_id: "<CERT_ID>",
+   				hostname: "<YOUR_HOSTNAME>",
+   			},
+   		],
+   	}}
+   />
+
+2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates"
+   	method="GET"
+   />
+
+3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded.
+
+   <APIRequest
+   	path="/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}"
+   	method="DELETE"
+   />