Expand Up @@ -42,7 +42,7 @@ Okta Verify and the Okta plugin support multibrand. Use the following minimum ve

### Multibrand and custom domains

You can create up to three custom domains with multibrand customizations. Increase your limit to 200 custom domains by contacting support.
You can create up to three custom domains in your org with multibrand customizations. The three custom domains limit applies to your entire org. You can only ever have three custom domains, regardless of the number of brands you create. Each custom domain can be associated with only one brand. However, you can increase your limit up to 200 custom domains for your org by contacting support.

You can only visit a branded touchpoint (such as a logo or color) after you map to a custom domain. Create a brand and map it to a custom domain. Then, you can make further customizations, preview them, and publish them. See [Custom domains](/docs/guides/custom-url-domain/main/#about-okta-domain-customization).

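Review bot: the added paragraph in this hunk states the three-domain limit three times ("up to three custom domains in your org", "applies to your entire org", "only ever have three ... regardless of the number of brands") and then contradicts "only ever" with the final sentence about raising the limit to 200. Suggest collapsing it to: "You can create up to three custom domains per org, regardless of how many brands you create. Each custom domain can be associated with only one brand. To raise the limit to 200 custom domains, contact Support." The same paragraph is also pasted into the custom-url-domain guide twice in this PR; keep the full statement in one place and link to it from the others so the copies don't drift.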
Expand Up @@ -24,7 +24,7 @@ For customizing an Okta-managed domain or using your own TLS certificate:

For customizing a domain using your own TLS certificate:

* A valid TLS certificate for your subdomain (2048 bits, 3072 bits, or 4096 bits) (PEM-encoded)
* A valid TLS certificate for your subdomain
* A private key (2048 bits, 3072 bits, or 4096 bits) (PEM-encoded)

For configuring a custom email address:
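Review bot: the replacement certificate bullet drops "(PEM-encoded)" together with the key sizes, but the "Validate your TLS certificate" section later in this file still requires the certificate to be PEM-encoded, so the prerequisite is now incomplete. Suggest `* A valid TLS certificate for your subdomain (PEM-encoded)`. Since the size list on the private-key bullet only makes sense for RSA (the later bullet in this PR says "RSA key sizes"), say "An RSA private key (2048, 3072, or 4096 bits) (PEM-encoded)" here as well, so it is clear which key type the sizes apply to.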
Expand All @@ -42,15 +42,17 @@ For example, you use Okta as a user store for your apps, but you don't want your

> **Note:** Set up a [custom domain](/docs/guides/custom-url-domain/main/) and customize your [CSP (Content security policy)](https://content-security-policy.com/) if you also want to customize the [sign-in page](/docs/guides/custom-widget/main/#content-security-policy-csp-for-your-custom-domain) and [error pages](/docs/guides/custom-error-pages/main/#content-security-policy-csp-for-your-custom-domain).

Okta serves pages on your custom domain over HTTPS. To set up this feature, you need to provide a TLS certificate that is valid for your domain. See [Validate your TLS certificate](#validate-your-tls-certificate).
Okta serves pages on your custom domain over HTTPS. To set up this feature, you need to provide a TLS certificate that’s valid for your domain. See [Validate your TLS certificate](#validate-your-tls-certificate).

You can also [configure a custom email address](#about-custom-email-addresses) to present a branded experience to your end users.

> **Note:** When you create a custom domain, the Okta domain (`company.okta.com`) still works.

### Multibrand and custom domains

You can create up to three custom domains with multibrand customizations and up to 200 custom domains by contacting support to increase your limit.
You can create up to three custom domains with multibrand customizations. The three custom domains limit applies to your entire org. You can only ever have three custom domains, regardless of the number of brands you create. Each custom domain can be associated with only one brand.

> **Note:** However, you can create up to 200 custom domains by contacting support to increase your limit.

You can only preview or visit a branded page after you map it to a custom domain. For example, you can only view brand assets applied to the Okta-hosted sign-in page after you map it to a custom domain. After you create a brand, map it to a custom domain. Then you can make further customizations, preview them, and publish them.

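Review bot: the new sentence "You can only ever have three custom domains, regardless of the number of brands you create" contradicts the note directly below it that the limit can be raised to 200, and a callout that opens with "However," reads oddly on its own. Suggest dropping "only ever" and folding the note into the paragraph: "The limit of three custom domains applies to the whole org, regardless of the number of brands you create, and each custom domain can be associated with only one brand. To raise the limit to 200 custom domains, contact Support."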
Expand Down Expand Up @@ -80,15 +82,15 @@ The third generation of the Okta Sign-In Widget doesn’t guarantee the stabilit

* If you have an Okta-managed certificate and you later get a CAA record, Okta can't renew your certificate. You must either add `letsencrypt.org` to the issuers list or remove the CAA record.

* If you use an Okta-managed certificate, you need to remove [network zones](https://help.okta.com/okta_help.htm?id=ext-network-zones) from your org. If you can't remove network zones, you can create a custom domain using your own TLS certificate. See [Use your own TLS certificate](#use-your-own-tls-certificate).
* If you use an Okta-managed certificate, you need to remove [network zones](https://help.okta.com/okta_help.htm?id=ext-network-zones) from your org. Network zones can potentially interfere with the automatic certificate renewal process. If you can't remove network zones, you can create a custom domain using your own TLS certificate. See [Use your own TLS certificate](#use-your-own-tls-certificate).

* You can't sign in to [Okta Workflows](https://help.okta.com/okta_help.htm?type=wf&id=ext-Okta-workflows) through a custom domain (Okta-managed or using your own TLS certificate). Sign in through your default [Okta domain](/docs/guides/find-your-domain/main/).

* If you use your own TLS certificate, consider the following:

* It can be 2048 bits, 3072 bits, or 4096 bits.
* The RSA key sizes must be 2048 bits, 3072 bits, or 4096 bits.

* It should be signed with the SHA-256 hash algorithm.
* It should be signed with a SHA256, SHA384, or SHA512 hash algorithm.

* It must not be expired.

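Review bot: "Network zones can potentially interfere with the automatic certificate renewal process" is too vague to act on; an admin who has to keep network zones needs to know which configuration breaks renewal. If the cause is that a blocklist or allowlist zone stops the certificate authority's domain-validation requests from reaching the org, say that explicitly. In the certificate bullets, "The RSA key sizes must be" should be singular ("The RSA key size must be 2048, 3072, or 4096 bits"), and the hash names should match the spelling used in the line being replaced ("SHA-256, SHA-384, or SHA-512"). If a certificate signed with SHA-1 is rejected at upload, "should be signed" is really "must be signed" and belongs with the other hard requirements.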
Expand Down Expand Up @@ -127,6 +129,10 @@ The third generation of the Okta Sign-In Widget doesn’t guarantee the stabilit

This method of configuring a custom domain is recommended because Okta manages your certificate renewals in perpetuity. Okta manages certificate renewals through an integration with Let's Encrypt, which is a free certificate authority. The certificate procurement process is free, and also faster and easier than configuring a custom domain with your own TLS certificate.

You can create up to three custom domains in your org. The three custom domains limit applies to your entire org. You can only ever have three custom domains, regardless of the number of brands you create. Each custom domain can be associated with only one brand.

Use the following process to create a custom domain for your org. You can use the same process to add other custom domains.

> **Note:** If your custom domain uses your own TLS certificate and you want to migrate to an Okta-managed certificate, contact [Support](https://support.okta.com/help/s/opencase).

> **Note:** You don't need a [Certificate Authority Authorization (CAA)](https://datatracker.ietf.org/doc/html/rfc6844) record to use an Okta-managed TLS certificate. However, if you do have a CAA record, keep the following in mind:
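Review bot: the paragraph inserted before "Use the following process to create a custom domain for your org" is the third copy of the three-custom-domains text in this PR, and this copy omits the "contact Support to increase the limit to 200" sentence, so a reader of the Okta-managed certificate section is told they can "only ever" have three domains while the Multibrand section above says otherwise. Either replace the copy with a link to the "Multibrand and custom domains" section or keep the paragraph identical in all three places, including the Support sentence.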
Expand Down Expand Up @@ -178,6 +184,8 @@ After you click **Finish**, it may take several minutes before your custom domai

## Use your own TLS certificate

You can create a custom domain that uses your own TLS certificate. Use the following process to create a custom domain with your own TLS certificate for your org. You can use the same process to add other custom domains.

### Validate your TLS certificate

Before starting, make sure that you have the TLS certificate (PEM-encoded) for your subdomain and the private key (2048, 3072, or 4096-bits) (PEM-encoded).
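Review bot: the two new sentences say the same thing twice ("You can create a custom domain that uses your own TLS certificate. Use the following process to create a custom domain with your own TLS certificate"); one sentence is enough, for example "Use the following process to create a custom domain that uses your own TLS certificate. You can repeat it to add other custom domains." The unchanged prerequisite line below still lists key sizes without saying RSA; align it with the "RSA key size" wording this PR introduces in the considerations list.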
Expand Down Expand Up @@ -238,13 +246,13 @@ Before Okta can serve traffic over your domain, add an alias from your custom do

1. Return to your Domain Name registrar and locate the option to modify your DNS records.

1. Paste the CNAME **Host** URL into the appropriate field at the registrar, for example, the **Name** or **Host** field. Often a registrar creates an A record automatically when you create a subdomain. Make sure that the CNAME record and the A record don't have the same name.
2. Paste the CNAME **Host** URL into the appropriate field at the registrar, for example, the **Name** or **Host** field. Often a registrar creates an A record automatically when you create a subdomain. Make sure that the CNAME record and the A record don't have the same name.

> **Note:** Depending on your registrar, you may only need to enter the subdomain part. For example, if you picked the subdomain `id.example.com`, your registrar may only require you to create a CNAME record for `id` (because `.example.com` is implied). If you're not sure, check your registrar's documentation.

1. Paste the CNAME **Value** into the appropriate field at the registrar, for example, the **Record** or **Value** field.
3. Paste the CNAME **Value** into the appropriate field at the registrar, for example, the **Record** or **Value** field.

1. Save the record.
4. Save the record.

Uploading your TLS certificate is the next step in the configuration wizard.

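Review bot: switching the list from repeated "1." to explicit "2.", "3.", "4." changes only the source, not the rendered output, and the first item of this list (outside the hunk) presumably still reads "1."; check the project's style guide before mixing the two conventions. While this line is being touched, "Make sure that the CNAME record and the A record don't have the same name" understates the problem: a CNAME can't coexist with any other record at the same owner name (RFC 1034, section 3.6.2), so if the registrar auto-created an A record for `id`, it has to be deleted, not merely kept distinct. Suggest "If the registrar created an A record for the same name, delete it; a CNAME can't coexist with other records at that name."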
Expand Down Expand Up @@ -348,7 +356,9 @@ To fix this, update your authorization server to use your custom domain:

## About custom email addresses

A custom email address allows you to present a branded experience to your end users. Emails that Okta sends to your end users appear to come from your custom email address instead of `[email protected]`. You can switch to a different custom email address or revert to the default Okta domain, but you can use only one email domain at a time.
A custom email address allows you to present a branded experience to your end users. Emails that Okta sends to your end users appear to come from your custom email address instead of `[email protected]`. You can switch to a different custom email address or revert to the default Okta domain, but you can use only one email domain at a time, per brand.

You can only send emails from a custom email address if you've configured a custom email domain within that brand. Emails with default content are sent if you're using the default Okta domain to send emails from.

Okta sends your super admins a confirmation email after your custom email address is configured and operating correctly. To ensure continuous operation, Okta polls your custom email domain once every 24 hours. If a problem occurs, Okta alerts super admins by email, and Okta-generated emails are sent from the default address `[email protected]` until the problem is resolved.

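Review bot: "Emails with default content are sent if you're using the default Okta domain to send emails from" is ambiguous and ends on a dangling preposition; it's not clear whether "default content" means the default sender address, the default email templates, or both. If the intent is that a brand's email template customizations only take effect once that brand has a custom email domain, say so directly: "Brand customizations to email templates apply only when the brand has a custom email domain configured. Emails sent from the default Okta domain use the default templates." The new "per brand" qualifier on the previous line should also say where the brand is selected, since the rest of the section still reads as if the setting were org-wide.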