diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/desktop-access/active-directory-manual.mdx index aeb50786be3c8..ed61d54b6191d 100644 --- a/docs/pages/desktop-access/active-directory-manual.mdx +++ b/docs/pages/desktop-access/active-directory-manual.mdx @@ -189,14 +189,12 @@ These steps will need to be repeated if Teleport's user certificate authority is -1. Get the Teleport user CA certificate by running: +Get the Teleport user CA certificate by running the following in the Windows machine where you can manage your group policy, assigning to the address of your Teleport Proxy Service: ```code -$ tctl auth export --type=windows > user-ca.cer +$ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer ``` -2. Transfer the `user-ca.cer` file to a Windows machine where you can manage your group policy. - Take note of the path to the `user-ca.cer` file, as you will need this in the next step. diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx index b238be628060a..0257dfa4c6e1f 100644 --- a/docs/pages/desktop-access/getting-started.mdx +++ b/docs/pages/desktop-access/getting-started.mdx @@ -47,14 +47,12 @@ to your Windows system, and prepare it for passwordless access through Teleport. ### Import the Teleport root certificate -Use `tctl` to export the Teleport user certificate authority: +Export the Teleport user certificate authority by running the following from your Windows system: ```code -$ tctl auth export --type=windows > teleport.cer +$ curl 'https://teleport-proxy.example.com:443/webapi/auth/export?type=windows' > teleport.cer ``` -Copy this certificate to your Windows system, if you didn't run `tctl` from there. - ### Install the Teleport service for Windows From the Windows system, download the [Teleport Windows Auth diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index c572bf1b96127..551b6e561b156 100644 
--- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx @@ -56,29 +56,12 @@ This means that the host does not trust the Teleport CA. First, make sure that you [import the Teleport CA into Group Policy](./active-directory-manual.mdx#create-another-gpo-and-import-the-teleport-ca). Note that if the Teleport CA was rotated since the last import, you will have to fetch the -new CA using the following command: - - - -```code -# Log in to your cluster with tsh so you can use tctl from your local machine. -# You can also run tctl on your Auth Service host without running "tsh login" -# first. -$ tsh login --proxy=teleport.example.com --user=myuser -$ tctl auth export --type=windows >user-ca.cer -``` - - - +new CA using the following command, assigning to the address of your Teleport Proxy Service: ```code -# Log in to your Teleport cluster so you can use tctl remotely. -$ tsh login --proxy=mytenant.teleport.sh --user=myuser -$ tctl auth export --type=windows >user-ca.cer +$ curl 'https:///webapi/auth/export?type=windows' > user-ca.cer ``` - - If that doesn't help, log into the target host directly, open PowerShell and run `gpupdate.exe /force`. This forces a Group Policy sync and should pick up the new CA. diff --git a/docs/pages/management/guides/ssh-key-extensions.mdx b/docs/pages/management/guides/ssh-key-extensions.mdx index 37bc899a7212e..805af70e10ce4 100644 --- a/docs/pages/management/guides/ssh-key-extensions.mdx +++ b/docs/pages/management/guides/ssh-key-extensions.mdx 
@@ -13,29 +13,12 @@ Teleport supports exporting user SSH certificates with configurable key extensio ## Step 1/3. Import the Teleport CA into GitHub -In order to export the Teleport CA, execute the following command: - - - -```code -# Log in to your cluster with tsh so you can use tctl from your local machine. -# You can also run tctl on your Auth Service host without running "tsh login" -# first. -$ tsh login --proxy=teleport.example.com --user=myuser -$ tctl auth export --type=user | sed 's/^cert-authority //g' -``` - - - +In order to export the Teleport CA, execute the following command, assigning to the address of your Teleport Proxy Service: ```code -# Log in to your Teleport cluster so you can use tctl remotely. -$ tsh login --proxy=mytenant.teleport.sh --user=myuser -$ tctl auth export --type=user | sed 's/^cert-authority //g' +$ curl 'https:///webapi/auth/export?type=user' | sed 's/^cert-authority //g' ``` - - Next, follow the instructions in the guide below to import your Teleport CA into GitHub: [Managing your organization's SSH certificate authorities](https://docs.github.com/en/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities) diff --git a/docs/pages/server-access/guides/openssh.mdx b/docs/pages/server-access/guides/openssh.mdx index ed76283e4517b..1a1a30044e1f4 100644 --- a/docs/pages/server-access/guides/openssh.mdx +++ b/docs/pages/server-access/guides/openssh.mdx 
@@ -38,21 +38,10 @@ certificates generated by the Teleport Auth Service. Start by exporting the Teleport CA public key. -On your local machine, print the Teleport certificate authority certificate to -stdout: +On the host where you are running `sshd`, run the following commands, assigning to the address of your Teleport Proxy Service: ```code -$ tctl auth export --type=user | sed "s/cert-authority\ //" -``` - -Copy the output. - -On the host where you are running `sshd`, run the following commands. - -Assign the output of the `tctl auth export` command to an environment variable: - -```code -$ export KEY="" +$ export KEY=$(curl 'https:///webapi/auth/export?type=user' | sed "s/cert-authority\ //") ``` Make the public key accessible to `sshd`: @@ -508,4 +497,4 @@ $ ssh -F ssh_config_teleport ${USER?}@node2.leafcluster.${CLUSTER} To revoke the current Teleport CA and generate a new one, run `tctl auth rotate`. Unless you've highly automated your infrastructure, we would suggest you proceed with caution as this will invalidate the user -and host CAs, meaning that the new CAs will need to be exported to every OpenSSH-based machine again using `tctl auth export` as above. +and host CAs, meaning that the new CAs will need to be exported to every OpenSSH-based machine again using `curl .../auth/export` as above. diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index b376ca3f6a5dd..bfb464f0b0afe 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx +++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx 
@@ -120,11 +120,10 @@ auth_service: by the Teleport User CA. Start by exporting the Teleport CA public key. On your Teleport Node, export the Teleport Certificate Authority certificate -into a file and update your SSH configuration to trust Teleport's CA: +into a file and update your SSH configuration to trust Teleport's CA. Assign to the address of your Teleport Proxy Service: ```code -# tctl needs to be run on the Auth Server. -$ sudo tctl auth export --type=user | sed s/cert-authority\ // > teleport_user_ca.pub +$ curl 'https:///webapi/auth/export?type=user' | sed s/cert-authority\ // > teleport_user_ca.pub $ sudo mv ./teleport_user_ca.pub /etc/ssh/teleport_user_ca.pub $ echo "TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub" | sudo tee -a /etc/ssh/sshd_config ```
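Review bot: In docs/pages/desktop-access/active-directory-manual.mdx (hunk at -189,14) the added sentence reads "assigning to the address of your Teleport Proxy Service" with no placeholder name, and the URL is `https:///webapi/auth/export?type=windows` with an empty host. The same gap appears in the added lines of troubleshooting.mdx, ssh-key-extensions.mdx, openssh.mdx and recording-proxy-mode.mdx, while getting-started.mdx hardcodes `teleport-proxy.example.com:443` instead. Please confirm the placeholder renders in both the sentence and the command, and use one consistent form across all six files. Minor wording: "in the Windows machine" should be "on the Windows machine".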
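Review bot: In docs/pages/desktop-access/getting-started.mdx (hunk at -47,14) the command is now meant to be run "from your Windows system" but is written in POSIX shell form: `curl '...' > teleport.cer`. In Windows PowerShell 5.1 `curl` is an alias for Invoke-WebRequest and `>` re-encodes redirected output as UTF-16, and cmd.exe does not treat single quotes as quoting. Suggest calling the binary explicitly and letting it write the file, for example `curl.exe --fail -o teleport.cer "https://teleport-proxy.example.com:443/webapi/auth/export?type=windows"`. The same applies to the active-directory-manual.mdx hunk, which also targets a Windows machine.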
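Review bot: In docs/pages/desktop-access/troubleshooting.mdx (hunk at -56,29) the removed instructions required `tsh login` before exporting, while the added `curl` line carries no credentials, so the integrity of `user-ca.cer` now rests entirely on TLS validation of the Proxy Service certificate. Since this file is imported into Group Policy as a trust root, the text should say that the request must succeed with certificate verification enabled and should not be retried with verification turned off. Consider also telling readers to compare the downloaded file against one obtained with `tctl auth export --type=windows` when they have that access.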
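Review bot: In docs/pages/server-access/guides/openssh.mdx (hunk at -38,21) the line `export KEY=$(curl '...' | sed "s/cert-authority\ //")` has no failure handling: without `--fail`, an HTTP error body is passed through `sed` into `KEY`, and the pipeline's exit status is that of `sed`, not `curl`. The next step hands `KEY` to `sshd` as a trusted CA, so suggest `curl --fail --silent --show-error` and a check that `KEY` is non-empty before "Make the public key accessible to `sshd`". In the second hunk (-508,4), `curl .../auth/export` drops the `/webapi` prefix and the `type=` parameter; spelling out the path would avoid readers guessing.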
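Review bot: In docs/pages/server-access/guides/recording-proxy-mode.mdx (hunk at -120,11) the downloaded file goes straight from `curl ... > teleport_user_ca.pub` to `sudo mv` into /etc/ssh and is then referenced by `TrustedUserCAKeys`, with nothing confirming it is a public key. Suggest adding `--fail` to the `curl` call and a validation step such as `ssh-keygen -l -f teleport_user_ca.pub` before the `sudo mv` line, so an error page or empty response never lands in the `sshd` trust configuration. The `sed` expression is also unquoted here (`sed s/cert-authority\ //`) while openssh.mdx quotes it; quoting it the same way keeps the two guides consistent.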