diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx index 3a2cf180e8..080b1b9172 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration.mdx @@ -12,8 +12,6 @@ import { Render, APIRequest } from "~/components"; This guide will walk you through how to set up [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html). -You can also find instructions on how to [rollback](#rollback-the-cloudflare-configuration) this setup in Cloudflare. - ## Before you begin - You should already have your AWS account and [EC2](https://docs.aws.amazon.com/ec2/?icmpid=docs_homepage_featuredsvcs) configured. @@ -104,34 +102,6 @@ Make sure your [encryption mode](/ssl/origin-configuration/ssl-modes/) is set to --- -## Rollback the Cloudflare configuration +## Roll back the Cloudflare configuration -1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname. - -", - hostname: "", - }, - ], - }} -/> - -2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step. - - - -3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded. - - + 
diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx index 6db43c686b..c240f32236 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx @@ -9,7 +9,7 @@ description: Authenticated Origin Pulls helps ensure requests to your origin --- -import { FeatureTable } from "~/components" +import { FeatureTable, Render } from "~/components" Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes. @@ -25,6 +25,11 @@ Although Cloudflare provides you a certificate to easily [configure zone-level a Using a custom certificate is possible with both [zone-level](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls and is required if you need your domain to be [FIPS](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards) compliant. +:::note + + +::: + ## Limitations Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**. diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx index 078b75aa33..1494077a08 100644 --- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx 
@@ -67,11 +67,8 @@ You can configure alerts to receive notifications before your AOP certificates e -:::note -[Per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) and [zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) are two separate configurations. Disabling zone-level AOP does not disable per-hostname AOP. -::: - - ## Further options Refer to [Manage certificates](/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options. + +To learn how to remove the configuration, refer to [Rollback](/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/). \ No newline at end of file diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx new file mode 100644 index 0000000000..4c81a82eeb --- /dev/null +++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback.mdx @@ -0,0 +1,18 @@ +--- +pcx_content_type: how-to +title: Roll back per-hostname AOP +sidebar: + order: 4 + label: Rollback +--- + +import { Render } from "~/components"; + +If you need to disable or remove your [per-hostname](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) Authenticated Origin Pulls configuration, follow these steps. + +:::note + + +::: + + diff --git a/src/content/partials/ssl/aop-disablement-callout.mdx b/src/content/partials/ssl/aop-disablement-callout.mdx new file mode 100644 index 0000000000..86ea71de02 --- /dev/null +++ b/src/content/partials/ssl/aop-disablement-callout.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +[Zone-level AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) are two separate configurations. Disabling one does not disable the other. 
diff --git a/src/content/partials/ssl/aop-rollback-hostname-setup.mdx b/src/content/partials/ssl/aop-rollback-hostname-setup.mdx new file mode 100644 index 0000000000..828e194d13 --- /dev/null +++ b/src/content/partials/ssl/aop-rollback-hostname-setup.mdx @@ -0,0 +1,35 @@ +--- +{} +--- + +import { APIRequest } from "~/components"; + +1. Use a [`PUT` request](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname. + + ", + hostname: "", + }, + ], + }} + /> + +2. (Optional) Use a [`GET` request](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step. + + + +3. Use the [Delete hostname client certificate](/api/resources/origin_tls_client_auth/subresources/hostnames/subresources/certificates/methods/delete/) endpoint to remove the certificate you had uploaded. + +
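Review bot: in `aws-alb-integration.mdx`, renaming the heading from `## Rollback the Cloudflare configuration` to `## Roll back the Cloudflare configuration` changes the heading's anchor slug, so any link that still targets `#rollback-the-cloudflare-configuration` will stop resolving. The in-page link is removed in the first hunk of this file, but other pages should be checked for links to the old anchor. Also, with the inline `APIRequest` blocks removed from this file, confirm whether `APIRequest` is still used here; if not, drop it from `import { Render, APIRequest } from "~/components";`.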
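Review bot: in `index.mdx`, the new `:::note` is inserted directly after the custom-certificate and FIPS paragraph, where a callout about disabling zone-level versus per-hostname AOP has no connection to the surrounding text. Consider moving it under `## Limitations` or next to the links to the set-up pages. The updated import line also lacks the trailing semicolon used in the new `rollback.mdx` (`import { Render } from "~/components";`).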
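Review bot: in `per-hostname.mdx`, the added last line is followed by `\ No newline at end of file`; add a trailing newline. This hunk also removes the callout stating that per-hostname and zone-level AOP are separate configurations, which after this patch appears only on the overview and rollback pages. Consider keeping it here through the new `aop-disablement-callout` partial, since this is the page where per-hostname AOP is enabled.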
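Review bot: in the new `rollback.mdx`, the intro ends with "follow these steps" but the next element is the `:::note`, so the callout sits between that sentence and the procedure. Place the steps directly after the intro and move the note below them, or above the intro sentence. The page also describes only the Cloudflare side: disabling AOP stops Cloudflare from presenting the client certificate, so an origin that still requires one will reject the connection. One sentence telling readers to relax client-certificate verification at the origin first would prevent that outage.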
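Review bot: in `aop-rollback-hostname-setup.mdx`, step 2 is labelled `(Optional)` yet states "You will need the ID of the certificate you want to remove for the following step", so step 3 cannot be completed without it unless the reader already has the ID. Reword to something like "If you do not already have the certificate ID, use a `GET` request ..." and drop the `(Optional)` label. In step 3, "the certificate you had uploaded" reads better as "the certificate you uploaded".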