From 6a197095068ee31f9108565823c59aa32b38d359 Mon Sep 17 00:00:00 2001 From: Stuart Clements Date: Wed, 18 Sep 2019 08:57:38 +0200 Subject: [PATCH] Corrections in certificates docs (#2513) * Corrections in certificates docs * Comments from Jun --- docs/user_doc/vic_vsphere_admin/vch_cert_reqs.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/docs/user_doc/vic_vsphere_admin/vch_cert_reqs.md b/docs/user_doc/vic_vsphere_admin/vch_cert_reqs.md index a83192a5db..d5bf31835f 100644 --- a/docs/user_doc/vic_vsphere_admin/vch_cert_reqs.md +++ b/docs/user_doc/vic_vsphere_admin/vch_cert_reqs.md @@ -100,7 +100,7 @@ For information about how to automatically generate a server certificate during Custom server certificates for VCHs must meet the following requirements: - You must use an X.509 server certificate. -- The Common Name (CN) in the server certificate must match the FQDN or IP address of the system from which the Docker client accesses the server, or a wildcard domain that matches all of the FQDNs in a specific subdomain. +- The Common Name (CN) in the server certificate must match the FQDN or IP address of the system from which the Docker client accesses the server, or a wildcard domain that matches all of the FQDNs in a specific subdomain. - Server certificates must have the following certificate usages: - `KeyEncipherment` - `DigitalSignature` @@ -110,8 +110,6 @@ Custom server certificates for VCHs must meet the following requirements: If you use certificates that are not signed by a trusted certificate authority, container developers might require the server certificate when they run Docker commands in `--tlsverify` client mode. You can download the server certificate for a VCH from the vSphere Client. For information about downloading server certificates, see [View All VCH and Container Information in the HTML5 vSphere Client](access_h5_ui.md). -For information about how to upload custom client certificates during VCH deployment, see the section [Server Certificates](vch_cert_options.md#server) in *Virtual Container Host Certificate Options*. - ## VCH Client Certificate vSphere Integrated Containers Management Portal uses a client certificate to authenticate with the VCH when you add it to a project. @@ -128,17 +126,13 @@ For information about how to automatically generate a client certificate during ### Custom Client Certificate -For the VCH to trust the CA that you use to sign the client certificate, the CA must include the following elements: - -- The name or address of the system from which the Docker client accesses the server in the subject or subject alternative name. This can be an FQDN or a wildcard domain. -- Key usage in the v3 extensions that match the key usage chosen for the VCH server certificate: +Key usage in the v3 extensions that match the key usage chosen for the VCH server certificate: - `KeyEncipherment` - `KeyAgreement` + - `clientAuth` You cannot download client certificates for VCHs from the vSphere Client. vSphere administrators distribute client certificates directly. -For information about how to upload custom client certificates during VCH deployment, see the section [Client Certificates](vch_cert_options.md#client) in *Virtual Container Host Certificate Options*. - ## vSphere Integrated Containers Registry Root CA VCH requires registry root CA to pull images from vSphere Integrated Containers Registry