From 58e5c619acb2a5cc8520f6aadd34c7f1d1b308ae Mon Sep 17 00:00:00 2001 From: Luke Carpenter Date: Thu, 9 Jul 2015 23:28:08 +0100 Subject: [PATCH] Include configuration explanation for intermediate TLS certificates Intermediate certificates are issued by TLS providers who themselves are an intermediate of a certificate in the trust store. Therefore, to prove the chain of trust is valid, you need to include their certificate as well as yours when you send your certificate to the client. Contrary to what I said in issue #683, distribution can handle these certificate bundles like nginx. As discussed in #docker-distribution, I have updated the deployment documentation (which recommends the use of a TLS certificate from a provider) to include instructions on how to handle the intermediate certificate when a user is configuring distribution. Signed-off-by: Luke Carpenter --- docs/deploying.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/deploying.md b/docs/deploying.md index 5ab01ba4..09adac6d 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -89,6 +89,8 @@ docker run -d -p 5000:5000 \ registry:2 ``` +If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable. + **Pros:** - best solution
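Review bot: The added paragraph should state that the order of the files in the `cat` command matters (the server certificate first, then the intermediate), since the example relies on that ordering without saying so, and a reader who reverses it will produce a bundle that clients reject. The phrase "such as Gandi" is also misplaced and reads as an example of an intermediate certificate rather than of an issuer; suggest "If your certificate issuer (for example, Gandi) supplies an 'intermediate' certificate, ..." and note that `GandiStandardSSLCA2.pem` is that provider's file name, to be replaced with the intermediate the reader's own issuer supplied. The triple-backtick fences used inline for the `cat` command and the `REGISTRY_HTTP_TLS_CERTIFICATE` variable should be single backticks, matching the inline-code style used elsewhere in `docs/deploying.md`, and the new file name `server.with-intermediate.crt` should be tied back to the `docker run` example above the hunk so the reader knows which path to pass to the registry.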