Include configuration explanation for intermediate TLS certificates

Intermediate certificates are issued by TLS providers who themselves are
an intermediate of a certificate in the trust store. Therefore, to prove
the chain of trust is valid, you need to include their certificate as
well as yours when you send your certificate to the client.

Contrary to what I said in issue #683, distribution can handle these
certificate bundles like nginx. As discussed in #docker-distribution,
I have updated the deployment documentation (which recommends the use of
a TLS certificate from a provider) to include instructions on how to
handle the intermediate certificate when a user is configuring
distribution.

Signed-off-by: Luke Carpenter <x@rubynerd.net>
This commit is contained in:
Luke Carpenter 2015-07-09 23:28:08 +01:00
parent bdcae0597f
commit 58e5c619ac

View file

@ -89,6 +89,8 @@ docker run -d -p 5000:5000 \
registry:2 registry:2
``` ```
If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable.
**Pros:** **Pros:**
- best solution - best solution