From ff0c830115abf4ab12c999099ce956a01f345814 Mon Sep 17 00:00:00 2001 From: egoncalv Date: Thu, 3 Jun 2021 10:23:18 -0300 Subject: [PATCH] Remote CLI: Client container doesn't trust the CA. Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv Change-Id: I27aab71790f8f21099189b8c2557627203186e9d --- ...starlingx-rest-and-web-server-certificate.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst index b89bfd0c9..0176d4cd9 100644 --- a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst +++ b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst @@ -26,6 +26,22 @@ certificates. Put the |PEM| encoded versions of the certificate and key in a single file, and copy the file to the controller host. +.. note:: + If you plan to use the container-based remote CLIs, due to a limitation + in the Python2 SSL certificate validation, the certificate used for the + 'ssl' certificate must either have: + + #. CN=IPADDRESS and SANs=empty + + or + + #. CN=FQDN and SANs=FQDN + + where IPADDRESS and FQDN are for the OAM Floating IP Address. + + We recommend that you use the option 2, as CN is technically a deprecated + field in the certificate. + .. rubric:: |proc| - Install/update the copied certificate.
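Review bot: In the added note, the two alternatives are each written as `#.` with a separate "or" paragraph between them, so reStructuredText closes the first auto-numbered list at "or" and starts a new one, and both items render as "1."; the closing sentence "We recommend that you use the option 2" then refers to a number that never appears. Suggest keeping both alternatives in one enumerated list (fold the "or" into the end of the first item) or naming the choice directly, for example "We recommend the CN=FQDN and SANs=FQDN form". Two wording points in the same note: "the certificate used for the 'ssl' certificate" repeats itself and could read "the certificate installed as the 'ssl' certificate", and "CN is technically a deprecated field" would be more accurate as a statement that matching the host name against the CN is deprecated in favor of SANs. It would also help to say that a certificate with CN=IPADDRESS and empty SANs can be rejected by clients that check only SANs, since this certificate also serves the web server.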