From 451a01bb0a2a470bf9ea8b44312769aa4f3bd51e Mon Sep 17 00:00:00 2001 From: Aarni Koskela Date: Wed, 2 May 2018 17:11:20 +0300 Subject: [PATCH] TLS.md: Move the TLS secret misc bit to the TLS document --- docs/user-guide/miscellaneous.md | 6 ------ docs/user-guide/tls.md | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index d8b06ce78..d184bc2b1 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -1,11 +1,5 @@ # Miscellaneous -## Conventions - -Anytime we reference a tls secret, we mean (x509, pem encoded, RSA 2048, etc). You can generate such a certificate with: -`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"` -and create the secret via `kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}` - ## Requirements The default backend is a service which handles all url paths and hosts the nginx controller doesn't understand (i.e., all the requests that are not mapped with an Ingress). diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md index 93db6499d..b8fdf88b5 100644 --- a/docs/user-guide/tls.md +++ b/docs/user-guide/tls.md 
@@ -9,6 +9,24 @@ - [Default TLS Version and Ciphers](#default-tls-version-and-ciphers) - [Legacy TLS](#legacy-tls) +## TLS Secrets + +Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret. + +You can generate a self-signed certificate and private key with with: + +```bash +$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"` +``` + +Then create the secret in the cluster via: + +```bash +kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE} +``` + +The resulting secret will be of type `kubernetes.io/tls`. + ## Default SSL Certificate NGINX provides the option to configure a server as a catch-all with [server_name](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic.
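Review bot: In the miscellaneous.md hunk, removing the `## Conventions` heading also removes the `#conventions` anchor; any other page that links to `miscellaneous.md#conventions` will now land on the top of the file without a warning, so grep the docs for that anchor and repoint it at the new `tls.md#tls-secrets` section in the same change.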
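Review bot: In the tls.md hunk, the first `openssl` line inside the ```bash fence still ends with a stray backtick (`-subj "/CN=${HOST}/O=${HOST}"` followed by a lone backtick), carried over from the inline-code form in miscellaneous.md; it will be rendered literally and break copy-paste, so drop it. Two smaller things in the same hunk: the sentence "You can generate a self-signed certificate and private key with with:" doubles "with", and the first code block carries a `$ ` prompt while the `kubectl` block does not, so pick one form for both. Finally, the context lines just above show the page's table of contents ending at `- [Legacy TLS](#legacy-tls)`; since the new `## TLS Secrets` section is inserted right after it, add a matching `- [TLS Secrets](#tls-secrets)` entry to the list so the section is discoverable. It would also be worth a short sentence noting that `-nodes` writes the private key unencrypted, so `${KEY_FILE}` should be handled as a secret and deleted once `kubectl create secret tls` has stored it.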