TLS.md: Move the TLS secret misc bit to the TLS document

docs/user-guide/miscellaneous.md

@@ -1,11 +1,5 @@
 # Miscellaneous
 
-## Conventions
-
-Anytime we reference a tls secret, we mean (x509, pem encoded, RSA 2048, etc). You can generate such a certificate with:
-`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"`
-and create the secret via `kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}`
-
 ## Requirements
 
 The default backend is a service which handles all url paths and hosts the nginx controller doesn't understand (i.e., all the requests that are not mapped with an Ingress).

docs/user-guide/tls.md

@@ -9,6 +9,24 @@
 - [Default TLS Version and Ciphers](#default-tls-version-and-ciphers)
 - [Legacy TLS](#legacy-tls)
 
+## TLS Secrets
+
+Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
+
+You can generate a self-signed certificate and private key with with:
+
+```bash
+$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"`
+```
+
+Then create the secret in the cluster via:
+
+```bash
+kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
+```
+
+The resulting secret will be of type `kubernetes.io/tls`.
+
 ## Default SSL Certificate
 
 NGINX provides the option to configure a server as a catch-all with [server_name](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic.