Add d4mac client side FAQ

[londoncalling]

What's changed

-Added an FAQ re: client side certificates on Docker for Mac

Related

docker/for-mac#1320 (comment)

Netlify preview direct links

Docker for Mac FAQ on client-side certs

Update to Docker for Mac FAQ on server side CA certificates per @YanLi

Docker for Windows FAQ on client-side certs

Reviewers

@matthewbarr @ebriney @friism @YangLi @mstanleyjones @JimGalasyn

Signed-off-by: Victoria Bialas victoria.bialas@docker.com

[ebriney]

@londoncalling, it works on windows too

[londoncalling]

Thanks @ebriney I'll add it to both sets of docs. @YangLi is testing and helping to review the docs.

[londoncalling]

@ebriney @YangLi @mstanleyjones @friism Please review this carefully, via the Netlify links provided.

• For Docker for Mac, I pulled the topics on adding certificates into the Getting Started: Adding security certificates (The FAQ topics are still there but they link to the Getting Started topics.)

• For Docker for Windows, I left the topics in the FAQs for now (How do I add custom CA certificates? and How do I add client certificates?). My main concern here is whether what I have is accurate for Docker for Windows? How much more or different examples and information should we have for Windows? I didn't provide as much information for Windows as for Mac because I wasn't sure if what I have applies.

[cyli]

I wonder if it'd be useful to link to https://docs.docker.com/engine/security/certificates/? That document has more details about the directory structure for /etc/docker/certs.d

[cyli]

Should this say something like "...it copies the ~/.docker/certs.d folder on your Mac to the com.docker.driver.amd64-linux/etc/docker/certs.d directory in the database." instead? Also, I'm not sure if mentioning the database is helpful for folks who weren't doing git commands before.

Maybe "...it copies the ~/.docker/certs.d folder on your Mac into the /etc/docker/certs.d directory in the xhyve VM." ?

[cyli]

Since ~/docker/certs.d/<MyRegistry>:<Port>/client.key etc. was mentioned above, for consistency do we want to change the folder name from 192.168.203.139:5858 to <MyRegistry>:<Port>?

Alternately, since https://docs.docker.com/engine/security/certificates/#creating-the-client-certificates uses "localhost:5000" as the hostname with port, maybe we should use that instead? Similar with the example below.

[cyli]

Perhaps "Adding TLS certificates" instead of "security certificates"?

[londoncalling]

@cyli Thanks for your review, I've incorporated all of your comments. Have a look if you get a chance. I'm still a little worried about the Windows side of it, but if I don't get any other comments, I'll merge this and figure users will send questions or comments once it's published.

[JimGalasyn]

"Docker for Mac" -> "Docker for Windows"

[londoncalling]

Got it, thanks, @JimGalasyn

[cyli]

Apologies, one more nitpick: it's not clear what "these entities" refer to. Maybe this sentence can be:

"You can add CA certificates (used to verify registry server certificates) and client certificates (used to authenticate to registries) to your docker daemon."

Or something like that?

[londoncalling]

@cyli makes sense, I'll change that now. I made some more updates, I think it's looking pretty good.

[londoncalling]

LGTM

[zadeluca]

@ebriney You confirmed this works for Windows as well? I think I am doing exactly what the FAQ describes but can't make it work, and am left scratching my head. Do you have any clues about what might be wrong? Thanks (I also posted my question to the forum https://forums.docker.com/t/using-client-certificates/41364)