openshift · mburke5678 · Apr 12, 2018 · Apr 12, 2018
diff --git a/install_config/registry/deploy_registry_existing_clusters.adoc b/install_config/registry/deploy_registry_existing_clusters.adoc
@@ -383,6 +383,52 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
 ----
 ====
 +
+- The secured registry should contain the following Subject Alternative Names (SAN) list:
++
+* Two service hostnames.
++
+For example:
++
+----
+docker-registry.default.svc.cluster.local
+docker-registry.default.svc
+----
++
+* Service IP address. 
++
+For example:
++
+----
+172.30.124.220
+----
++
+Use the following command to get the Docker registry service IP address:
++
+----
+oc get service docker-registry --template='{{.spec.clusterIP}}'
+----
++
+* Public hostname. 
++
+For example:
++
+----
+docker-registry-default.apps.example.com
+----
++
+Use the following command to get the Docker registry public hostname:
++
+----
+oc get route docker-registry --template '{{.spec.host}}'
+----
++
+For example, the server certificate should contain SAN details similar to the following: 
++
+----
+X509v3 Subject Alternative Name:
+               DNS:docker-registry-public.openshift.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.2.98, IP Address:172.30.2.98
+----
++
 The registry console loads a certificate from the *_/etc/cockpit/ws-certs.d_*
 directory. It uses the last file with a *_.cert_* extension in alphabetical
 order. Therefore, the *_.cert_* file should contain at least two PEM blocks formatted in the OpenSSL style.