From fa47a3cb42517388dd0de2c083542d9783834160 Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Wed, 4 Apr 2018 13:43:17 -0400 Subject: [PATCH] Add more information about custom CA certificates per BZ --- install_config/redeploying_certificates.adoc | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/install_config/redeploying_certificates.adoc b/install_config/redeploying_certificates.adoc index 0d5c8bfd5a88..aaca193c35a2 100644 --- a/install_config/redeploying_certificates.adoc +++ b/install_config/redeploying_certificates.adoc @@ -318,7 +318,7 @@ still valid. To redeploy a newly generated or custom CA: . If you want to use a custom CA, set the following variable in your inventory -file: +file. To use the current CA, skip this step. + ---- # Configure custom ca certificate @@ -329,8 +329,15 @@ file: openshift_master_ca_certificate={'certfile': '', 'keyfile': ''} ---- + -If you do not set the above, then the current CA will be regenerated in the next -step. +If the CA certificate is issued by an intermediate CA, the bundled certificate must contain +the full chain (the intermediate and root certificates) for the CA in order to validate child certificates. ++ +For example: ++ +---- +$ cat intermediate/certs/intermediate.cert.pem \ + certs/ca.cert.pem >> intermediate/certs/ca-chain.cert.pem +---- . Run the *_redeploy-openshift-ca.yml_* playbook, specifying your inventory file: +
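Review bot: the example command in the second hunk uses `>>`, so every re-run appends another copy of the intermediate and root certificates to `intermediate/certs/ca-chain.cert.pem`; use `>` so the bundle is (re)created with exactly one copy of each, i.e. `$ cat intermediate/certs/intermediate.cert.pem \` followed by `certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem`. The new paragraph also never says where the bundle goes: add a sentence stating that `certfile` in `openshift_master_ca_certificate` must point at the chain file built here, not at the bare intermediate certificate, since that is the file the text says must contain the full chain. Finally, the removed line "If you do not set the above, then the current CA will be regenerated in the next step." was the only statement of what happens when the variable is unset, and the replacement in the first hunk ("To use the current CA, skip this step.") says the CA is used rather than regenerated; confirm that this change in meaning is intended by the BZ rather than an accidental loss.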