diff --git a/docs/reference/api/docker_remote_api_v1.24.md b/docs/reference/api/docker_remote_api_v1.24.md index ad29ae10ff..d745a021a6 100644 --- a/docs/reference/api/docker_remote_api_v1.24.md +++ b/docs/reference/api/docker_remote_api_v1.24.md @@ -3644,8 +3644,15 @@ JSON Parameters: election. - **Dispatcher** – Configuration settings for the task dispatcher. - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher. - - **CAConfig** – CA configuration. + - **CAConfig** – Certificate authority configuration. - **NodeCertExpiry** – Automatic expiry for nodes certificates. + - **ExternalCA** - Configuration for forwarding signing requests to an external + certificate authority. + - **Protocol** - Protocol for communication with the external CA + (currently only "cfssl" is supported). + - **URL** - URL where certificate signing requests should be sent. + - **Options** - An object with key/value pairs that are interpreted + as protocol-specific options for the external CA driver. ### Join an existing Swarm @@ -3792,6 +3799,13 @@ JSON Parameters: - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher. - **CAConfig** – CA configuration. - **NodeCertExpiry** – Automatic expiry for nodes certificates. + - **ExternalCA** - Configuration for forwarding signing requests to an external + certificate authority. + - **Protocol** - Protocol for communication with the external CA + (currently only "cfssl" is supported). + - **URL** - URL where certificate signing requests should be sent. + - **Options** - An object with key/value pairs that are interpreted + as protocol-specific options for the external CA driver. ## 3.8 Services diff --git a/docs/reference/api/docker_remote_api_v1.25.md b/docs/reference/api/docker_remote_api_v1.25.md index 284f2d5cab..859cbf9cb8 100644 --- a/docs/reference/api/docker_remote_api_v1.25.md +++ b/docs/reference/api/docker_remote_api_v1.25.md 
@@ -3645,8 +3645,15 @@ JSON Parameters: election. - **Dispatcher** – Configuration settings for the task dispatcher. - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher. - - **CAConfig** – CA configuration. + - **CAConfig** – Certificate authority configuration. - **NodeCertExpiry** – Automatic expiry for nodes certificates. + - **ExternalCA** - Configuration for forwarding signing requests to an external + certificate authority. + - **Protocol** - Protocol for communication with the external CA + (currently only "cfssl" is supported). + - **URL** - URL where certificate signing requests should be sent. + - **Options** - An object with key/value pairs that are interpreted + as protocol-specific options for the external CA driver. ### Join an existing Swarm @@ -3793,6 +3800,13 @@ JSON Parameters: - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher. - **CAConfig** – CA configuration. - **NodeCertExpiry** – Automatic expiry for nodes certificates. + - **ExternalCA** - Configuration for forwarding signing requests to an external + certificate authority. + - **Protocol** - Protocol for communication with the external CA + (currently only "cfssl" is supported). + - **URL** - URL where certificate signing requests should be sent. + - **Options** - An object with key/value pairs that are interpreted + as protocol-specific options for the external CA driver. ## 3.8 Services diff --git a/docs/reference/commandline/swarm_init.md b/docs/reference/commandline/swarm_init.md index 35b77e4e2b..e8b752bd64 100644 --- a/docs/reference/commandline/swarm_init.md +++ b/docs/reference/commandline/swarm_init.md 
@@ -17,6 +17,7 @@ parent = "smn_cli" Options: --auto-accept value Acceptance policy (default [worker,manager]) + --external-ca value Specifications of one or more certificate signing endpoints --force-new-cluster Force create a new cluster from current state. --help Print usage --listen-addr value Listen address (default 0.0.0.0:2377) @@ -34,7 +35,7 @@ ID NAME MEMBERSHIP STATUS AVAILABILITY MANAGER 1ujecd0j9n3ro9i6628smdmth * manager1 Accepted Ready Active Reachable Yes ``` -### --auto-accept value +### `--auto-accept value` This flag controls node acceptance into the cluster. By default, both `worker` and `manager` nodes are auto accepted by the cluster. This can be changed by specifing what kinds of nodes @@ -49,6 +50,13 @@ $ docker swarm init --listen-addr 192.168.99.121:2377 --auto-accept worker Swarm initialized: current node (1m8cdsylxbf3lk8qriqt07hx1) is now a manager. ``` +### `--external-ca value` + +This flag sets up the swarm to use an external CA to issue node certificates. The value takes +the form `protocol=X,url=Y`. The value for `protocol` specifies what protocol should be used +to send signing requests to the external CA. Currently, the only supported value is `cfssl`. +The URL specifies the endpoint where signing requests should be submitted. + ### `--force-new-cluster` This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data diff --git a/docs/reference/commandline/swarm_update.md b/docs/reference/commandline/swarm_update.md index 6d77bd7234..7bbd270364 100644 --- a/docs/reference/commandline/swarm_update.md +++ b/docs/reference/commandline/swarm_update.md 
@@ -17,6 +17,7 @@ parent = "smn_cli" Options: --auto-accept value Auto acceptance policy (worker, manager or none) + --external-ca value Specifications of one or more certificate signing endpoints --dispatcher-heartbeat duration Dispatcher heartbeat period (default 5s) --help Print usage --secret string Set secret value needed to accept nodes into cluster
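Review bot: The new **ExternalCA**, **Protocol**, **URL** and **Options** entries in the `@@ -3644` hunk of docker_remote_api_v1.24.md (and the matching `@@ -3645` hunk of docker_remote_api_v1.25.md) separate the name from the description with a hyphen (`-`), while the neighbouring entries, including the reworded **CAConfig** line in the same hunk, use an en dash (`–`). Use the en dash so the list is consistent. The entry also describes ExternalCA as a single configuration, whereas the option help added to swarm_init.md says "one or more certificate signing endpoints"; state here whether the field holds one object or a list.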
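Review bot: In the `@@ -3792` hunk of docker_remote_api_v1.24.md and the `@@ -3793` hunk of docker_remote_api_v1.25.md, the context line above the addition still reads `**CAConfig** – CA configuration.`, although the first hunk in each file rewords the same entry to "Certificate authority configuration." Apply the rewording here as well so the two parameter lists in each file match.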
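Review bot: The `--external-ca value` section added in the `@@ -49,6 +50,13` hunk of swarm_init.md gives the form `protocol=X,url=Y` but no example invocation, unlike the `--auto-accept` section directly above it, and it does not say how to pass more than one endpoint even though the option help added in the same file reads "one or more certificate signing endpoints". Add an example command and the multi-endpoint syntax. Because node certificates are issued through this endpoint, the section should also document which URL schemes are accepted, how the swarm authenticates the external CA, and how the **Options** key/value pairs described in the API reference are supplied on the command line.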
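Review bot: In the `@@ -17,6 +17,7` hunk of swarm_update.md, `--external-ca` is inserted between `--auto-accept` and `--dispatcher-heartbeat`, which breaks the alphabetical order of the option list; move it below `--dispatcher-heartbeat`. The visible diff for this file also adds no `--external-ca value` section like the one added to swarm_init.md, so the flag is listed without a description; add one or point to the swarm_init.md text.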