From 6cb4b004da05a0d40819c4c2c0be2e660a9a1dda Mon Sep 17 00:00:00 2001 From: Jim Galasyn Date: Wed, 12 Jul 2017 12:12:48 -0700 Subject: [PATCH] Add note about certs on CentOS (#3873) * Add note about certs on CentOS * Incorporate feedback --- notary/running_a_service.md | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/notary/running_a_service.md b/notary/running_a_service.md index 273b65dc6f..6ccb48594a 100644 --- a/notary/running_a_service.md +++ b/notary/running_a_service.md @@ -200,6 +200,44 @@ environment. The sample private key files in the Notary repository are obviously public knowledge and using them in a production deployment is highly insecure. +### Certificates on CentOS + +For CentOS 6 and CentOS 7, use the following steps to add trusted root +certificates. + +1. Install the `ca-certificates` package: + + ```bash + $ yum install ca-certificates + ``` + +2. Use the `update-ca-trust` command with the `force-enable` option + to enable dynamic CA configuration: + + ```bash + $ update-ca-trust force-enable + ``` + +3. Copy the certificate to the `/etc/pki/ca-trust/source/anchors/` directory: + + ```bash + $ cp your-cert.crt /etc/pki/ca-trust/source/anchors/` + ``` + +4. Use the `update-ca-trust` command to produce updated versions of the + consolidated configuration files: + + ```bash + $ update-ca-trust extract + ``` + +For CentOS 5, just add your certificate to the bundle. Append your trusted +certificate to the bundle file at `/etc/pki/tls/certs/ca-bundle.crt`: + +```bash +$ cat your-cert.crt >> /etc/pki/tls/certs/ca-bundle.crt +``` + ### Databases The server and signer each require a database. These should be separate databases
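Review bot: The `cp` command in step 3 of the new "Certificates on CentOS" section has a stray trailing backtick inside the fenced block (`$ cp your-cert.crt /etc/pki/ca-trust/source/anchors/``), which renders as part of the command and would fail if pasted; drop the trailing backtick so the line reads `$ cp your-cert.crt /etc/pki/ca-trust/source/anchors/`. A second point on the same hunk: the CentOS 5 instructions append directly to `/etc/pki/tls/certs/ca-bundle.crt`, a file owned by the `ca-certificates` package, so a later package update can overwrite the bundle and silently remove the added trust anchor; a short sentence telling readers to re-check that file after updates would make the section safer to follow. Minor: the `$` prompts on `yum install`, `update-ca-trust` and the write into `/etc/pki` suggest an unprivileged shell, but all of these require root, so `#` prompts or a note to run as root would be more accurate.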