From c184d875586a0ff383d1f654b8004fbb383e4649 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.org>
Date: Fri, 26 Jun 2020 15:39:57 +0200
Subject: [PATCH] DOC: ssl: update the documentation of "commit ssl cert"

Update the documentation of "commit ssl cert" in management.txt to
explain the behavior with new certificates.
---
 doc/management.txt | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/doc/management.txt b/doc/management.txt
index 181dcf904..00ce3909e 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1500,14 +1500,23 @@ clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
     >>> # table: http_proxy, type: ip, size:204800, used:1
 
 commit ssl cert <filename>
-  Commit and apply a temporary SSL certificate update transaction.
-  Generate every SSL contextes and SNIs it needs, insert them, and remove
-  the previous ones. Replace in memory the previous SSL certificates
-  everywhere the <filename> was used in the configuration.
-  Upon failure it doesn't remove or insert anything. Once the temporary
-  transaction is committed, it is destroyed.
+  Commit a temporary SSL certificate update transaction.
 
-  See also "ssl set cert" and "abort ssl cert".
+  In the case of an existing certificate (in a "Used" state in "show ssl
+  cert"), generate every SSL contextes and SNIs it need, insert them, and
+  remove the previous ones. Replace in memory the previous SSL certificates
+  everywhere the <filename> was used in the configuration. Upon failure it
+  doesn't remove or insert anything. Once the temporary transaction is
+  committed, it is destroyed.
+
+  In the case of a new certificate (after a "new ssl cert" and in a "Unused"
+  state in "show ssl cert"), the certificate will be commited in a certificate
+  storage, but it won't be used anywhere in haproxy. To use it and generate
+  its SNIs you will need to add it to a crt-list or a directory with "add ssl
+  crt-list".
+
+  See also "new ssl cert", "ssl set cert", "abort ssl cert" and
+  "add ssl crt-list".
 
 debug dev <command> [args]*
   Call a developer-specific command. Only supported on a CLI connection running