From c36e4fb17f63bfb798856d63bfd7d3bc2d05f70c Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 27 Aug 2025 10:56:24 +0200 Subject: [PATCH] DOC: configuration: reword 'generate-certificates' Reword the 'generate-certificates' keyword documentation to clarify what's happening upon error. This was discussed in ticket #3082. --- doc/configuration.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 795694227..5298a239a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16693,8 +16693,12 @@ generate-certificates name mismatch on the certificate presented to the client. With this option enabled, HAProxy will try to forge a certificate using the SNI hostname indicated by the client. This is done only if no certificate matches the SNI - hostname (see 'crt-list'). If an error occurs, the default certificate is - used, else the 'strict-sni' option is set. + hostname (see 'crt-list'). + + In the event of a certificate generation error, the connection will fall back + on the default certificate. When using 'strict-sni', the default certificate + will not be used and the connection will result in a handshake failure. + It can also be used when HAProxy is configured as a reverse proxy to ease the deployment of an architecture with many backends.
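Review bot: in the added paragraph, the second sentence ("When using 'strict-sni', the default certificate will not be used ...") does not say that it still describes the generation-error case, so it can be read as 'strict-sni' ruling out the default certificate in general rather than only when forging fails. Suggest tying it to the preceding sentence, for example "If 'strict-sni' is also set, the default certificate is not used in that case and the handshake fails instead." Separately, the unchanged context line "It can also be used when HAProxy is configured as a reverse proxy" now follows a paragraph whose subjects are the default certificate and the connection, so "It" no longer has a clear antecedent; "This option can also be used ..." would keep the reference to 'generate-certificates' unambiguous.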