docs/tlscerts: mention dropped 'encryption_key'

Older libvirt versions still only work if 'encryption_key' is enabled
in the server and client certificates. Add a note.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Sebastian Mitterle <smitterl@redhat.com>

diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
index 9063e17fce464eebc7521cd6d8b9edefe02c3fb7..c10ab11b7f4be177d739ec0704d4752c25e0483d 100644 (file)
--- a/docs/kbase/tlscerts.rst
+++ b/docs/kbase/tlscerts.rst
@@ -104,6 +104,18 @@ connect provided they have a valid certificate issued by the CA for their own IP
 address. You may want to change this to make it less (or more) permissive,
 depending on your needs.
 
+The following sections will describe how to created the data needed for the TLS
+setup. They use templates to create Certificate Authority, server and client
+certificates.
+
+Important: versions of libvirt before 11.6.0 also required the ``encryption_key``
+flag in the server and client template. This is no longer mandated since it is
+not applicable for use with many modern cryptographic algorithms, but it is
+harmless if present as it will be ignored. If compatibility with both old and
+new libvirt versions is required, then this extra flag must be added when
+creating the certificate.
+
+
 Setting up a Certificate Authority (CA)
 ---------------------------------------