From ad42fe557e550d1f210636db31c4032cca9fa303 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Thu, 7 Mar 2019 19:10:33 +0000 Subject: [PATCH] Add note on temporary self signed certificates Signed-off-by: James Munnelly --- docs/tasks/issuing-certificates/index.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/tasks/issuing-certificates/index.rst b/docs/tasks/issuing-certificates/index.rst index a51f6d816..bcb0679e9 100644 --- a/docs/tasks/issuing-certificates/index.rst +++ b/docs/tasks/issuing-certificates/index.rst @@ -74,6 +74,23 @@ the `API reference documentation`_. .. _`#1269`: https://github.com/jetstack/cert-manager/issues/1269 .. _`API reference documentation`: https://docs.cert-manager.io/en/release-0.7/reference/api-docs/index.html#certificatespec-v1alpha1 +Temporary certificates whilst issuing +===================================== + +With some Issuer types, certificates can take a few minutes to be issued. + +A temporary untrusted certificate will be issued whilst this process takes +places if another certificate does not already exist in the target Secret +resource. + +This helps to improve compatibility with certain ingress controllers (e.g. +ingress-gce_) which require a TLS certificate to be present at all times in +order to function. + +After the real, valid certificate has been obtained, cert-manager will replace +the temporary self signed certificate with the valid one, **but will retain the +same private key**. + Special fields on Certificate resources for ACME Issuers ======================================================== @@ -88,3 +105,5 @@ More information on setting these fields can be found in the :maxdepth: 2 ingress-shim + +.. _ingress-gce: https://github.com/kubernetes/ingress-gce
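Review bot: In the first hunk (`@@ -74,6 +74,23 @@`), the second added paragraph has a typo, "whilst this process takes places" should read "takes place", and the section names the same object two ways: "temporary untrusted certificate" in that paragraph and "temporary self signed certificate" in the last one. Pick one term and hyphenate "self-signed". Because the final sentence bolds that the private key is retained, consider adding one sentence on what a client connecting during issuance should expect from the untrusted certificate, so that readers do not mistake the temporary state for a misconfiguration.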
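Review bot: In the second hunk (`@@ -88,3 +105,5 @@`), the `.. _ingress-gce:` target is appended at the end of the file after the `ingress-shim` toctree entry, whereas the existing `#1269` and `API reference documentation` targets shown as context in the first hunk sit directly after the section that cites them. Moving the new target up beneath the "Temporary certificates whilst issuing" section would follow that convention and keep the link next to the paragraph that references `ingress-gce_`.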