@@ -3644,8 +3644,15 @@ JSON Parameters:

           election.

     - **Dispatcher** – Configuration settings for the task dispatcher.

         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.

-    - **CAConfig** – CA configuration.

+    - **CAConfig** – Certificate authority configuration.

         - **NodeCertExpiry** – Automatic expiry for nodes certificates.

+        - **ExternalCA** - Configuration for forwarding signing requests to an external

+          certificate authority.

+            - **Protocol** - Protocol for communication with the external CA

+              (currently only "cfssl" is supported).

+            - **URL** - URL where certificate signing requests should be sent.

+            - **Options** - An object with key/value pairs that are interpreted

+              as protocol-specific options for the external CA driver.

 ### Join an existing Swarm

@@ -3792,6 +3799,13 @@ JSON Parameters:

     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.

 - **CAConfig** – CA configuration.

     - **NodeCertExpiry** – Automatic expiry for nodes certificates.

+    - **ExternalCA** - Configuration for forwarding signing requests to an external

+      certificate authority.

+        - **Protocol** - Protocol for communication with the external CA

+          (currently only "cfssl" is supported).

+        - **URL** - URL where certificate signing requests should be sent.

+        - **Options** - An object with key/value pairs that are interpreted

+          as protocol-specific options for the external CA driver.

 ## 3.8 Services

@@ -3645,8 +3645,15 @@ JSON Parameters:

           election.

     - **Dispatcher** – Configuration settings for the task dispatcher.

         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.

-    - **CAConfig** – CA configuration.

+    - **CAConfig** – Certificate authority configuration.

         - **NodeCertExpiry** – Automatic expiry for nodes certificates.

+        - **ExternalCA** - Configuration for forwarding signing requests to an external

+          certificate authority.

+            - **Protocol** - Protocol for communication with the external CA

+              (currently only "cfssl" is supported).

+            - **URL** - URL where certificate signing requests should be sent.

+            - **Options** - An object with key/value pairs that are interpreted

+              as protocol-specific options for the external CA driver.

 ### Join an existing Swarm

@@ -3793,6 +3800,13 @@ JSON Parameters:

     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.

 - **CAConfig** – CA configuration.

     - **NodeCertExpiry** – Automatic expiry for nodes certificates.

+    - **ExternalCA** - Configuration for forwarding signing requests to an external

+      certificate authority.

+        - **Protocol** - Protocol for communication with the external CA

+          (currently only "cfssl" is supported).

+        - **URL** - URL where certificate signing requests should be sent.

+        - **Options** - An object with key/value pairs that are interpreted

+          as protocol-specific options for the external CA driver.

 ## 3.8 Services

@@ -17,6 +17,7 @@ parent = "smn_cli"

 	Options:

 	      --auto-accept value   Acceptance policy (default [worker,manager])

+	      --external-ca value   Specifications of one or more certificate signing endpoints

 	      --force-new-cluster   Force create a new cluster from current state.

 	      --help                Print usage

 	      --listen-addr value   Listen address (default 0.0.0.0:2377)

@@ -34,7 +35,7 @@ ID                           NAME      MEMBERSHIP  STATUS  AVAILABILITY  MANAGER

 1ujecd0j9n3ro9i6628smdmth *  manager1  Accepted    Ready   Active        Reachable               Yes

 ```

-###	--auto-accept value

+### `--auto-accept value`

 This flag controls node acceptance into the cluster. By default, both `worker` and `manager`

 nodes are auto accepted by the cluster. This can be changed by specifing what kinds of nodes

@@ -49,6 +50,13 @@ $ docker swarm init --listen-addr 192.168.99.121:2377 --auto-accept worker

 Swarm initialized: current node (1m8cdsylxbf3lk8qriqt07hx1) is now a manager.

 ```

+### `--external-ca value`

+

+This flag sets up the swarm to use an external CA to issue node certificates. The value takes

+the form `protocol=X,url=Y`. The value for `protocol` specifies what protocol should be used

+to send signing requests to the external CA. Currently, the only supported value is `cfssl`.

+The URL specifies the endpoint where signing requests should be submitted.

+

 ### `--force-new-cluster`

 This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data

@@ -17,6 +17,7 @@ parent = "smn_cli"

     Options:

           --auto-accept value               Auto acceptance policy (worker, manager or none)

+          --external-ca value               Specifications of one or more certificate signing endpoints

           --dispatcher-heartbeat duration   Dispatcher heartbeat period (default 5s)

           --help                            Print usage

           --secret string                   Set secret value needed to accept nodes into cluster