From 9079099c67cb242d19837fbe29603f31b93798fa Mon Sep 17 00:00:00 2001
From: Paris Larkins <paris.larkins@instaclustr.com>
Date: Tue, 24 Sep 2024 09:43:43 +1000
Subject: [PATCH] Update hot reload documentation section to show how the DN
 validation can be disabled

---
 _security/configuration/tls.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md
index a4115b8c25..0943a2fdb5 100755
--- a/_security/configuration/tls.md
+++ b/_security/configuration/tls.md
@@ -272,7 +272,15 @@ Updating expired or nearly expired TLS certificates does not require restarting
 This setting is `false` by default.
 {: .note }
 
-After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file. 
+After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The new certificates need to be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file. 
+By default, the API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. This behaviour can be disabled by adding the following settings in `opensearch.yml`:
+
+```
+plugins.security.ssl.http.enforce_cert_reload_dn_verification: false
+plugins.security.ssl.transport.enforce_cert_reload_dn_verification: false
+```
+
+These settings are `true` by default.
 
 Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.
 {: .note }