From a3b1810bdbc2be395d2e4035dd8ce45e4b5ce33b Mon Sep 17 00:00:00 2001 From: Michael Schurter Date: Fri, 17 May 2024 14:49:48 -0700 Subject: [PATCH] doc: specify ca cert needs to be shared (#20620) Specify that the Vault JWT auth method must be configured to trust Nomad's CA certificate when mTLS is enabled. --- website/content/docs/integrations/vault/acl.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/website/content/docs/integrations/vault/acl.mdx b/website/content/docs/integrations/vault/acl.mdx index 1f1c7fdb2..f6fe3d099 100644 --- a/website/content/docs/integrations/vault/acl.mdx +++ b/website/content/docs/integrations/vault/acl.mdx @@ -295,7 +295,10 @@ your Vault and Nomad clusters are configured and deployed. It is highly recommended to use [mutual TLS][tutorial_mtls] in production deployments of Nomad. With mTLS enabled, the [`tls.verify_https_client`][] configuration must be set to `false` since it is not possible to provide client -certificates to the Vault auth method. +certificates to the Vault auth method. Nomad's CA certificate should be +specified in the Vault auth method's +[`jwks_ca_pem`](https://developer.hashicorp.com/vault/api-docs/auth/jwt#jwks_ca_pem) +parameter. Alternatively, you may expose Nomad's JWKS URL from a proxy or a load balancer that handles the mutual TLS connection to Nomad and exposes the JWKS URL
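Review bot: the added sentence in the hunk ("Nomad's CA certificate should be specified in the Vault auth method's `jwks_ca_pem` parameter") is weaker than the commit message, which says the auth method "must be configured to trust Nomad's CA certificate"; since the surrounding paragraph already uses "must" for `tls.verify_https_client`, consider "must be specified" and one clause on why, e.g. "so that Vault can verify Nomad's server certificate when it fetches the JWKS", otherwise a reader may not connect this requirement with the mTLS setup described just above it. It is also worth stating that `jwks_ca_pem` only lets Vault validate Nomad's server certificate and does not change the `verify_https_client` requirement from the preceding sentence, since the two settings sit next to each other and cover different directions of the TLS handshake. Minor style point: the new link uses an inline absolute URL while the neighbouring references in this file are reference-style (`[tutorial_mtls]`, `` [`tls.verify_https_client`][] ``); a reference-style link such as `` [`jwks_ca_pem`][] `` with the definition added alongside the existing ones would keep the page consistent.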