2 files changed, 31 insertions, 0 deletions

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index ef39b85..0265d55 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -777,6 +777,28 @@ correct signature.
 This capability is intended to allow the use of arbitrary cryptographic
 service providers with OpenVPN via the management interface.
 
+COMMAND -- certificate (OpenVPN 2.4 or higher)
+----------------------------------------------
+Provides support for external storage of the certificate. Requires the
+--management-external-cert option. This option can be used instead of "cert"
+in client mode. On SSL protocol initialization a notification will be sent
+to the management interface with a hint as follows:
+
+>NEED-CERTIFICATE:macosx-keychain:subject:o=OpenVPN-TEST
+
+The management interface client should use the hint to obtain the specific
+SSL certificate and then return base64 encoded certificate as follows:
+
+certificate
+[BASE64_CERT_LINE]
+.
+.
+.
+END
+
+This capability is intended to allow the use of certificates
+stored outside of the filesystem (e.g. in Mac OS X Keychain)
+with OpenVPN via the management interface.
 
 OUTPUT FORMAT
 -------------
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9551566..8b3e1a2 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2591,6 +2591,15 @@ Allows usage for external private key file instead of
 option (client-only).
 .\"*********************************************************
 .TP
+.B \-\-management-external-cert certificate-hint
+Allows usage for external certificate instead of
+.B \-\-cert
+option (client-only).
+.B certificate-hint
+is an arbitrary string which is passed to a management
+interface client as an argument of NEED-CERTIFICATE notification.
+.\"*********************************************************
+.TP
 .B \-\-management-forget-disconnect
 Make OpenVPN forget passwords when management session
 disconnects.