From 791b808055d7c874700a389676adecbdd32c3bbd Mon Sep 17 00:00:00 2001
From: xixirangrang
Date: Tue, 30 Apr 2024 16:53:33 +0800
Subject: [PATCH] fix pd cert allowed cn description (#17397)

---
 enable-tls-between-components.md | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
index af73a7887ddfc..3f48566c2da66 100644
--- a/enable-tls-between-components.md
+++ b/enable-tls-between-components.md
@@ -158,16 +158,17 @@ The Common Name is used for caller verification. In general, the callee needs to
 
 To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee.
 
+> **Note:**
+>
+> Currently the `cert-allowed-cn` configuration item of the PD can only be set to one value. Therefore, the `commonName` of all authentication objects must be set to the same value.
+
 - TiDB
 
     Configure in the configuration file or command-line arguments:
 
     ```toml
     [security]
-    cluster-verify-cn = [
-        "TiDB-Server",
-        "TiKV-Control",
-    ]
+    cluster-verify-cn = ["TiDB"]
     ```
 
 - TiKV
@@ -176,9 +177,7 @@ To verify component caller's identity, you need to mark the certificate user ide
 
     ```toml
     [security]
-    cert-allowed-cn = [
-        "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1",
-    ]
+    cert-allowed-cn = ["TiDB"]
     ```
 
 - PD
@@ -187,7 +186,7 @@ To verify component caller's identity, you need to mark the certificate user ide
 
     ```toml
     [security]
-    cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"]
+    cert-allowed-cn = ["TiDB"]
     ```
 
 - TiFlash (New in v4.0.5)
@@ -196,14 +195,14 @@ To verify component caller's identity, you need to mark the certificate user ide
 
     ```toml
     [security]
-    cert_allowed_cn = ["TiKV-Server", "TiDB-Server"]
+    cert_allowed_cn = ["TiDB"]
     ```
 
     Configure in the `tiflash-learner.toml` file:
 
     ```toml
     [security]
-    cert-allowed-cn = ["PD-Server", "TiKV-Server", "TiFlash-Server"]
+    cert-allowed-cn = ["TiDB"]
     ```
 
 ## Reload certificates