@@ -906,10 +906,21 @@ added: v0.11.13
906906 the same order as their private keys in ` key ` . If the intermediate
907907 certificates are not provided, the peer will not be able to validate the
908908 certificate, and the handshake will fail.
909- * ` ca ` {string|string[ ] |Buffer|Buffer[ ] } Optional CA certificates to trust.
910- Default is the well-known CAs from Mozilla. When connecting to peers that
911- use certificates issued privately, or self-signed, the private root CA or
912- self-signed certificate must be provided to verify the peer.
909+ * ` ca ` {string|string[ ] |Buffer|Buffer[ ] } Optionally override the trusted CA
910+ certificates. Default is to trust the well-known CAs curated by Mozilla.
911+ Mozilla's CAs are completely replaced when CAs are explicitly specified
912+ using this option. The value can be a string or Buffer, or an Array of
913+ strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs
914+ concatenated together. The peer's certificate must be chainable to a CA
915+ trusted by the server for the connection to be authenticated. When using
916+ certificates that are not chainable to a well-known CA, the certificate's CA
917+ must be explicitly specified as a trusted or the connection will fail to
918+ authenticate.
919+ If the peer uses a certificate that doesn't match or chain to one of the
920+ default CAs, use the ` ca ` option to provide a CA certificate that the peer's
921+ certificate can match or chain to.
922+ For self-signed certificates, the certificate is its own CA, and must be
923+ provided.
913924 * ` crl ` {string|string[ ] |Buffer|Buffer[ ] } Optional PEM formatted
914925 CRLs (Certificate Revocation Lists).
915926 * ` ciphers ` {string} Optional cipher suite specification, replacing the
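Review bot: The added `ca` sentence ending "must be explicitly specified as a trusted or the connection will fail to authenticate" is missing its noun after "trusted"; it should presumably read "as a trusted CA". In the sentence before it, "chainable to a CA trusted by the server" assumes the local side is a server, while the rest of the entry speaks only of "the peer"; if this option is also used when connecting as a client, wording such as "trusted by the local endpoint" would avoid misleading readers about which side does the validation. The paragraph starting "If the peer uses a certificate that doesn't match or chain to one of the default CAs" repeats the sentence just before it, so one of the two can be dropped. The statement that Mozilla's CAs are completely replaced is the part users most often get wrong, so it is worth keeping as its own sentence near the top of the entry rather than in the middle of the paragraph.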