@@ -909,10 +909,21 @@ added: v0.11.13
909909 the same order as their private keys in ` key ` . If the intermediate
910910 certificates are not provided, the peer will not be able to validate the
911911 certificate, and the handshake will fail.
912- * ` ca ` {string|string[ ] |Buffer|Buffer[ ] } Optional CA certificates to trust.
913- Default is the well-known CAs from Mozilla. When connecting to peers that
914- use certificates issued privately, or self-signed, the private root CA or
915- self-signed certificate must be provided to verify the peer.
912+ * ` ca ` {string|string[ ] |Buffer|Buffer[ ] } Optionally override the trusted CA
913+ certificates. Default is to trust the well-known CAs curated by Mozilla.
914+ Mozilla's CAs are completely replaced when CAs are explicitly specified
915+ using this option. The value can be a string or Buffer, or an Array of
916+ strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs
917+ concatenated together. The peer's certificate must be chainable to a CA
918+ trusted by the server for the connection to be authenticated. When using
919+ certificates that are not chainable to a well-known CA, the certificate's CA
920+ must be explicitly specified as a trusted or the connection will fail to
921+ authenticate.
922+ If the peer uses a certificate that doesn't match or chain to one of the
923+ default CAs, use the ` ca ` option to provide a CA certificate that the peer's
924+ certificate can match or chain to.
925+ For self-signed certificates, the certificate is its own CA, and must be
926+ provided.
916927 * ` crl ` {string|string[ ] |Buffer|Buffer[ ] } Optional PEM formatted
917928 CRLs (Certificate Revocation Lists).
918929 * ` ciphers ` {string} Optional cipher suite specification, replacing the
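Review bot: The sentence ending at new lines 919-921 is missing a noun: "must be explicitly specified as a trusted or the connection will fail to authenticate" should read "as a trusted CA". In the same paragraph, new lines 917-918 say the peer's certificate must be chainable to a CA "trusted by the server", while every other sentence in the entry speaks of "the peer" without fixing which side is verifying; wording such as "chainable to a trusted CA" would avoid implying that the option only matters on a server. New lines 922-924 then repeat the requirement already stated in 918-921 (a certificate that does not chain to a default CA needs its CA supplied through `ca`), so one of the two passages can be dropped, keeping the self-signed sentence at 925-926. The statement that Mozilla's CAs are "completely replaced" is the part readers most need when pinning a private CA, so consider placing it directly after the default is described and before the format details.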