From 636ebdbbe6e8cb9f0a69e7160499fc4d10e1ee3e Mon Sep 17 00:00:00 2001
From: Jim Galasyn <jim.galasyn@docker.com>
Date: Fri, 11 Aug 2017 14:06:13 -0700
Subject: [PATCH] Add note about node IPs and certs (#216)

---
 .../use-your-own-tls-certificates.md          | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates.md b/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates.md
index ab56126d1d..92cbf800fb 100644
--- a/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates.md
+++ b/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates.md
@@ -55,6 +55,23 @@ If you deployed Docker Trusted Registry, you'll also need to reconfigure it
 to trust the new UCP TLS certificates.
 [Learn how to configure DTR](/datacenter/dtr/2.3/reference/cli/reconfigure.md).
 
+## Certificates and compose
+
+For compose to work correctly in the UCP web UI, when you upload your own
+certificates, they must contain the IP addresses of the swarm's nodes, as SANs.
+Get the IP addresses by using the `docker node inspect` command. 
+[Learn to add SANs to swarm certificates](add-sans-to-cluster.md).
+
+If you have stable host names, you can join your nodes by specifying the
+`--advertise-addr` option:  
+
+```bash
+docker swarm join ... --advertise-addr node1.com
+``` 
+
+In this example, the `docker node inspect` command reports `node1.com`, instead
+of the IP address.
+
 ## Where to go next
 
-* [Access UCP from the CLI](../../user/access-ucp/cli-based-access.md)
+* [Access UCP from the CLI](../../user/access-ucp/cli-based-access.md)
\ No newline at end of file