Normalize the markdown for certificates page

This page was using some implicit code snippets (i.e. indent text by 8 spaces).
Grammar like this works but should be avoided when possible.

content/en/docs/tasks/administer-cluster/certificates.md

@@ -4,32 +4,34 @@ content_type: task
 weight: 20
 ---
 
-
 <!-- overview -->
 
 When using client certificate authentication, you can generate certificates
 manually through `easyrsa`, `openssl` or `cfssl`.
 
-
-
-
 <!-- body -->
 
 ### easyrsa
 
 **easyrsa** can manually generate certificates for your cluster.
 
-1.  Download, unpack, and initialize the patched version of easyrsa3.
+1. Download, unpack, and initialize the patched version of `easyrsa3`.
 
+   ```shell
    curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
    tar xzf easy-rsa.tar.gz
    cd easy-rsa-master/easyrsa3
    ./easyrsa init-pki
+   ```
 1. Generate a new certificate authority (CA). `--batch` sets automatic mode;
    `--req-cn` specifies the Common Name (CN) for the CA's new root certificate.
 
+   ```shell
    ./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass
+   ```
+
 1. Generate server certificate and key.
+
    The argument `--subject-alt-name` sets the possible IPs and DNS names the API server will
    be accessed with. The `MASTER_CLUSTER_IP` is usually the first IP from the service CIDR
    that is specified as the `--service-cluster-ip-range` argument for both the API server and
@@ -38,6 +40,7 @@ manually through `easyrsa`, `openssl` or `cfssl`.
    The sample below also assumes that you are using `cluster.local` as the default
    DNS domain name.
 
+   ```shell
    ./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
    "IP:${MASTER_CLUSTER_IP},"\
    "DNS:kubernetes,"\
@@ -47,12 +50,17 @@ manually through `easyrsa`, `openssl` or `cfssl`.
    "DNS:kubernetes.default.svc.cluster.local" \
    --days=10000 \
    build-server-full server nopass
+   ```
+
 1. Copy `pki/ca.crt`, `pki/issued/server.crt`, and `pki/private/server.key` to your directory.
+
 1. Fill in and add the following parameters into the API server start parameters:
 
+   ```shell
    --client-ca-file=/yourdirectory/ca.crt
    --tls-cert-file=/yourdirectory/server.crt
    --tls-private-key-file=/yourdirectory/server.key
+   ```
 
 ### openssl
 
@@ -60,14 +68,24 @@ manually through `easyrsa`, `openssl` or `cfssl`.
 
 1. Generate a ca.key with 2048bit:
 
+   ```shell
    openssl genrsa -out ca.key 2048
-1.  According to the ca.key generate a ca.crt (use -days to set the certificate effective time):
+   ```
 
+1. According to the ca.key generate a ca.crt (use `-days` to set the certificate effective time):
+
+   ```shell
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
+   ```
+
 1. Generate a server.key with 2048bit:
 
+   ```shell
    openssl genrsa -out server.key 2048
+   ```
+
 1. Create a config file for generating a Certificate Signing Request (CSR).
+
    Be sure to substitute the values marked with angle brackets (e.g. `<MASTER_IP>`)
    with real values before saving this to a file (e.g. `csr.conf`).
    Note that the value for `MASTER_CLUSTER_IP` is the service cluster IP for the
@@ -75,6 +93,7 @@ manually through `easyrsa`, `openssl` or `cfssl`.
    The sample below also assumes that you are using `cluster.local` as the default
    DNS domain name.
 
+   ```ini
    [ req ]
    default_bits = 2048
    prompt = no
@@ -108,20 +127,33 @@ manually through `easyrsa`, `openssl` or `cfssl`.
    keyUsage=keyEncipherment,dataEncipherment
    extendedKeyUsage=serverAuth,clientAuth
    subjectAltName=@alt_names
+   ```
+
 1. Generate the certificate signing request based on the config file:
 
+   ```shell
    openssl req -new -key server.key -out server.csr -config csr.conf
+   ```
+
 1. Generate the server certificate using the ca.key, ca.crt and server.csr:
 
+   ```shell
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt -days 10000 \
        -extensions v3_ext -extfile csr.conf
+   ```
+
 1. View the certificate signing request:
 
+   ```shell
    openssl req  -noout -text -in ./server.csr
+   ```
+
 1. View the certificate:
 
+   ```shell
    openssl x509  -noout -text -in ./server.crt
+   ```
 
 Finally, add the same parameters into the API server start parameters.
 
@@ -130,23 +162,31 @@ Finally, add the same parameters into the API server start parameters.
 **cfssl** is another tool for certificate generation.
 
 1. Download, unpack and prepare the command line tools as shown below.
+
    Note that you may need to adapt the sample commands based on the hardware
    architecture and cfssl version you are using.
 
+   ```shell
    curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl
    chmod +x cfssl
    curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson
    chmod +x cfssljson
    curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo
    chmod +x cfssl-certinfo
+   ```
+
 1. Create a directory to hold the artifacts and initialize cfssl:
 
+   ```shell
    mkdir cert
    cd cert
    ../cfssl print-defaults config > config.json
    ../cfssl print-defaults csr > csr.json
+   ```
+
 1. Create a JSON config file for generating the CA file, for example, `ca-config.json`:
 
+   ```json
    {
      "signing": {
        "default": {
@@ -165,10 +205,13 @@ Finally, add the same parameters into the API server start parameters.
        }
      }
    }
+   ```
+
 1. Create a JSON config file for CA certificate signing request (CSR), for example,
    `ca-csr.json`. Be sure to replace the values marked with angle brackets with
    real values you want to use.
 
+   ```json
    {
      "CN": "kubernetes",
      "key": {
@@ -183,16 +226,22 @@ Finally, add the same parameters into the API server start parameters.
        "OU": "<organization unit>"
      }]
    }
+   ```
+
 1. Generate CA key (`ca-key.pem`) and certificate (`ca.pem`):
 
+   ```shell
    ../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca
+   ```
+
 1. Create a JSON config file for generating keys and certificates for the API
    server, for example, `server-csr.json`. Be sure to replace the values in angle brackets with
-    real values you want to use. The `MASTER_CLUSTER_IP` is the service cluster
+   real values you want to use. The `<MASTER_CLUSTER_IP>` is the service cluster
    IP for the API server as described in previous subsection.
    The sample below also assumes that you are using `cluster.local` as the default
    DNS domain name.
 
+   ```json
    {
      "CN": "kubernetes",
      "hosts": [
@@ -217,13 +266,16 @@ Finally, add the same parameters into the API server start parameters.
        "OU": "<organization unit>"
      }]
    }
+   ```
+
 1. Generate the key and certificate for the API server, which are by default
    saved into file `server-key.pem` and `server.pem` respectively:
 
+   ```shell
    ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
         --config=ca-config.json -profile=kubernetes \
         server-csr.json | ../cfssljson -bare server
-
+   ```
 
 ## Distributing Self-Signed CA Certificate
 
@@ -234,12 +286,12 @@ refresh the local list for valid certificates.
 
 On each client, perform the following operations:
 
-```bash
+```shell
 sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
 sudo update-ca-certificates
 ```
 
-```
+```none
 Updating certificates in /etc/ssl/certs...
 1 added, 0 removed; done.
 Running hooks in /etc/ca-certificates/update.d....
@@ -250,6 +302,6 @@ done.
 
 You can use the `certificates.k8s.io` API to provision
 x509 certificates to use for authentication as documented
-[here](/docs/tasks/tls/managing-tls-in-a-cluster).
+in the [Managing TLS in a cluster](/docs/tasks/tls/managing-tls-in-a-cluster)
-
+task page.