Add client certificate authentication and changes to related pages

Signed-off-by: Maria Bermudez <bermudez.mt@gmail.com>

Signed-off-by: Maria Bermudez <bermudez.mt@gmail.com>

_data/toc.yaml

@@ -1327,6 +1327,8 @@ manuals:
         title: Environment variables
     - path: /ee/end-to-end-install/
       title: Install components individually
+  - path: /ee/enable-client-certificate-authentication/
+    title: Enable client certificate authentication with your PKI
   - sectiontitle: Back up Docker Enterprise
     section:
     - path: /ee/admin/backup/

ee/dtr/admin/configure/enable-single-sign-on.md

@@ -4,42 +4,29 @@ description: Learn how to set up single sign-on between UCP and DTR, so that you
 keywords: dtr, login, sso
 ---
 
-By default, users are shared between UCP and DTR, but you have to authenticate
-separately on the web UI of both applications.
+Users are shared between UCP and DTR by default, but the applications have separate browser-based interfaces which require authentication.
 
-You can configure DTR to have single sign-on (SSO) with UCP, so that users only
-have to authenticate once.
+To only authenticate once, you can configure DTR to have single sign-on (SSO) with UCP.
 
 > **Note**: After configuring single sign-on with DTR, users accessing DTR via 
 > `docker login` should create an [access token](/ee/dtr/user/access-tokens/) and use it to authenticate. 
 
-## At installation time
+## At install time
 
-When installing DTR, use the `docker/dtr install --dtr-external-url <url>`
-option to enable SSO. When accessing the DTR web UI, users are redirected to the
-UCP login page, and once they are authenticated, they're redirected to the URL
-you provided to `--dtr-external-url`.
+When [installing DTR](/reference/dtr/2.7/install/), pass the `--dtr-external-url <url>`
+option to enable SSO. This makes it so that when you access DTR's web interface, you are redirected to the UCP login page for authentication. Upon successfully logging in, you are then redirected to your specified DTR external URL during installation.
 
-Use the domain name of DTR, or the domain name of a load balancer, if you're
-using one, to load-balance requests across multiple DTR replicas.
+[Specify the Fully Qualified Domain Name (FQDN)](/use-your-own-tls-certificates/) of your DTR, or a load balancer, to load-balance requests across multiple DTR replicas.
 
-## After install
+## Post-installation
 
-In your browser, navigate to the DTR web UI, and choose **Settings**. In the
-**General** tab, scroll to **Domain & proxies**.
-
-Update the **Load balancer / public address** field to the url where users
-should be redirected once they are logged in.
-Use the domain name of DTR, or the domain name of a load balancer, if you're
-using one, to load-balance requests across multiple DTR replicas.
-
-Then enable **Use single sign-on**.
-
-![](../../images/enable-sso-1.png){: .with-border}
-
-Once you save, users are redirected to UCP for logging in, and redirected back to
-DTR once they are authenticated.
+1. Navigate to `https://<dtr-url>` and log in with your credentials. 
+2. Select **System** from the left navigation pane, and scroll down to **Domain & Proxies**. 
+3. Update the **Load balancer / Public Address** field with the external URL where users
+should be redirected once they are logged in. Click **Save** to apply your changes.
+4. Toggle **Single Sign-on** to automatically redirect users to UCP for logging in.
 
 ## Where to go next
 
-- [Use your own TLS certificates](use-your-own-tls-certificates.md)
+- [Use your own TLS certificates](use-your-own-tls-certificates)
+- [Enable authentication using client certificates](/ee/enable-authentication-via-client-certs/)

ee/dtr/admin/configure/license-your-installation.md

@@ -4,35 +4,53 @@ description: Learn how to license your Docker Trusted Registry installation.
 keywords: dtr, install, license
 ---
 
-By default, you don't need to license your Docker Trusted Registry. When
-installing DTR, it automatically starts using the same license file used on
-your Docker Universal Control Plane cluster.
+By default, Docker Trusted Registry (DTR) automatically uses the same license file applied to
+your Universal Control Plane (UCP). In the following scenarios, you need to
+manually apply a license to your DTR:
 
-However, there are some situations when you have to manually license your
-DTR installation:
-
-* When upgrading to a new major version,
-* When your current license expires.
+* Major version upgrade
+* License expiration
 
 
 ## Download your license
 
-Go to [Docker Hub](https://hub.docker.com/editions/enterprise/docker-ee-trial)
-to download a trial license.
+Visit Docker Hub's [Enterprise Trial page](https://hub.docker.com/editions/enterprise/docker-ee-trial) to start your one-month trial. After signing up, you should receive a confirmation email with a link to your subscription page. You can find your **License Key** in the **Resources** section of the Docker Enterprise Setup Instructions page.  
 
-![](../../images/license-1.png){: .with-border}
+![](/ee/dtr/images/license-1.png){: .with-border}
 
+Click "License Key" to download your license.
 
 ## License your installation
 
-Once you've downloaded the license file, you can apply it to your DTR
-installation. Navigate to the **DTR web UI**, and then go to the **Settings
-page**.
+After downloading your license key, navigate to `https://<dtr-url>` and log in with your credentials.
+Select **System** from the left navigation pane, and click *Apply new license* to upload your license
+key.
+
+![](/ee/dtr/images/license-2.png){: .with-border}
+
+## View licensing information
+
+You can send a `GET` request to `api/v0/admin/settings/license` to view more details on the license applied to your DTR. Use your DTR Fully Qualified Domain Name (FQDN) as the base URL for your API request.
 
-![](../../images/license-2.png){: .with-border}
+### Example API request
+```bash
+curl -u docker:$TOKEN -X GET "https://34.219.67.189/api/v0/admin/settings/license -H "accept: application/json"
+```
 
-Click the **Apply new license** button, and upload your new license file.
+### Example API response
+```json
+{
+  "is_valid": true,
+  "auto_refresh": false,
+  "scanning_enabled": true,
+  "expiration": "2019-07-09T22:26:01Z",
+  "key_id": "2SDaULA3xBvQ8Hrp-05-7_JPrWdthGINT0ZI3ArdhAK6",
+  "tier": "Advanced",
+  "type": "Offline"
+}
+```
 
 ## Where to go next
 
-- [Enable single sign-on](enable-single-sign-on.md)
+- [Use your own TLS certificates](use-your-own-tls-certificates)
+- [Enable single sign-on](enable-single-sign-on)

ee/dtr/admin/configure/use-your-own-tls-certificates.md

@@ -1,44 +1,45 @@
 ---
 title: Use your own TLS certificates
 description: Learn how to configure Docker Trusted Registry with your own TLS certificates.
-keywords: dtr, tls
+keywords: dtr, tls, certificates, security
 ---
 
-By default the DTR services are exposed using HTTPS, to ensure all
-communications between clients and DTR is encrypted. Since DTR
-replicas use self-signed certificates for this, when a client accesses
-DTR, their browsers won't trust this certificate, so the browser displays a
-warning message.
+Docker Trusted Registry (DTR) services are exposed using HTTPS by default. This ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, DTR will generate a [self-signed certificate](https://en.wikipedia.org/wiki/Self-signed_certificate). This leads to an insecure site warning when accessing DTR through a browser. Additionally, DTR includes an [HSTS (HTTP Strict-Transport-Security) header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) in all API responses which can further lead to your browser refusing to load DTR's web interface.
 
-You can configure DTR to use your own certificates, so that it is automatically
-trusted by your users' browser and client tools.
+You can configure DTR to use your own TLS certificates, so that it is automatically
+trusted by your users' browser and client tools. As of v2.7, you can also [enable user authentication via client certificates](/ee/enable-authentication-via-client-certs/) provided by your organization's public key infrastructure (PKI).  
 
 ## Replace the server certificates
 
-To configure DTR to use your own certificates and keys, go to the
-**DTR web UI**, navigate to the **Settings** page, and scroll down to the
-**Domain** section.
+You can upload your own TLS certificates and keys using the web interface, or pass them as CLI options when installing or reconfiguring your DTR instance.
 
-![](../../images/use-your-certificates-1.png){: .with-border}
+### Web interface
 
+Navigate to `https://<dtr-url>` and log in with your credentials. Select **System** from the left navigation pane, and scroll down to **Domain & Proxies**. 
 
-Set the DTR domain name and upload the certificates and key:
+![](/ee/dtr/images/use-your-certificates-1.png){: .with-border}
 
-* Load balancer/public address, is the domain name clients will use to access DTR.
-* TLS certificate, is the server certificate and any intermediate CA public
-certificates. This certificate needs to be valid for the DTR public address,
+Enter your DTR domain name and upload or copy and paste the certificate details:
+
+* ***Load balancer/public address.*** The domain name clients will use to access DTR.
+* ***TLS private key.*** The server private key.
+* ***TLS certificate chain.*** The server certificate and any intermediate public
+certificates from your certificate authority (CA). This certificate needs to be valid for the DTR public address,
 and have SANs for all addresses used to reach the DTR replicas, including load
 balancers.
-* TLS private key is the server private key.
-* TLS CA is the root CA public certificate.
+* ***TLS CA.*** The root CA public certificate.
 
-Finally, click **Save** for the changes to take effect.
+Click **Save** to apply your changes.
 
-If you're using certificates issued by a globally trusted certificate authority,
+If you've added certificates issued by a globally trusted CA,
 any web browser or client tool should now trust DTR. If you're using an internal
-certificate authority, you'll need to configure your system to trust that
-certificate authority.
+CA, you will need to configure your system to trust that
+CA.
 
-## Where to go next
+### Command line interface
 
-- [Set up external storage](external-storage/index.md)
+See [docker/dtr install](/reference/dtr/2.7/cli/install/) and [docker/dtr reconfigure](/reference/dtr/2.7/cli/reconfigure/) for TLS certificate options and usage. 
+
+## Where to go next
+- [Enable single sign-on](enable-single-sign-on)
+- [Set up external storage](external-storage)