From 330f87908585778ed741cbdc1b47a513721357a5 Mon Sep 17 00:00:00 2001 From: "Ariel Shaqed (Scolnicov)" Date: Thu, 11 Apr 2024 11:13:46 +0300 Subject: [PATCH] Document how to use the Python SDK with a custom trusted CA bundle (#7652) Fixes #7610. --- docs/integrations/python.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/docs/integrations/python.md b/docs/integrations/python.md index 503765bcde6..9e6ffb7d11d 100644 --- a/docs/integrations/python.md +++ b/docs/integrations/python.md @@ -56,6 +56,19 @@ clt = Client( ) ``` +You can use TLS with a CA that is not trusted on the host by configuring the +client with a CA cert bundle file. It should contain concatenated CA +certificates in PEM format: +```python +clt = Client( + host="http://localhost:8000", + username="AKIAIOSFODNN7EXAMPLE", + password="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + # Customize the CA certificates used to verify the peer. + ssl_ca_cert="path/to/concatenated_CA_certificates.PEM", +) +``` + For testing SSL endpoints you may wish to use a self-signed certificate. If you do this and receive an `SSL: CERTIFICATE_VERIFY_FAILED` error message you might add the following configuration to your client: ```python @@ -72,14 +85,14 @@ This setting allows well-known "man-in-the-middle", impersonation, and credential stealing attacks. Never use this in any production setting. -Optionally, to enable communication via proxies, simply set the proxy configuration: +Optionally, to enable communication via proxies, add a proxy configuration: ```python clt = Client( host="http://localhost:8000", username="AKIAIOSFODNN7EXAMPLE", password="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", - ssl_ca_cert="", # Set this to customize the certificate file to verify the peer + ssl_ca_cert="(if needed)", proxy="", ) ```
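Review bot: In the first hunk (@@ -56,6 +56,19 @@), the new CA bundle example still passes `host="http://localhost:8000"`, a plain HTTP URL, so a reader who copies it never performs a TLS handshake and `ssl_ca_cert` verifies nothing. Use an `https://` host in this snippet so that the example exercises the setting it documents. Two smaller points in the same hunk: the added paragraph runs straight into the opening `python` fence with no blank line between them, which some Markdown renderers handle poorly, and the text could say whether the bundle replaces or supplements the host's default trust store, since that decides whether publicly trusted endpoints keep verifying.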
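Review bot: In the second hunk (@@ -72,14 +85,14 @@), the proxy example replaces the commented empty value with `ssl_ca_cert="(if needed)"`, which reads as a literal file path and would be passed to the client as one if copied verbatim. The hunk also drops the only inline explanation of the parameter from this snippet. Either remove the `ssl_ca_cert` line from the proxy example and refer to the CA bundle paragraph above, or keep it as a commented-out line carrying the same placeholder path as the earlier example. The unchanged `proxy=""` line has a similar problem: the example shows no proxy URL format, so a sample value or a short comment there would make the snippet usable.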