From fd29187499d48a36926eb35353a126ff269584d6 Mon Sep 17 00:00:00 2001 From: Kent 'picat' Gruber Date: Fri, 6 Nov 2020 10:15:26 -0500 Subject: [PATCH] Add mention of auto_encrypt to mTLS requirements --- website/pages/docs/security/security-models/core.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/website/pages/docs/security/security-models/core.mdx b/website/pages/docs/security/security-models/core.mdx index d09c983dd3..76c0010601 100644 --- a/website/pages/docs/security/security-models/core.mdx +++ b/website/pages/docs/security/security-models/core.mdx @@ -94,7 +94,7 @@ environment and adapt these configurations accordingly. should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was added in Consul 1.0.1. - - [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be + - [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be set to true to require that the TLS certificate presented by the servers matches `server..` hostname for outgoing TLS connections. The default configuration does not verify the hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a 
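Review bot: the `-`/`+` pair for the `verify_server_hostname` bullet reads identically here, so this looks like a whitespace-only change (trailing space or reflow) that the subject line does not mention; harmless, but the commit message should say so. In the same bullet, the hostname template the servers' certificates must match reads `server..`, which looks like a placeholder whose components have been lost rather than the intended hostname form; please check the rendered page shows the full hostname pattern, since this is the value operators copy when they issue server certificates.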
@@ -105,6 +105,16 @@ environment and adapt these configurations accordingly. [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed in 1.4.1. + - [`auto_encrypt`](/docs/agent/options#auto_encrypt) - Enables automated TLS certificate distribution for client + agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/options#ca_file) + and ACL token would still need to be distributed to client agents. + + - [`allow_tls`](/docs/agent/options#allow_tls) - By default this is false, and should be set to true on server + agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents. + + - [`tls`](/docs/agent/options#tls) - By default this false, and should be set to true on client agents to + automatically request a client TLS certificate from the server's Connect CA. + **Example Server Agent TLS Configuration** ```hcl
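Review bot: `allow_tls` and `tls` are added as sibling top-level bullets beside `auto_encrypt`, but their descriptions (the server-side "allow" and the client-side "request" halves of the Connect CA certificate distribution that the `auto_encrypt` entry introduces) make them settings inside that block; write the key paths as `auto_encrypt.allow_tls` and `auto_encrypt.tls`, or nest the two bullets under the `auto_encrypt` entry, so a reader does not set a bare `tls = true` and expect certificates to be distributed. "By default this false" in the `tls` entry is missing "is". Finally, the `auto_encrypt` entry already says a `ca_file` and ACL token must still be distributed to clients; the `tls` entry would benefit from repeating that, together with a pointer to `verify_server_hostname` from the list above, because a client's initial certificate request is only as trustworthy as the server identity it can verify before it has its own certificate.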