Diffstat (limited to 'docs/configuration/service')
-rw-r--r-- docs/configuration/service/dhcp-server.rst 12
-rw-r--r-- docs/configuration/service/ipoe-server.rst 5
-rw-r--r-- docs/configuration/service/pppoe-server.rst 7
-rw-r--r-- docs/configuration/service/ssh.rst 31
4 files changed, 39 insertions, 16 deletions
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
index 502d1e1b..00ba179a 100644
--- a/docs/configuration/service/dhcp-server.rst
+++ b/docs/configuration/service/dhcp-server.rst
@@ -379,9 +379,7 @@ statements on both servers:
.. cfgcmd:: set service dhcp-server high-availability name <name>
- A generic `<name>` referencing this sync service.
-
- .. note:: `<name>` must be identical on both sides!
+ Define the name of the peer server to establish and identify the HA (High Availability) connection.
.. cfgcmd:: set service dhcp-server high-availability status <primary
| secondary>
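Review bot: the new description on the `+` line drops the removed note that `<name>` must be identical on both sides without saying what rule replaces it. If the value is now the peer's name, state explicitly that it differs on each node and what it has to correspond to on the peer. The added line is also much longer than the wrapped lines elsewhere in these files and should be wrapped.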
@@ -610,8 +608,8 @@ Configuration of a DHCP HA pair:
* Setup DHCP HA for network 192.0.2.0/24
* Use active-active HA mode.
* Default gateway and DNS server is at `192.0.2.254`
-* The primary DHCP server uses address `192.168.189.252`
-* The secondary DHCP server uses address `192.168.189.253`
+* The primary DHCP server named dhcp-primary uses address `192.168.189.252`
+* The secondary DHCP server with named dhcp-secondary uses address `192.168.189.253`
* DHCP range spans from `192.168.189.10` - `192.168.189.250`
Common configuration, valid for both primary and secondary node.
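Review bot: typo in the second added bullet, "with named dhcp-secondary" should read "named dhcp-secondary" to match the bullet above it. While this list is being touched, the unchanged bullets still give the network as 192.0.2.0/24 and the gateway as `192.0.2.254`, but every server and range address is in 192.168.189.x; one of the two should be corrected.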
@@ -632,7 +630,7 @@ Common configuration, valid for both primary and secondary node.
set service dhcp-server high-availability mode 'active-active'
set service dhcp-server high-availability source-address '192.168.189.252'
- set service dhcp-server high-availability name 'NET-VYOS'
+ set service dhcp-server high-availability name 'dhcp-secondary'
set service dhcp-server high-availability remote '192.168.189.253'
set service dhcp-server high-availability status 'primary'
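Review bot: the primary's block (source-address '192.168.189.252', status 'primary') now sets name 'dhcp-secondary', and the next hunk sets 'dhcp-primary' on the secondary, which reads like swapped values unless the reader already knows `name` is the peer's name. Add one sentence before each block saying so. The hunk context also still labels this "Common configuration, valid for both primary and secondary node" although the lines shown are node-specific.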
@@ -642,7 +640,7 @@ Common configuration, valid for both primary and secondary node.
set service dhcp-server high-availability mode 'active-active'
set service dhcp-server high-availability source-address '192.168.189.253'
- set service dhcp-server high-availability name 'NET-VYOS'
+ set service dhcp-server high-availability name 'dhcp-primary'
set service dhcp-server high-availability remote '192.168.189.252'
set service dhcp-server high-availability status 'secondary'
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
index ef06bcd5..5d7acd5a 100644
--- a/docs/configuration/service/ipoe-server.rst
+++ b/docs/configuration/service/ipoe-server.rst
@@ -174,11 +174,12 @@ RADIUS advanced options
.. cfgcmd:: set service ipoe-server authentication radius dynamic-author server <address>
- Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+ Specifies IP address for Dynamic Authorization Extension server (DM/CoA).
+ This IP must exist on any VyOS interface or it can be ``0.0.0.0``.
.. cfgcmd:: set service ipoe-server authentication radius dynamic-author port <port>
- Port for Dynamic Authorization Extension server (DM/CoA)
+ UDP port for Dynamic Authorization Extension server (DM/CoA)
.. cfgcmd:: set service ipoe-server authentication radius dynamic-author key <secret>
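Review bot: the added sentence "This IP must exist on any VyOS interface or it can be ``0.0.0.0``" does not say what `0.0.0.0` means. Spell out that it makes the DM/CoA listener accept requests on every local address, and recommend a specific management address where possible, since the only protection visible here is the `dynamic-author key` secret. "must exist on any VyOS interface" would also read better as "must be configured on a VyOS interface".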
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
index 6d818c70..f763536a 100644
--- a/docs/configuration/service/pppoe-server.rst
+++ b/docs/configuration/service/pppoe-server.rst
@@ -144,12 +144,13 @@ RADIUS advanced options
.. cfgcmd:: set service pppoe-server authentication radius
dynamic-author server <address>
- Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+ Specifies IP address for Dynamic Authorization Extension server (DM/CoA).
+ This IP must exist on any VyOS interface or it can be ``0.0.0.0``.
.. cfgcmd:: set service pppoe-server authentication radius
dynamic-author port <port>
- Port for Dynamic Authorization Extension server (DM/CoA)
+ UDP port for Dynamic Authorization Extension server (DM/CoA)
.. cfgcmd:: set service pppoe-server authentication radius dynamic-author
key <secret>
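Review bot: the rewritten "UDP port for Dynamic Authorization Extension server (DM/CoA)" line has no trailing period while the server line above it gained one, and it gives no default port. The hunk repeats the ipoe-server wording verbatim, so the `0.0.0.0` sentence here needs the same explanation that it listens on all local addresses.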
@@ -681,4 +682,4 @@ a /56 subnet for the clients internal use.
.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/
accel-pppd/radius/dict/dictionary.rfc6911
.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/
- blob/master/accel-pppd/radius/dict/dictionary.accel \ No newline at end of file
+ blob/master/accel-pppd/radius/dict/dictionary.accel
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index 4fa44d3e..c9969aa6 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -129,11 +129,34 @@ Configuration
``rsa-sha2-256-cert-v01@openssh.com``, ``rsa-sha2-512``,
``rsa-sha2-512-cert-v01@openssh.com``
-.. cfgcmd:: set service ssh trusted-user-ca-key ca-certificate <ca_cert_name>
+.. cfgcmd:: set service ssh trusted-user-ca <name>
+
+ Specify the name of the OpenSSH key-pair that acts as certificate authority
+ and will be used to verify user certificates.
+
+ You can use it by adding the OpenSSH key-pair under the PKI subsystem.
+
+ Example:
+
+ .. code-block:: none
+
+ # Generate key-pair acting as CA
+ $ ssh-keygen -f vyos-ssh-ca.key
+
+ # Generate key for user: vyos_testca
+ $ ssh-keygen -f vyos_testca -C "vyos_tesca@vyos.net"
+
+ # Sign public key from user vyos_testca and insert principal names: vyos, vyos_testca
+ # with a key lifetime of two weeks - after which the key is unusable
+ $ ssh-keygen -s vyos-ssh-ca.key -I vyos_testca@vyos.net -n vyos,vyos_testca -V +2w vyos_testca.pub
+
+ $ set system login user vyos_testca
+ $ set pki openssh test_ca public key AAAAB3N.....
+ $ set pki openssh test_ca public type ssh-rsa
+ $ set service ssh trusted-user-ca test_ca
+
+ You can now log into the system using: ``ssh -i vyos_testca vyos_testca@vyos.test.com``
- Specify the name of the CA certificate that will be used to verify the user
- certificates.
- You can use it by adding the CA certificate with the PKI command.
Dynamic-protection
==================
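Review bot: the example creates the CA with `ssh-keygen -f vyos-ssh-ca.key` and no `-t`, then hard-codes `set pki openssh test_ca public type ssh-rsa`; the default key type depends on the OpenSSH version, so add an explicit `-t` to the CA command and make the `type` line match it. Further points in the same block: the user key comment is `vyos_tesca@vyos.net` (missing "t") while the certificate identity is `vyos_testca@vyos.net`; the four `set` lines are configuration-mode commands but carry the same `$` prompt as the shell commands; and the command is renamed from `trusted-user-ca-key ca-certificate` with no note for readers who still have the old form configured.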