document pomerium-cli client cert functionality

kenjenkins · kenjenkins · commit 621a8efdabab · 2023-09-20T12:18:20.000-07:00
diff --git a/content/docs/capabilities/tcp.mdx b/content/docs/capabilities/tcp.mdx
@@ -113,6 +113,24 @@ pomerium-cli tcp tcp+https://proxy.corp.example.com:8443/redis.internal.example.
 
 The command above connects to `https://pomerium.corp.example.com:8443` and then requests the TCP route for `redis.internal.example.com:6379`.
 
+### Client Certificates
+
+If Pomerium is configured to require client certificates, you will also need to provide a client certificate and private key when invoking the `pomerium-cli` command.
+
+You can specify these either by using PEM files, or (starting in v0.23) by searching for a certificate in the system trust store (on macOS and Windows only).
+
+To specify a client certificate and key using PEM files:
+
+```bash
+pomerium-cli tcp --client-cert cert.pem --client-key key.pem redis.corp.example.com:6379
+```
+
+To search for a client certificate in the system trust store you will need to specify the Common Name of the client certificate's issuer:
+
+```bash
+pomerium-cli tcp --client-cert-issuer-cn "intermediate CA T1" redis.corp.example.com:6379
+```
+
 ## Service-Specific Documentation
 
 We've outlined how to use a TCP tunnel through Pomerium for several popular services that use TCP connections:
diff --git a/content/docs/capabilities/tcp/reference.md b/content/docs/capabilities/tcp/reference.md
@@ -25,6 +25,7 @@ pomerium-cli tcp [destination] [flags]
 | <a className="entRef-anchor" id="--ca-cert">#</a><a href='#--ca-cert'>--ca-cert</a> | Path to CA certificate to use for HTTP requests. | string |
 | <a className="entRef-anchor" id="--client-cert">#</a><a href='#--client-cert'>--client-cert</a> | (optional) PEM-encoded client certificate. | string |
 | <a className="entRef-anchor" id=" --client-key">#</a><a href='# --client-key'> --client-key</a> | (optional) PEM-encoded client certificate key. | string |
+| <a className="entRef-anchor" id="--client-cert-issuer-cn">#</a><a href='#--client-cert-issuer-cn'> --client-cert-issuer-cn</a> | (optional) If provided, pomerium-cli will attempt to use a client certificate from the system trust store (macOS and Windows only), searching for a certificate whose Issuer matches the provided Common Name. | string |
 | <a className="entRef-anchor" id=" --disable-tls-verification">#</a><a href='# --disable-tls-verification'>--disable-tls-verification</a> | Disables TLS verification. | none |
 | <a className="entRef-anchor" id="--help">#</a><a href='#--help'>-h, --help</a> | Help for tcp. | none |
 | <a className="entRef-anchor" id="--listen">#</a><a href='#--listen'>--listen</a> | Local address to start a listener on (default "127.0.0.1:0"). | string |
