Document X509 identity format

dchristidis · bari12 · commit 569ff699d14e · 2023-05-05T13:51:02.000+02:00
diff --git a/docs/operator/configuration.md b/docs/operator/configuration.md
@@ -60,6 +60,25 @@ option:
   jdoe
 ```
 
+### X509 identity format
+
+By default, X509 identities must be formatted according to the relevant RFCs: a
+comma-separated list of the DN components, ordered last-to-first (e.g.
+`CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah`).  However, operators might
+prefer to store them in the legacy format: a slash-separated list of the DN
+components, starting with a slash, ordered first-to-last (e.g.
+`/DC=blah/DC=blih/OU=Organic Units/OU=Users/CN=jdoe`).
+
+To do so, it is necessary to enable the `LegacyDNStringFormat` configuration
+option of mod_ssl.  When using the official Rucio container images, one must set
+the `RUCIO_HTTPD_LEGACY_DN` environmental variable to `True`.  For custom
+installations, one must edit the appropriate Apache configuration file so that
+the `SSLOptions` directive looks like this:
+
+```
+SSLOptions +StdEnvVars +LegacyDNStringFormat
+```
+
 ## Creating scope
 
 One needs then to create some scopes associated with the accounts:
