Update CCM hub docs

webprofusion-chrisc · webprofusion-chrisc · commit a5375060b516 · 2025-03-28T09:40:52.000+08:00
diff --git a/docs/hub/guides/ccm.md b/docs/hub/guides/ccm.md
@@ -8,7 +8,7 @@ Joining your existing *Certify Certificate Manager* (CCM) instance to a Manageme
 
 To use Certify Management Hub with existing installations:
 
-1. Set up a Joining API key in the hub
+1. Set up a Joining API key in the hub (one is automatically created when the hub is installed).
 2. Configure CCM to join the hub (via UI or command line)
 3. Verify that the joining has completed in the hub UI
 
@@ -24,6 +24,41 @@ The management hub will have complete control over the Certify Certificate Manag
 
  :::
 
+## Joining the Hub
+
+By default a joining API key is created when you install the hub. This is found under Settings > Security > API Access. You will need the API URL, Client Id and Client Secret values.
+
+### Method 1: Using the Desktop User Interface
+
+1. In *Certify Certificate Manager*, go to **Settings > Management Hub**
+2. Enter the following:
+   - Management Hub API URL
+   - Client ID
+   - Client Secret
+3. Click **Join**
+4. The app will attempt to join the management hub
+5. If successful, the instance will appear in the **Instances** list of the Management Hub UI and managed certificates will be shown in the hub.
+
+### Method 2: Using the Command Line
+
+If you need to automate joining for a large number of instances you may prefer to script using the command line. To do so, run the following command (from `C:\Program Files\CertifyTheWeb\` as a member of Administrators):
+
+```
+certify hub join <url of mgmt hub API> <client id> <client secret>
+```
+
+## Verification
+
+After joining, confirm that your instance appears in the Management Hub UI's **Instances** list.
+
+
+# Using the Hub to manage a CCM instance
+
+Your *Certify Certificate Manager* install remains much the same as it was before, except it can also be externally managed via the hub. When you are working with individual setting such as Stored Credentials, Certificate Authority accounts etc these remain per-instance settings, so each instance of the app has it's own set of settings and you will selected the target instance when working with those. 
+
+The hub does not currently have global settings that can be pushed to all managed instances etc (such as a single ACME account, or specific stored credential).
+
+## Other Considerations
 ### Ensure Unique Instance IDs
 
 When CCM is installed, an InstanceID value is generated and stored in appsettings.json (on Windows).
@@ -37,7 +72,9 @@ Instance IDs must be valid (unique) GUID values. If in doubt:
 1. Delete your `appsettings.json` file (or just the instanceID field)
 2. Restart the Certify background service to let the app create a new one
 
-## Setting Up the Hub for Instance Management
+## Setting up additional joining keys
+ 
+If you manage instances across different organizations (e.g. if you are an MSP etc), consider creating multiple joining keys to partition by organization. This allows you to revoke hub access for specific groups without affecting unrelated instances.
 
 ### 1. Add a Security Principle for Managed Instances
 
@@ -53,8 +90,6 @@ This step may be unnecessary in current versions where it's auto-created.
 5. Select the `Management Hub Managed Instance` role from Available Roles
 6. Click **Save**
 
-**Note for MSPs:** If you manage instances across different organizations, consider creating multiple joining keys to partition by organization. This allows you to revoke hub access for specific groups without affecting unrelated instances.
-
 ### 2. Create an API Key for Joining Instances
 
 1. Navigate to **Settings > Security > API Access**
@@ -64,36 +99,4 @@ This step may be unnecessary in current versions where it's auto-created.
 5. Select **Management Hub Managed Instance** as the scoped role
 6. **Important:** Click **Add/Remove Role Scope** to add it to the scope list
 7. Click **Add** to create the new API token
-8. Copy the **Client ID** and **Secret** values - you'll need these for instance configuration
-
-## Joining the Hub
-
-### Method 1: Using the CCM User Interface
-
-1. In *Certify Certificate Manager*, go to **Settings > Management Hub**
-2. Enter the following:
-   - Management Hub API URL
-   - Client ID
-   - Client Secret
-3. Click **Join**
-4. The app will attempt to join the management hub
-5. If successful, the instance will appear in the **Instances** list of the Management Hub UI
-
-### Method 2: Using the Command Line
-
-Run the following command:
-
-```
-certify hub join <url of mgmt hub API> <client id> <client secret>
-```
-
-## Verification
-
-After joining, confirm that your instance appears in the Management Hub UI's **Instances** list.
-
-
-# Using the Hub to manage a CCM instance
-
-Your *Certify Certificate Manager* install remains much the same as it was before, except it can also be externally managed via the hub. When you are working with individual setting such as Stored Credentials, Certificate Authority accounts etc these remain per-instance settings, so each instance of the app has it's own set of settings and you will selected the target instance when working with those. 
-
-The hub does not currently have global settings that can be pushed to all managed instances etc (such as a single ACME account, or specific stored credential).
+8. Copy the **Client ID** and **Secret** values - you'll need these for instance configuration
