Bug
Resolution: Done
4.12, 4.11, 4.10
Quality / Stability / Reliability
OSDOCS Sprint 232, OSDOCS Sprint 233, OSDOCS Sprint 234, OSDOCS Sprint 235, OSDOCS Sprint 237, OSDOCS Sprint 238, OSDOCS Sprint 236
The --ignition-ca docs in installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc work in concert with the "Customizing a live RHCOS ISO image" procedure, which recommends using --dest-ignition to embed the Ignition config in the ISO or PXE image. However, the docs don't say that --dest-ignition is required, and some users might opt to skip it in favor of the more-traditional coreos.inst.ignition_url kernel argument. That would allow them to reuse the customized image in multiple clusters, rather than re-customizing the image for each cluster.
However, it currently doesn't work, because --ignition-ca doesn't affect coreos-installer's fetching of the config:
coreos-installer-service[...]: Error fetching 'https://.../worker.ign': error sending request for url (https://.../worker.ign): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
Possible docs workarounds:
- Explicitly say that --dest-ignition, and not coreos.inst.ignition_url, must be used with --ignition-ca. This does require customizing the image for each cluster.
- Document creating an Ignition config for the live system (maybe with Butane?) which writes the CA certificate to the correct place in /etc, and adding that config to the customized image with --live-ignition. This is more intricate but allows the continued use of coreos.inst.ignition_url.
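
The second workaround, sketched as an added example (not from this issue or the coreos-installer project): a Python script that builds the live-system Ignition config to pass to --live-ignition. The anchor directory /etc/pki/ca-trust/source/anchors, the Ignition spec version 3.2.0, the file name, and the expectation that the live system rebuilds its trust store from that directory before coreos-installer fetches the config are assumptions, not statements from the issue.

```python
import base64
import json
import re

# Assumption: RHEL-family trust anchor directory; the issue only says
# "the correct place in /etc".
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"
IGNITION_SPEC = "3.2.0"  # assumption: a spec version the target RHCOS accepts

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)

def pem_blocks(bundle: str) -> list[bytes]:
    """Return the decoded bytes of each CERTIFICATE block in the bundle."""
    if "PRIVATE KEY" in bundle:
        raise ValueError("bundle contains a private key; embed certificates only")
    ders = [base64.b64decode("".join(m.split()), validate=True)
            for m in PEM_BLOCK.findall(bundle)]
    if not ders:
        raise ValueError("no PEM CERTIFICATE block found")
    return ders

def live_ca_ignition(bundle: str, name: str = "ignition-ca.pem") -> dict:
    """Build an Ignition config that writes `bundle` as a trust anchor."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+\.pem", name):
        raise ValueError("file name must be a plain *.pem name")
    pem_blocks(bundle)  # structural check only; does not validate the chain
    payload = base64.b64encode(bundle.encode("ascii")).decode("ascii")
    return {
        "ignition": {"version": IGNITION_SPEC},
        "storage": {"files": [{
            "path": f"{ANCHOR_DIR}/{name}",
            "mode": 0o644,  # serialized as decimal 420, as Ignition expects
            "overwrite": True,
            "contents": {"source": f"data:;base64,{payload}"},
        }]},
    }

# Constructed placeholder bundle (not a real certificate), for illustration.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-sample-der-bytes").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(json.dumps(live_ca_ignition(SAMPLE_BUNDLE), indent=2))
```

The resulting JSON is cluster-independent, so the customized image can still be pointed at different configs with coreos.inst.ignition_url.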