Document OCSP remap requirement

doc/admin-guide/security/index.en.rst

@@ -334,6 +334,14 @@ Authority Information Access field of the signed certificate. For example::
                 OCSP - URI:http://ocsp.digicert.com
                 CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
 
+Before ATS 10, OCSP fetches were handled by OpenSSL. Starting in ATS 10,
+|TS| performs the OCSP fetch itself through FetchSM, so the OCSP responder URL
+must also be reachable through :file:`remap.config`. For example, if the
+certificate points to ``http://ocsp.digicert.com/`` as its OCSP responder, add
+the following mapping::
+
+    map http://ocsp.digicert.com/ http://ocsp.digicert.com/
+
 |TS| can also use prefetched OCSP stapling responses if ssl_ocsp_name parameter
 is used in :file:`ssl_multicert.config`. Take into account that when using prefetched
 OCSP stapling responses, |TS| will not refresh them and it should be done
@@ -395,4 +403,3 @@ To configure Split DNS:
          enabled: 1
 
 #. Run the command :option:`traffic_ctl config reload` to apply the configuration changes.
-

doc/release-notes/upgrading.en.rst

@@ -182,6 +182,16 @@ The following :file:`records.yaml` changes have been made:
   allocating iobuffers and cache volumes from hugepages if configured in the
   system.
 - The records.yaml entry ``proxy.config.plugin.compiler_path`` has been added to specify an optional compiler tool path for compiling plugins.
+- If OCSP stapling is enabled, ATS 10 and later fetch OCSP responses through
+  FetchSM instead of OpenSSL. Add the OCSP responder URL from the certificate
+  to :file:`remap.config`. For example, a certificate that uses
+  ``http://ocsp.digicert.com/`` needs the following mapping:
+
+  .. code-block:: none
+
+     map http://ocsp.digicert.com/ http://ocsp.digicert.com/
+
+  See :ref:`admin-ocsp-stapling` for more details.
 
 The following changes have been made to the :file:`sni.yaml` file: