update ova installation guide

Henry Zhang 2016-11-23 23:26:57 +08:00
parent 7e0305e37c
commit 810db2415f


@ -16,7 +16,10 @@ By default, Harbor stores user information in an internal database. Harbor can a
### Security ### Security
By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor. By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot based on its FQDN or IP address. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor.
Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address.
If Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed at the Docker client or VCH.
The self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. The self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings.
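Review bot: In the added paragraph, "its IP address must have a FQDN associated with it in the DNS server" contradicts the next sentence, which describes a working fallback to a certificate generated for the IP address; "should" matches the behaviour described. The paragraph also calls the server certificate "self-signed" while the added line after it says clients only need the certificate of Harbor's own CA, so wording such as "a certificate signed by Harbor's own CA" would make it clearer which certificate is re-generated and which one clients import. A short reason for the IP-only restriction would also help: a certificate generated for the IP address does not match when a client connects by name.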
@ -26,6 +29,8 @@ Harbor can be configured to use plain HTTP for some environments such as testing
Harbor can obtain IP address by DHCP. This is convenient for testing purpose. For a production system, it is recommended that static IP address and host name be used. Harbor can obtain IP address by DHCP. This is convenient for testing purpose. For a production system, it is recommended that static IP address and host name be used.
For the purpose of generating a self-signed certificate, it is recommended that a DNS record be added to associate Harbor's IP address with a FQDN. This is necessary for both static IP address and dynamic IP address acquired from DHCP. If a DNS record is missing for Harbor's IP address, Harbor can only be accessed by its IP address.
## Installation ## Installation
1. Download the OVA file to your local disk from the **[official release page](https://github.com/vmware/harbor/releases)**. 1. Download the OVA file to your local disk from the **[official release page](https://github.com/vmware/harbor/releases)**.
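Review bot: The added paragraph calls the DNS record "recommended" in its first sentence and "necessary" in the second; pick one. It also does not say which record is meant: the Security section describes Harbor resolving its IP address to a FQDN, which is a reverse (PTR) lookup, and clients that reach Harbor by name need the forward record as well. Since the Security section says the certificate is re-generated when the IP address changes, a sentence on what that means for a DHCP-assigned address would fit here.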
@ -123,7 +128,7 @@ Harbor can obtain IP address by DHCP. This is convenient for testing purpose. Fo
## Getting Certificate of Harbor's CA ## Getting Certificate of Harbor's CA
By default, Harbor uses a self-signed certificate in HTTPS. A Docker client or a VCH needs to trust Harbor's CA certificate in order to interact with Harbor. By default, Harbor uses a self-signed certificate in HTTPS. A Docker client or a VCH needs to trust the certificate of Harbor's CA in order to interact with Harbor.
To download the certificate of Harbor's CA and import into a Docker client, follow the below steps: To download the certificate of Harbor's CA and import into a Docker client, follow the below steps:
1. Log in Harbor's UI as an admin user. 1. Log in Harbor's UI as an admin user.
@ -132,12 +137,14 @@ To download the certificate of Harbor's CA and import into a Docker client, foll
![ova](img/ova/downloadcert.png) ![ova](img/ova/downloadcert.png)
4. Copy the certificate file to a Docker host, put it under the below directory. Replace **host_name_or_IP_of_Harbor** with the actual host name or IP address of Harbor instance. You may need to create the directory if it does not exist: 4. Copy the certificate file to a Docker host and put it under the below directory. Replace **FQDN_or_IP_of_Harbor** with the actual FQDN or IP address of Harbor instance. You may need to create the directory if it does not exist:
``` ```
/etc/docker/certs.d/host_name_or_IP_of_Harbor/ca.crt /etc/docker/certs.d/FQDN_or_IP_of_Harbor/ca.crt
``` ```
**Note:** If FQDN is used in the above directory, Harbor can be accessed by FQDN. Otherwise, Harbor should be accessed via IP address.
5. Restart Docker service. 5. Restart Docker service.
6. Run `docker login` to verify that HTTPS is working. 6. Run `docker login` command to verify that HTTPS is working.
To import the CA's certificate into VCH, complete Step 1-3 and refer to VCH's document for instructions. To import the CA's certificate into VCH, complete Step 1-3 and refer to VCH's document for instructions.
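Review bot: The added Note reads as if the directory name alone decides how Harbor can be reached, but per the Security section that depends on whether the certificate was generated for the FQDN or for the IP address. Suggest stating that the directory name must match the name the certificate was generated for, and that the same name must be used when logging in. Step 6 would be clearer with the argument shown, e.g. `docker login FQDN_or_IP_of_Harbor`.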