Approving CSRs are two step process

modules/installation-approve-csrs.adoc

@@ -31,7 +31,7 @@ endif::[]
 [id="installation-approve-csrs_{context}"]
 = Approving the certificate signing requests for your machines
 
-When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself.
+When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
 
 .Prerequisites
 
@@ -64,7 +64,7 @@ The output lists all of the machines that you created.
 The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved.
 ====
 
-. Review the pending CSRs and ensure that you see a client and server request with the `Pending` or `Approved` status for each machine that you added to the cluster:
+. Review the pending CSRs and ensure that you see the client requests with the `Pending` or `Approved` status for each machine that you added to the cluster:
 +
 ifndef::ibm-z,ibm-z-kvm[]
 [source,terminal]
@@ -76,17 +76,12 @@ $ oc get csr
 [source,terminal]
 ----
 NAME        AGE     REQUESTOR                                                                   CONDITION
-csr-8b2br   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending <1>
+csr-8b2br   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
 csr-8vnps   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
-csr-bfd72   5m26s   system:node:ip-10-0-50-126.us-east-2.compute.internal                       Pending <2>
-csr-c57lv   5m26s   system:node:ip-10-0-95-157.us-east-2.compute.internal                       Pending
 ...
 ----
-<1> A client request CSR.
-<2> A server request CSR.
 +
-In this example, two machines are joining the cluster. You might see more
-approved CSRs in the list.
+In this example, two machines are joining the cluster. You might see more approved CSRs in the list.
 endif::ibm-z,ibm-z-kvm[]
 ifdef::ibm-z,ibm-z-kvm[]
 [source,terminal]
@@ -135,6 +130,39 @@ $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}
 Some Operators might not become available until some CSRs are approved.
 ====
 
+. Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster:
++
+[source,terminal]
+----
+$ oc get csr
+----
++
+.Example output
+[source,terminal]
+----
+NAME        AGE     REQUESTOR                                                                   CONDITION
+csr-bfd72   5m26s   system:node:ip-10-0-50-126.us-east-2.compute.internal                       Pending
+csr-c57lv   5m26s   system:node:ip-10-0-95-157.us-east-2.compute.internal                       Pending
+...
+----
+
+. If the remaining CSRs are not approved, and are in the `Pending` status, approve the CSRs for your cluster machines:
+
+** To approve them individually, run the following command for each valid CSR:
++
+[source,terminal]
+----
+$ oc adm certificate approve <csr_name> <1>
+----
+<1> `<csr_name>` is the name of a CSR from the list of current CSRs.
+
+** To approve all pending CSRs, run the following command:
++
+[source,terminal]
+----
+$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
+----
+
 . After all client and server CSRs have been approved, the machines have the `Ready` status. Verify this by running the following command:
 +
 [source,terminal]