Docs: Try to improve the docs about custom CAs

documentation/book/proc-installing-your-own-ca-certificates.adoc

@@ -10,12 +10,17 @@ This procedure describes how to install your own CA certificates and private key
 .Prerequisites
 
 * The Cluster Operator is running.
-* A `Kafka` resource within {ProductPlatformName}
-* Your own X.509 certificates and keys in PEM format for the cluster CA or clients CA. For example, these could be generated by `openssl`, using a command such as:
+* A Kafka cluster is not yet deployed
+* Your own X.509 certificates and keys in PEM format for the cluster CA or clients CA.
 +
-[source,shell,subs="+quotes"]
-openssl req -x509 -new -days _<validity>_ --nodes -out ca.crt -keyout ca.key
-
+** If you want to use cluster or clients CA which is not a Root CA, you have to include the whole chain in the certificate file.
+The chain should be in the following order:
++
+1. The cluster or clients CA
+2. One or more intermediate CAs
+3. The root CA
++
+** All CAs in the chain should be configured as a CA in the X509v3 Basic Constraints.
 
 .Procedure
 
@@ -29,11 +34,7 @@ On {KubernetesName}, run the following commands:
 # Delete any existing secret (ignore "Not Exists" errors)
 kubectl delete secret _<ca-cert-secret>_
 # Create and label the new one
-kubectl create secret generic _<ca-cert-secret>_ \
-  --from-file=ca.crt=_<ca-cert-file>_ \
-  && kubectl label secret _<ca-cert-secret>_ \
-  strimzi.io/kind=Kafka \
-  strimzi.io/cluster=_<my-cluster>_
+kubectl create secret generic _<ca-cert-secret>_ --from-file=ca.crt=_<ca-cert-file>_
 ----
 endif::Kubernetes[]
 +
@@ -44,11 +45,7 @@ On {OpenShiftName}, run the following commands:
 # Delete any existing secret (ignore "Not Exists" errors)
 oc delete secret _<ca-cert-secret>_
 # Create the new one
-oc create secret generic _<ca-cert-secret>_ \
-  --from-file=ca.crt=_<ca-cert-file>_ \
-  && oc label secret _<ca-cert-secret>_ \
-  strimzi.io/kind=Kafka \
-  strimzi.io/cluster=_<my-cluster>_
+oc create secret generic _<ca-cert-secret>_ --from-file=ca.crt=_<ca-cert-file>_
 ----
 
 . Put your CA key in the corresponding `Secret` (`_<cluster>_-cluster-ca` for the cluster CA or `_<cluster>_-clients-ca` for the clients CA)
@@ -61,11 +58,7 @@ On {KubernetesName}, run the following commands:
 # Delete the existing secret
 kubectl delete secret _<ca-key-secret>_
 # Create the new one
-kubectl create secret generic _<ca-key-secret>_ \
-  --from-file=ca.key=_<ca-key-file>_ \\
-  && kubectl label secret _<ca-key-secret>_ \
-  strimzi.io/kind=Kafka \
-  strimzi.io/cluster=_<my-cluster>_
+kubectl create secret generic _<ca-key-secret>_ --from-file=ca.key=_<ca-key-file>_
 ----
 endif::Kubernetes[]
 +
@@ -76,11 +69,27 @@ On {OpenShiftName}, run the following commands:
 # Delete the existing secret
 oc delete secret _<ca-key-secret>_
 # Create the new one
-oc create secret generic _<ca-key-secret>_ \
-  --from-file=ca.key=_<ca-key-file>_ \
-  && oc label secret _<ca-key-secret>_ \
-  strimzi.io/kind=Kafka \
-  strimzi.io/cluster=_<my-cluster>_
+oc create secret generic _<ca-key-secret>_ --from-file=ca.key=_<ca-key-file>_
+----
+
+. Label both `Secrets` with labels `strimzi.io/kind=Kafka` and `strimzi.io/cluster=_<my-cluster>_`:
+ifdef::Kubernetes[]
++
+On {KubernetesName}, run the following commands:
++
+[source,shell,subs="+quotes"]
+----
+kubectl label secret _<ca-cert-secret>_ strimzi.io/kind=Kafka strimzi.io/cluster=_<my-cluster>_
+kubectl label secret _<ca-key-secret>_ strimzi.io/kind=Kafka strimzi.io/cluster=_<my-cluster>_
+----
+endif::Kubernetes[]
++
+On {OpenShiftName}, run the following commands:
++
+[source,shell,subs="+quotes"]
+----
+oc label secret _<ca-cert-secret>_ strimzi.io/kind=Kafka strimzi.io/cluster=_<my-cluster>_
+oc label secret _<ca-key-secret>_ strimzi.io/kind=Kafka strimzi.io/cluster=_<my-cluster>_
 ----
 
 . Create the `Kafka` resource for your cluster, configuring either the `Kafka.spec.clusterCa` or the `Kafka.spec.clientsCa` object to _not_ use generated CAs: