Fix: clarify managed v. deployed certs

[mjang]

Proposed changes

Closes #256

Checklist

Before merging a pull request, run through this checklist and mark each as complete.

• I have read the contributing guidelines
• I have signed the F5 Contributor License Agreement (CLA)
• I have rebased my branch onto main
• I have ensured my PR is targeting the main branch and pulling from my branch from my own fork
• I have ensured that the commit messages adhere to Conventional Commits
• I have ensured that documentation content adheres to the style guide
• If the change involves potentially sensitive changes¹, I have assessed the possible impact
• If applicable, I have added tests that prove my fix is effective or that my feature works
• I have ensured that existing tests pass after adding my changes
• If applicable, I have updated README.md and CHANGELOG.md

Footnotes

1. Potentially sensitive changes include anything involving code, personally identify information (PII), live URLs or significant amounts of new or revised documentation. Please refer to our style guide for guidance about placeholder content. ↩

[github-actions]

✅ Deploy Preview will be available once build job completes!

Name	Link
😎 Deploy Preview	https://frontdoor-test-docs.nginx.com/previews/docs/291/

---

[mjang]

@sylwang I hope this is more clear! (based on #256 )

[sylwang]

Removing a managed certificate from an instance or CSG will also remove the certificate files (and key files, for a cert-key pair) from the data plane instances.

[sylwang]

This is not true. Deploying a managed certificate under specified file paths down to a data plane is one action users could do. Referencing and using those deployed file paths in the NGINX configuration files is a separate action.

It is possible that users choose to deploy a managed certificate under specified file paths from the console, but they decided not to use them in the NGINX configuration files. They could also choose to reference those certificates in the NGINX configuration files later.

[sylwang]

If you remove one certificate, that change is limited to that one Instance.

Suggest adding more contexts here, or leave out this sentence. I'm not sure it would be necessary to mention this. From my perspective, users could have interpreted this message differently - for example, for a certificate that was deployed to multiple instances, any change to that certificate object itself would impact all the instances where it was deployed to.

My understanding is that this message tries to clarify what would happen if users make changes to cert references used in NGINX configuration files. In general, the common sense is that any change to NGINX configuration files for a specific NGINX instance would only affect that instance, so this would be another reason that this message is trivial and could lead to additional confusion.

[sylwang]

Suggested change

	Every Config Sync Group also includes paths toi _managed_ certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all Instances which belong to that Config Sync Group.
	Every Config Sync Group also includes paths to managed certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all Instances which belong to that Config Sync Group.

[sylwang]

To clearly distinguish from the section "Delete a managed certificate" below, I'd recommend keeping the terminology "deployed" in the title.

Suggested change

	## Remove a managed certificate
	## Delete a deployed certificate

From the config editor in the UI, users have an option "delete" to delete a deployed certificate from an instance or CSG. In the UI, we also use the term "cert deployment" in a few places. It would be good to stay consistent : )

[sylwang]

Suggested change

You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).

From the configuration editor where you normally modify NGINX configuration files of an independent instance or Config Sync Group, you can click on the "delete" icon of a managed certificate object that was previously deployed to the instance or Config Sync Group. You should be able to see the file paths where it was deployed to. Deleting the managed certificate from the NGINX configuration editor will remove the certificate files from those file paths. If the certificate object is a certificate-key pair, and the private key was deployed, you could optionally choose to delete the deployed key from the independent instance or Config Sync Group, by clicking on the "delete" icon next to the private key file.

Here is a rough summary of what users could do. Feel free to change the wording and improve this paragraph further! : )

[sylwang]

Suggested change

	Every Instance with a certificate includes paths to certificates in their configuration files. If you remove one certificate, that change is limited to that one Instance.
	For a managed certificate that was deployed from the console to your data plane instance, you might have chosen to reference the certificate in the NGINX configuration file, using the file paths specified in the certificate deployment. You can choose to remove those certificate references from the NGINX configuration file through the console. This will not affect the deployed certificate on your data plane instance. The certificate and private key files if deployed, will remain on the data plane instance.
	If you would like to delete those certificate and private key files from your data plane, follow the instructions above and click on the "delete" icon next to those files in the NGINX configuration editor.