docs(mender-gateway): clarification regarding intermediate ca

[oldgiova]

The intermediate CA could stay at the client side, and it's a suggested approach for easy certificate rotation. This new section should clarify that.

External Contributor Checklist

🚨 Please review the guidelines for contributing to this repository.

• Make sure that all commits follow the conventional commit specification for the Mender project.

The majority of our contributions are fixes, which means your commit should have
the form below:

fix: <SHORT DESCRIPTION OF FIX>

<OPTIONAL LONGER DESCRIPTION>

Changelog: <USER-FRIENDLY-CHANGE-DESCRIPTION> or <None>
Ticket: <TICKET NUMBER> or <None>

• Make sure that all commits are signed with git --signoff. Also note that the signoff author must match the author of the commit.

Description

The intermediate CA could stay at the client side, and it's a suggested approach for easy certificate rotation. This new section should clarify that.

Thank you!

Co-authored-with: Claude

[oldgiova]

Test rendering:

[nt-alan]

AFAIC a table only makes it too complicated to practically digest and is crammed in the wrong section (section tries to solve too many things at once).

I would rather have it here:
https://docs.mender.io/server-integration/mender-gateway/mutual-tls-authentication
as a separate chapter on gateway cert rotations.

And instead of a table a working example.

[oldgiova]

AFAIC a table only makes it too complicated to practically digest and is crammed in the wrong section (section tries to solve too many things at once).

I would rather have it here: https://docs.mender.io/server-integration/mender-gateway/mutual-tls-authentication as a separate chapter on gateway cert rotations.

And instead of a table a working example.

Docs refactored

[nt-alan]

Suggested change

	You would rotate the intermediate CA if the old one is about to expire or if you have suspicions it was compromised. For the expiration case the old certificate will just stop being valid as some point it time, but for the compromised case you need to take explicit action.
	!! For case of a compromised certificate you will need to___ **do what?**

[oldgiova]

I think this is a good call for a dedicated section like: "how to deal with a compromised certiifcate"

[oldgiova]

Here's the follow up for this: 5045e35

[nt-alan]

Suggested change

	The gateway accepts both `device-chain.pem` (v1) and `device-v2-chain.pem` (v2) because both intermediate CAs chain up to the trusted Root CA. Decommission v1 devices at your own pace.
	The gateway accepts both `device-chain.pem` (v1) and `device-v2-chain.pem` (v2) because both intermediate CAs chain up to the trusted Root CA. Update the v1 certificates on the devices at your own pace.

Reads weird that you'd be decommission devices just for a cert change.

[nt-alan]

Thanks, much better readability.

Seems to be a difference between a "expiring intermediate certificate" and "revoking a intermediate certificate".
With the naive setup we had a rotation would solve the revoking part as well, but with this setup the revoked certificate needs some kind of dedicated blackilisting.
That step seems to be missing.

Once we solve that, I think we should just default to this kind of key generation for the default gateway evaluation instead having multiple different ways.

[oldgiova]

a rotation would solve the revoking part as well, but with this setup the revoked certificate needs some kind of dedicated blackilisting. That step seems to be missing.

Added to a dedicated section. However please note that to address a compromised cert it's not enough to just change the CA; most of the time you also have to replace the full root CA

[nt-alan]

@oldgiova
Will have to set aside some time to reread this, but afaic this all makes sense.

I want to set the intermediate CE setup as the default case for the mtls eval.
Don't see much value to have the root CE approach for eval and then a dedicated section that has intermediate CE.

Lets see how it goes, feel like we can share a cup of coffee to agree on the high level structure, so whoever ends up working on this first can send the coffee invite :)