Fix: clarify managed v. deployed certs

[mjang]

Proposed changes

Closes #256

Checklist

Before merging a pull request, run through this checklist and mark each as complete.

• I have read the contributing guidelines
• I have signed the F5 Contributor License Agreement (CLA)
• I have rebased my branch onto main
• I have ensured my PR is targeting the main branch and pulling from my branch from my own fork
• I have ensured that the commit messages adhere to Conventional Commits
• I have ensured that documentation content adheres to the style guide
• If the change involves potentially sensitive changes¹, I have assessed the possible impact
• If applicable, I have added tests that prove my fix is effective or that my feature works
• I have ensured that existing tests pass after adding my changes
• If applicable, I have updated README.md and CHANGELOG.md

Footnotes

1. Potentially sensitive changes include anything involving code, personally identify information (PII), live URLs or significant amounts of new or revised documentation. Please refer to our style guide for guidance about placeholder content. ↩

[github-actions]

✅ Deploy Preview will be available once build job completes!

Name	Link
😎 Deploy Preview	https://frontdoor-test-docs.nginx.com/previews/docs/291/

---

[mjang]

@sylwang I hope this is more clear! (based on #256 )

[sylwang]

Suggested change

You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).

From the configuration editor where you normally modify NGINX configuration files of an independent instance or Config Sync Group, you can click on the "delete" icon of a managed certificate object that was previously deployed to the instance or Config Sync Group. You should be able to see the file paths where it was deployed to. Deleting the managed certificate from the NGINX configuration editor will remove the certificate files from those file paths. If the certificate object is a certificate-key pair, and the private key was deployed, you could optionally choose to delete the deployed key from the independent instance or Config Sync Group, by clicking on the "delete" icon next to the private key file.

Here is a rough summary of what users could do. Feel free to change the wording and improve this paragraph further! : )

[mjang]

Suggested change

	You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).
	You can delete managed certificates in the following ways:
	- Navigate to [View and edit NGINX configurations]({{< relref "/nginx-one/how-to/nginx-configs/view-edit-nginx-configurations/" >}})
	- You can then delete the certificate from the Instance of your choice.
	- Navigate to [Manage Config Sync Groups]({{< relref "/nginx-one/how-to/config-sync-groups/manage-config-sync-groups" >}})
	- You can then delete the certificate from the Config Sync Group of your choice.
	- Review the list of existing certificates
	- From the **Actions** menu, you can then delete that certificate

[sylwang]

• Review the list of existing certificates
  • From the Actions menu, you can then delete that certificate

This would be incorrect. The "Actions" menu is from the cert management page, where users can choose to delete a certificate object from N1 Console. However, the contexts here are that users can remove a deployed certificate file from an instance or a CSG. If users want to remove a cert deployment from a specific instance or CSG, they should only be able to do that through the config editor (where users edit NGINX configuration for an instance or a CSG). It would also be helpful to clarify that when users click on the delete icon from the config editor, they would delete the deployed certificate or key file from specific file paths.

• Navigate to [Manage Config Sync Groups]({{< relref "/nginx-one/how-to/config-sync-groups/manage-config-sync-groups" >}})
  • You can then delete the certificate from the Config Sync Group of your choice.

https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/nginx-configs/manage-config-sync-groups/
In addition, I wasn't able to find any instructions on how users could delete the certificate from a Config Sync Group in this page, so this could be confusing to the reader.

I'm thinking that deleting a certificate file is a special case for deleting an aux file. Since we have a page that documents how to add a file, should we also add a new page that documents how to remove a file? That might be easier in comparison to trying to fit all the details into a small section in the cert management doc.
https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/nginx-configs/add-file/
https://frontdoor-test-docs.nginx.com/previews/docs/291/nginx-one/how-to/config-sync-groups/add-file-csg/

[mjang]

I'm realizing that our coverage of "Edit Configuration" for instances and CSGs are haphazard. I'm going to address @sylwang 's comments, and later, address #427 to "unify" the messaging.

[mjang]

@sylwang see: https://github.com/nginx/documentation/pull/291/files#diff-2445ce44d5814d8ceb795a09fa3672417a9d86c176326cf9ecbc3036b8fc5702R170-R178

[sylwang]

Suggested change

	Every Instance with a certificate includes paths to certificates in their configuration files. If you remove one certificate, that change is limited to that one Instance.
	For a managed certificate that was deployed from the console to your data plane instance, you might have chosen to reference the certificate in the NGINX configuration file, using the file paths specified in the certificate deployment. You can choose to remove those certificate references from the NGINX configuration file through the console. This will not affect the deployed certificate on your data plane instance. The certificate and private key files if deployed, will remain on the data plane instance.
	If you would like to delete those certificate and private key files from your data plane, follow the instructions above and click on the "delete" icon next to those files in the NGINX configuration editor.

[sylwang]

Hi @mjang, just checking in, what are your thoughts on this part of the doc?

[mjang]

I'd like to avoid references to "Data Plane", as we'll soon incorporate NGF data planes in N1C.

In any case, I think this is superseded by https://github.com/nginx/documentation/pull/291/files#diff-2445ce44d5814d8ceb795a09fa3672417a9d86c176326cf9ecbc3036b8fc5702R170-R178