[doc][yba] Update add certificates docs.

docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/add-certificate-self.md

@@ -23,9 +23,8 @@ Instead of using YugabyteDB Anywhere-provided certificates, you can use your own
 
 ## Prerequisites
 
-The certificates must meet the following criteria:
+The certificate and private key must be in PEM format.
 
-- Be in the `.crt` format and the private key must be in the `.pem` format, with both of these artifacts available for upload.
 
 YugabyteDB Anywhere produces the node (leaf) certificates from the uploaded certificates and copies the certificate chain, leaf certificate, and private key to the nodes in the cluster.
 
@@ -47,6 +46,14 @@ openssl pkcs12 -in cert-archive.pfx -out key.pem -nocerts -nodes
 
 If the key is protected by a passphrase in the PKCS12 archive, you are prompted for the passphrase.
 
+### Generate self-signed certificates
+
+You can generate self-signed certificates using openssl as follows:
+
+```sh
+openssl req -newkey rsa:2048 -nodes -keyout yugabyte_private_key.pem -x509 -days 365 -out yugabyte_cert.pem
+```
+
 ## Add self-signed certificates
 
 To add self-signed certificates to YugabyteDB Anywhere:
@@ -61,9 +68,9 @@ To add self-signed certificates to YugabyteDB Anywhere:
 
 1. In the **Certificate Name** field, enter a meaningful name for your certificate.
 
-1. Click **Upload Root Certificate**, then browse to the root certificate file (`<file-name>.crt`) and upload it.
+1. Click **Upload Root Certificate**, then browse to the root certificate file and upload it.
 
-1. Click **Upload Key**, then browse to the root certificate file (`<file-name>.key`) and upload it.
+1. Click **Upload Key**, then browse to the private key and upload it.
 
 1. In the **Expiration Date** field, specify the expiration date of the root certificate. To find this information, execute the `openssl x509 -in <root-crt-file-path> -text -noout` command and note the **Validity Not After** date.
 

docs/content/preview/yugabyte-platform/security/enable-encryption-in-transit/rotate-certificates.md

@@ -12,46 +12,87 @@ menu:
 type: docs
 ---
 
-You can rotate certificates for universes configured with the same type of certificates. This involves replacing existing certificates with new database node certificates.
-
-Before rotating certificates, ensure that you have added the certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/).
+Before rotating certificates, ensure that you have added the new certificates to YugabyteDB Anywhere. Refer to [Add certificates](../add-certificate-self/).
 
 Rotating the CA certificate on the source universe with xCluster Replication causes replication to pause. You should [restart replication](../../../manage-deployments/xcluster-replication/xcluster-replication-setup/#restart-replication) after completing the CA certificate rotation on the source universe.
 
-**Client-to-node certificates**
+## Enable or disable encryption in transit
 
-Regardless of whether the client-to-node certificates are expired or not expired, you can always trigger a rolling upgrade to rotate the certificates.
+You can enable or disable:
 
-- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime.
-- If the universe was created after v2.16.6, then the rotation can be done without a restart and no downtime.
+- encryption in transit for the universe
+- node-to-node encryption in transit
+- client-to-node encryption in transit
 
-**Node-to-node certificates**
+This requires a simultaneous restart of all nodes, resulting in some downtime.
+
+To enable or disable encryption in transit:
+
+1. Navigate to your universe.
+
+1. Click **Actions > More > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog.
+
+    ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png)
+
+1. Set the **Enable encryption in transit for this Universe** option.
 
-If the certificate has expired, the rotation requires a simultaneous restart of all nodes, resulting in some downtime.
+1. On the **Certificate Authority** tab, set the **Enable Node to Node Encryption** and **Enable Client to Node Encryption** options.
 
-If the certificate has not expired, the rotation can be done using a rolling upgrade.
+1. If you are enabling node-to-node or client-to-node encryption, select the root certificate to use, or leave the **Select root certificate** field empty to have YugabyteDB Anywhere generate a self-signed certificate.
 
-- If the universe was created before v2.16.6, then the rotation requires a restart, which can be done in a rolling manner with no downtime.
-- If the universe is created after v2.16.6, then the rotation can be done without a restart and no downtime.
+1. Click **Apply**.
 
-You can always opt to not perform rolling updates to update all nodes at the same time, but this will result in downtime.
+YugabyteDB Anywhere restarts the universe.
 
 ## Rotate certificates
 
-To modify encryption in transit settings and rotate certificates for a universe, do the following:
+**Node-to-node certificates**
+
+If your node-to-node root certificate has expired, rotation requires a simultaneous restart of all nodes, resulting in some downtime.
+
+If the certificate has not expired:
+
+- If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, then the rotation requires a restart, which can be done in a rolling manner with no downtime. You can opt to not perform a rolling update to update all nodes at the same time, but this will result in downtime.
+- If the universe was created using YugabyteDB Anywhere v2.16.6 or later, then the rotation is done without a restart and no downtime.
+
+**Client-to-node certificates**
+
+If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, then the rotation requires a restart, which can be done in a rolling manner with no downtime, regardless of whether the client-to-node certificates are expired or not expired.
+
+If the universe was created using YugabyteDB Anywhere v2.16.6 or later, then the rotation is done without a restart and no downtime.
+
+If you change your client-to-node root certificate, be sure to update your clients and applications to use the new certificate.
+
+### Rotate server certificates
+
+To rotate server (node) certificates for a universe, do the following:
 
 1. Navigate to your universe.
 
-1. Click **Actions > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog.
+1. Click **Actions > More > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog.
 
-    ![Rotate certificates](/images/yp/encryption-in-transit/rotate-cert.png)
+1. On the **Server Certificate** tab, select the **Rotate Node-to-Node Server Certificate** and **Rotate Client-to-Node Server Certificate** options as appropriate.
+
+1. If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, select the **Use rolling upgrade to apply this change** option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades. Otherwise, deselect this option to perform a hot certificate reload with no downtime.
+
+1. Click **Apply**.
+
+### Rotate root certificates
+
+To rotate root certificates for a universe, do the following:
+
+1. Navigate to your universe.
+
+1. Click **Actions > More > Edit Security > Encryption in-Transit** to open the **Manage encryption in transit** dialog.
+
+1. On the **Certificate Authority** tab, select the new root certificate(s).
 
-1. To rotate the CA certificate, on the **Certificate Authority** tab, select the new CA certificate(s).
+    If your certificate is not listed, ensure you have [added the certificate](../add-certificate-ca/) to YugabyteDB Anywhere.
 
-    If you wish to have YBA generate a new self-signed CA certificate [automatically](../auto-certificate/), delete the root certificate field.
+    To have YBA generate a new self-signed CA certificate [automatically](../auto-certificate/), clear the root certificate field.
 
-1. To rotate the server certificates, on the **Server Certificate** tab, select the **Rotate Node-to-Node Server Certificate** and **Rotate Client-to-Node Server Certificate** options as appropriate.
+    Note that when you rotate the root certificate, the server certificates are automatically rotated.
 
-1. Select the **Use rolling upgrade to apply this change** option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades.
+1. If the universe was created using YugabyteDB Anywhere v2.16.5 and earlier, select the **Use rolling upgrade to apply this change** option to perform the upgrade in a rolling update (recommended) and enter the number of seconds to wait between node upgrades. Otherwise, deselect this option to perform a hot certificate reload with no downtime.
 
 1. Click **Apply**.