docs: rewrite certificate validation page following doc guidelines

Author: RomuDeuxfois

docs/deployment/certificate-validation.md

@@ -1,59 +1,63 @@
 # Certificate validation
 
-This page explains how OpenAEV handles TLS/SSL certificate validation on the server side, and how administrators can enforce or relax certificate checks depending on their environment.
+OpenAEV enforces TLS/SSL certificate validation on the server side by default. This page explains how to configure certificate trust for outgoing and incoming connections.
 
-## Overview
+## What is this?
 
-By default, OpenAEV **enforces certificate validation** for all outgoing HTTPS connections (to injectors, collectors, external APIs, etc.). This means that the server will reject connections to endpoints presenting invalid, expired, or untrusted certificates.
+Certificate validation ensures that OpenAEV only communicates with trusted endpoints. When OpenAEV connects to injectors, collectors, or external APIs over HTTPS, it verifies that the remote certificate is valid, not expired, and issued by a trusted Certificate Authority (CA).
 
-OpenAEV provides several configuration options to control this behavior:
+## Why does it matter?
 
-- **Strict mode (default):** Only connections with valid, trusted certificates are allowed.
-- **Unsecured mode:** Self-signed or untrusted certificates are accepted (useful for development or air-gapped environments).
-- **Custom trust store:** Add your own CA or self-signed certificates to the trust chain without disabling validation entirely.
+- **Security** — Prevents man-in-the-middle (MITM) attacks on all outgoing connections.
+- **Compliance** — Many security frameworks require strict TLS validation in production.
+- **Flexibility** — OpenAEV supports custom trust stores, so you can trust internal CAs without disabling validation.
 
-## Configuration parameters
+## Outgoing connections (OpenAEV as client)
 
-### Enforce strict certificate validation (default)
+### Strict validation (default)
 
-By default, no additional configuration is needed. OpenAEV validates all TLS certificates against the JVM's default trust store (Java `cacerts`).
+By default, OpenAEV validates all outgoing TLS certificates against the JVM's default trust store (`cacerts`). No configuration is needed.
 
-To explicitly ensure strict validation is enforced, verify the following:
+| Parameter | Environment variable | Default | Description |
+|:--|:--|:--|:--|
+| `openaev.unsecured-certificate` | `OPENAEV_UNSECURED-CERTIFICATE` | `false` | Reject untrusted SSL certificates |
 
-| Parameter                     | Environment variable            | Value   | Description                                          |
-|:------------------------------|:--------------------------------|:--------|:-----------------------------------------------------|
-| openaev.unsecured-certificate | OPENAEV_UNSECURED-CERTIFICATE   | `false` | Reject self-signed or untrusted SSL certificates     |
+⚠️ **Warning** — Keep this set to `false` in production. Setting it to `true` disables certificate chain validation for **all** outgoing connections and exposes the platform to MITM attacks.
 
-!!! warning "Production recommendation"
+### Allow self-signed certificates (dev/test only)
 
-    In production environments, `openaev.unsecured-certificate` should **always** be set to `false` (the default). Enabling unsecured certificates bypasses critical security checks and exposes the platform to man-in-the-middle attacks.
+For development or air-gapped environments with self-signed certificates, disable strict validation:
 
-### Allow self-signed or untrusted certificates
-
-If your environment uses self-signed certificates (e.g., internal PKI, development setups, air-gapped networks), you can disable strict validation:
+```yaml
+services:
+  openaev:
+    image: openaev/platform:latest
+    environment:
+      - OPENAEV_UNSECURED-CERTIFICATE=true
+```
 
-| Parameter                     | Environment variable            | Value  | Description                                              |
-|:------------------------------|:--------------------------------|:-------|:---------------------------------------------------------|
-| openaev.unsecured-certificate | OPENAEV_UNSECURED-CERTIFICATE   | `true` | Accept self-signed or untrusted SSL certificates         |
+⚠️ **Warning** — Use this only in controlled, non-production environments.
 
-!!! danger "Security risk"
+### Add custom trusted certificates (recommended)
 
-    Setting `openaev.unsecured-certificate` to `true` disables certificate chain validation for **all** outgoing connections. This should only be used in controlled, non-production environments.
+Instead of disabling validation, add your internal CA or self-signed certificates to the OpenAEV trust store:
 
-### Add custom trusted certificates (recommended approach)
+| Parameter | Environment variable | Default | Description |
+|:--|:--|:--|:--|
+| `openaev.extra-trusted-certs-dir` | `OPENAEV_EXTRA-TRUSTED-CERTS-DIR` | — | Directory containing additional trusted PEM certificates |
 
-Instead of disabling validation entirely, you can add your own trusted certificates (e.g., internal CA, self-signed certs for third-party integrations like CrowdStrike, Tanium, SentinelOne) to the OpenAEV trust store:
+**Requirements:**
 
-| Parameter                       | Environment variable              | Default | Description                                                    |
-|:--------------------------------|:----------------------------------|:--------|:---------------------------------------------------------------|
-| openaev.extra-trusted-certs-dir | OPENAEV_EXTRA-TRUSTED-CERTS-DIR   |         | Local directory containing additional trusted PEM certificates |
+- Certificate files must be in **PEM format** (`.pem`) or **DER-encoded X.509** format.
+- The directory must be readable by the OpenAEV process.
 
-**Requirements:**
+### Example
 
-- Certificate files must be in **PEM-armoured format** (`.pem` extension) or **DER-encoded X509** format.
-- The directory must be accessible by the OpenAEV process.
+You have an internal CA that signs certificates for your CrowdStrike and Tanium integrations.
 
-**Example with Docker Compose:**
+1. Export your internal CA certificate as `internal-ca.pem`.
+2. Place it in a `./my-custom-certs/` directory on the host.
+3. Mount it into the container:
 
 ```yaml
 services:
@@ -65,25 +69,23 @@ services:
       - ./my-custom-certs:/opt/openaev/certs:ro
 ```
 
-Place your `.pem` certificate files in the `./my-custom-certs` directory on the host.
-
-!!! tip "Best practice"
+OpenAEV now trusts your internal CA **while keeping strict validation** for everything else.
 
-    Using `openaev.extra-trusted-certs-dir` is the **recommended approach** for environments with internal CAs or self-signed certificates. It allows you to maintain strict certificate validation while trusting specific certificates.
+💡 **Tip** — This is the recommended approach for production environments with internal PKI.
 
-## Server-side SSL/TLS (incoming connections)
+## Incoming connections (TLS termination)
 
-OpenAEV can also terminate TLS directly (without a reverse proxy) using the built-in Spring Boot SSL support:
+OpenAEV can terminate TLS directly using Spring Boot's built-in SSL support, without a reverse proxy.
 
-| Parameter                    | Environment variable         | Default value         | Description              |
-|:-----------------------------|:-----------------------------|:----------------------|:-------------------------|
-| server.ssl.enabled           | SERVER_SSL_ENABLED           | `false`               | Enable SSL on the server |
-| server.ssl.key-store-type    | SERVER_SSL_KEY-STORE-TYPE    | PKCS12                | Keystore type            |
-| server.ssl.key-store         | SERVER_SSL_KEY-STORE         | classpath:localhost.p12 | Keystore path          |
-| server.ssl.key-store-password| SERVER_SSL_KEY-STORE-PASSWORD| admin                 | Keystore password        |
-| server.ssl.key-alias         | SERVER_SSL_KEY-ALIAS         | localhost             | Key alias in keystore    |
+| Parameter | Environment variable | Default | Description |
+|:--|:--|:--|:--|
+| `server.ssl.enabled` | `SERVER_SSL_ENABLED` | `false` | Enable SSL on the server |
+| `server.ssl.key-store-type` | `SERVER_SSL_KEY-STORE-TYPE` | `PKCS12` | Keystore type |
+| `server.ssl.key-store` | `SERVER_SSL_KEY-STORE` | `classpath:localhost.p12` | Keystore path |
+| `server.ssl.key-store-password` | `SERVER_SSL_KEY-STORE-PASSWORD` | `admin` | Keystore password |
+| `server.ssl.key-alias` | `SERVER_SSL_KEY-ALIAS` | `localhost` | Key alias in keystore |
 
-**Example configuration:**
+### Example
 
 ```yaml
 services:
@@ -100,26 +102,29 @@ services:
       - ./keystore.p12:/opt/openaev/keystore.p12:ro
 ```
 
-!!! note "Reverse proxy"
-
-    Most production deployments terminate TLS at a reverse proxy (Nginx, Traefik, HAProxy) rather than on the OpenAEV server itself. In that case, leave `server.ssl.enabled` as `false` and configure TLS on your reverse proxy. Make sure to set `openaev.cookie-secure=true` if the end-user connection is over HTTPS.
+💡 **Tip** — Most production deployments terminate TLS at a reverse proxy (Nginx, Traefik, HAProxy). In that case, leave `server.ssl.enabled=false` and set `openaev.cookie-secure=true` if end-users connect over HTTPS.
 
 ## Proxy support
 
 If OpenAEV connects to external services through a proxy, enable proxy support:
 
-| Parameter            | Environment variable   | Default | Description                      |
-|:---------------------|:-----------------------|:--------|:---------------------------------|
-| openaev.with-proxy   | OPENAEV_WITH-PROXY     | `false` | Enable proxy environment support |
+| Parameter | Environment variable | Default | Description |
+|:--|:--|:--|:--|
+| `openaev.with-proxy` | `OPENAEV_WITH-PROXY` | `false` | Enable proxy environment support |
 
 When enabled, OpenAEV respects the standard `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
 
-## Summary: which option to choose?
+## Quick reference
+
+| Scenario | Configuration |
+|:--|:--|
+| Production with public CA-signed certificates | Default (no changes needed) |
+| Internal CA or self-signed certs for integrations | `openaev.extra-trusted-certs-dir` → your PEM directory |
+| Development / testing | `openaev.unsecured-certificate=true` (temporary only) |
+| TLS termination on OpenAEV | `server.ssl.enabled=true` + keystore config |
+| TLS termination on reverse proxy | `server.ssl.enabled=false` + `openaev.cookie-secure=true` |
+
+## What's next?
 
-| Scenario                                          | Recommended configuration                                                        |
-|:--------------------------------------------------|:---------------------------------------------------------------------------------|
-| Production with public CA-signed certificates     | Default settings (no changes needed)                                             |
-| Internal CA or self-signed certs for integrations | `openaev.extra-trusted-certs-dir` pointing to your PEM certificates directory    |
-| Development / testing environment                 | `openaev.unsecured-certificate=true` (temporary only)                            |
-| TLS termination on OpenAEV server                 | `server.ssl.enabled=true` + keystore configuration                               |
-| TLS termination on reverse proxy                  | `server.ssl.enabled=false` + `openaev.cookie-secure=true`                        |
+- [Configuration reference](../configuration.md) — Full list of OpenAEV platform parameters.
+- [Deployment overview](../overview.md) — Architecture and deployment options.