cert management: document pem bundle usage

Add a note to provide more detail about the require contents of
the 'pem' and 'root-ca' action parameters when uploading the
signed certificate for the Vault intermediate CA.

If external intermediate CA's are in use these must be provided
as part of the pem bundle for each parameter to ensure that a
full trust chain can be established.

Change-Id: I07f5da9ede2f29706505f9cd453438dde800c5b8
Closes-Bug: 1876192

deploy-guide/source/app-certificate-management.rst

@@ -100,6 +100,21 @@ Upload signed CSR and root CA cert to vault
         root-ca="$(cat /tmp/root-ca.pem | base64)" \
         allowed-domains='openstack.local'
 
+.. note::
+
+    The certificates provided via the 'pem' parameter must be a PEM bundle
+    containing the signed certificate, any intermediate CA certs external
+    to Vault and the root CA cert.  Without this information Vault cannot
+    verify the trust chain and will reject the provided certificate - see
+    `RFC5280`_ for more details about certificate paths and trust.
+
+    If external intermediate CAs are in use the root-ca PEM must also
+    be a PEM bundle including certs for all intermediate CAs and the root
+    CA.
+
+    For more details about the format of certificate PEM bundles see
+    `RFC7468`_.
+
 Vault issues certificates
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -144,3 +159,7 @@ must be run on the lead unit.
 .. code:: bash
 
    juju run-action vault/0 reissue-certificates
+
+.. LINKS
+.. _RFC5280: https://tools.ietf.org/html/rfc5280#section-3.2
+.. _RFC7468: https://tools.ietf.org/html/rfc7468#section-5