further progress on docs

docs/docs.json

@@ -736,6 +736,16 @@
                       "documentation/platform/pki/certificates/certificates"
                     ]
                   },
+                  {
+                    "group": "Enrollment Methods",
+                    "pages": [
+                      "documentation/platform/pki/enrollment-methods/overview",
+                      "documentation/platform/pki/enrollment-methods/api",
+                      "documentation/platform/pki/enrollment-methods/est",
+                      "documentation/platform/pki/enrollment-methods/acme",
+                      "documentation/platform/pki/enrollment-methods/scep"
+                    ]
+                  },
                   "documentation/platform/pki/subscribers",
                   "documentation/platform/pki/certificates",
                   "documentation/platform/pki/est",

docs/documentation/platform/pki/certificates/certificates.mdx

@@ -2,3 +2,10 @@
 title: "Certificates"
 sidebarTitle: "Certificates"
 ---
+
+## Concept
+
+A certificate is the actual X.509 certificate issued for a certificate profile.
+
+Once issued, a certificate is kept track of in the certificate inventory
+where you can manage various aspects of its lifecycle including deployment to cloud key stores, server-side auto-renewal behavior, revocation, and more.

docs/documentation/platform/pki/certificates/overview.mdx

@@ -3,12 +3,12 @@ title: "Overview"
 sidebarTitle: "Overview"
 ---
 
-To issue a certificate with Infisical, you'll need to create a certificate profile and a certificate template to go along with it.
+To issue a certificate with Infisical, you create a certificate profile and a certificate template to go along with it. You then issue a certificate by making a request against that specific profile.
 
 There are three components to understand:
 
-- [Certificate Profile](/documentation/platform/pki/certificates/profiles): A configuration set specifying how certificates should be issued under that profile including the [issuing CA](/documentation/platform/pki/ca/overview), a certificate template, and the enrollment method (such as ACME, EST, API, etc.) used to enroll certificates. When requesting a certificate, you issue it against a specific profile.
+- [Certificate Profile](/documentation/platform/pki/certificates/profiles): A configuration set specifying how certificates should be issued under that profile including the [issuing CA](/documentation/platform/pki/ca/overview), a certificate template, and the enrollment method (such as ACME, EST, API, etc.) used to enroll certificates.
 
-- [Certificate Template](/documentation/platform/pki/certificates/templates): A policy specifying the structure and permitted attributes of a certificate, such as subject naming conventions, SAN fields, key usages, and extended key usages.
+- [Certificate Template](/documentation/platform/pki/certificates/templates): A policy structure specifying the permitted attributes for requested certificates including subject naming conventions, SAN fields, key usages, and extended key usages.
 
 - [Certificate](/documentation/platform/pki/certificates/certificate): The actual X.509 certificate issued for a profile. Once issued, a certificate kept track of in the certificate inventory.

docs/documentation/platform/pki/certificates/profiles.mdx

@@ -2,3 +2,25 @@
 title: "Certificate Profiles"
 sidebarTitle: "Profiles"
 ---
+
+## Concept
+
+A certificate profile is a configuration set specifying how leaf certificates should be issued for a group of end-entities including the [issuing CA](/documentation/platform/pki/ca/overview), a [certificate template](/documentation/platform/pki/certificates/templates), and the enrollment method (e.g. ACME, EST, API, etc.) used to enroll certificates.
+
+You typically request certificates against a certificate profile through its associated enrollment method. Each method defines its own interaction flow which you can read more about in its respective documentation.
+
+## Guide to Creating a Certificate Profile
+
+To create a certificate profile, head to your Certificate Management Project > Certificates > Certificate Profiles and press **Create Profile**.
+
+TODO: image
+
+Here's some guidance on each field:
+
+- Name: A slug-friendly name for the profile such as `web-servers`.
+- Description: An optional description for the profile.
+- Issuing CA: The [issuing CA](/documentation/platform/pki/ca/overview) that should be used to issue certificates for the profile.
+- Certificate Template: The [certificate template](/documentation/platform/pki/certificates/templates) that should be used to validate certificate requests for the profile.
+- Enrollment Method: The enrollment method that should be used to enroll certificates for the profile such as ACME, EST, API, etc.
+
+Depending on which enrollment method you choose, you may be presented with additional enrollment-specific configuration fields.

docs/documentation/platform/pki/certificates/templates.mdx

@@ -2,3 +2,27 @@
 title: "Certificate Templates"
 sidebarTitle: "Templates"
 ---
+
+## Concept
+
+A certificate template is a policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
+
+Each certificate requested against a profile is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
+
+## Guide to Creating a Certificate Template
+
+To create a certificate template, head to your Certificate Management Project > Certificates > Certificate Templates and press **Create Template**.
+
+TODO: image
+
+Here's some guidance on each field:
+
+- Template Name: The name of the template such as `tls-server`.
+- Description: An optional description for the template.
+- Subject Attributes: A list of common names that can be included in the certificate subject. Each row accepts a fixed value or pattern such as `example.com` or `*.example.com` and whether it is allowed or denied.
+- Subject Alternative Names (SANs): A list of SANs that can appear in the certificate. Each row accepts a SAN type (e.g. DNS, IP, Email, URI), a fixed value or pattern such as `example.com` or `*.example.com`, and an allow or deny flag.
+- Allowed Signature Algorithms: The set of signature algorithms permitted to sign certificates under this template such as `SHA256-RSA`, `SHA512-RSA`, etc.
+- Allowed Key Algorithms: The set of public key algorithms permitted for certificate requests such as `RSA-2048`, `RSA-4096`, etc.
+- Key Usages: The cryptographic purposes of the certificate such as Digital Signature, Key Encipherment, etc.
+- Extended Key Usages: The higher-level intended uses of the certificate such as Server Authentication, Client Authentication, etc.
+- Certificate Validity: The maximum lifetime of certificates that can be requested for certificates validated against this template. You can specify both a duration and unit (days, months, or years).

docs/documentation/platform/pki/enrollment-methods/acme.mdx

@@ -0,0 +1,4 @@
+---
+title: "Certificate Enrollment via ACME"
+sidebarTitle: "ACME"
+---

docs/documentation/platform/pki/enrollment-methods/api.mdx

@@ -0,0 +1,26 @@
+---
+title: "Certificate Enrollment via API"
+sidebarTitle: "API"
+---
+
+<Tabs>
+  <Tab title="API">
+    <ul>
+      <li>
+        Enable Auto-Renewal: Whether or not to opt-in issued certificates for
+        (server-side) auto-renewal.
+      </li>
+      <li>
+        Auto-Renewal Days: The number of days before the certificate expires to
+        trigger certificate renewal.
+      </li>
+    </ul>
+    <Note>
+      Note that auto-renewal only applies to certificates issued through
+      CSR-less enrollment where key generation is done internally by
+      Infisical; conversely certificates issued via CSR submission are not eligible for auto-renewal.
+    </Note>
+
+  </Tab>
+  <Tab title="EST">Test</Tab>
+</Tabs>

docs/documentation/platform/pki/enrollment-methods/est.mdx

@@ -0,0 +1,4 @@
+---
+title: "Certificate Enrollment via EST"
+sidebarTitle: "EST"
+---

docs/documentation/platform/pki/enrollment-methods/scep.mdx

@@ -0,0 +1,4 @@
+---
+title: "Certificate Enrollment via SCEP"
+sidebarTitle: "SCEP"
+---