Add include Root CA on PKI syncs docs

Carlos Monastyrski
2025-11-20 17:16:15 -03:00
parent b8c7eb0c18
commit b255a202a6
9 changed files with 15 additions and 0 deletions

@@ -39,6 +39,7 @@ These permissions allow Infisical to list, import, tag, and manage certificates
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Preserve ARN on Renewal**: If enabled, Infisical will sync renewed certificates to the destination under the same ARN as the original synced certificate instead of creating a new certificate with a new ARN.
- **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to AWS Certificate Manager. If disabled, only intermediate certificates will be included.
- **Certificate Name Schema** (Optional): Customize how certificate tags are generated in AWS Certificate Manager. Must include `{{certificateId}}` as a placeholder for the certificate ID to ensure proper certificate identification and management. If not specified, defaults to `Infisical-{{certificateId}}`.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
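
Review bot: the new **Include Root CA** bullet does not say what the option defaults to, while the **Certificate Name Schema** bullet right after it spells out its default. The samples in this file set `"includeRootCa": false`; if that is also the default when the option is left untouched, say so in the bullet (for example "Disabled by default.").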
@@ -86,6 +87,7 @@ These permissions allow Infisical to list, import, tag, and manage certificates
"syncOptions": {
"canRemoveCertificates": true,
"preserveArnOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"destinationConfig": {
@@ -110,6 +112,7 @@ These permissions allow Infisical to list, import, tag, and manage certificates
"syncOptions": {
"canRemoveCertificates": true,
"preserveArnOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",

@@ -41,6 +41,7 @@ Any role with these permissions would work such as a custom policy with **Secret
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Preserve Secret on Renewal**: Only applies to certificate renewals. When a certificate is renewed in Infisical, this option controls how the renewed certificate is handled. If enabled, the renewed certificate will update the existing secret, preserving the same secret name. If disabled, the renewed certificate will be created as a new secret with a new name.
- **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to AWS Secrets Manager. If disabled, only intermediate certificates will be included.
- **Certificate Name Schema** (Optional): Customize how secret names are generated in AWS Secrets Manager. Use `{{certificateId}}` as a placeholder for the certificate ID.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
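
Review bot: the **Include Root CA** bullet speaks of "the certificate chain" but does not say which secret field the chain is written to. The samples further down in this file carry a `fieldMappings` object next to `includeRootCa` (only its `certificate` entry is visible in the diff), so the bullet should name the mapped field whose content this option changes.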
@@ -119,6 +120,7 @@ Any role with these permissions would work such as a custom policy with **Secret
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",
@@ -152,6 +154,7 @@ Any role with these permissions would work such as a custom policy with **Secret
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "infisical-{{certificateId}}",
"fieldMappings": {
"certificate": "certificate",
@@ -184,6 +187,7 @@ Any role with these permissions would work such as a custom policy with **Secret
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",

@@ -40,6 +40,7 @@ Any role with these permissions would work such as the **Key Vault Certificates
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Enable Versioning on Renewal**: If enabled, Infisical will sync renewed certificates to the destination under a new version of the original synced certificate instead of creating a new certificate.
- **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to Azure Key Vault. If disabled, only intermediate certificates will be included.
- **Certificate Name Schema** (Optional): Customize how certificate names are generated in Azure Key Vault. Use `{{certificateId}}` as a placeholder for the certificate ID. If not specified, defaults to `Infisical-{{certificateId}}`.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
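
Review bot: "If disabled, only intermediate certificates will be included" in the **Include Root CA** bullet leaves out the case of a certificate issued directly by the Root CA, where there are no intermediates. State what is synced to Azure Key Vault as the chain in that case.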
@@ -93,6 +94,7 @@ Any role with these permissions would work such as the **Key Vault Certificates
"syncOptions": {
"canRemoveCertificates": true,
"enableVersioningOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"destinationConfig": {
@@ -117,6 +119,7 @@ Any role with these permissions would work such as the **Key Vault Certificates
"syncOptions": {
"canRemoveCertificates": true,
"enableVersioningOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",

@@ -40,6 +40,7 @@ Any role with these permissions would work such as a custom role with **Data Bag
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Preserve Data Bag Item on Renewal**: Only applies to certificate renewals. When a certificate is renewed in Infisical, this option controls how the renewed certificate is handled. If enabled, the renewed certificate will update the existing data bag item, preserving the same item name. If disabled, the renewed certificate will be created as a new data bag item with a new name.
- **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to Chef data bags. If disabled, only intermediate certificates will be included.
- **Certificate Name Schema** (Optional): Customize how certificate item names are generated in Chef data bags. Use `{{certificateId}}` as a placeholder for the certificate ID.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
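
Review bot: the **Include Root CA** bullet does not say whether changing the option on an existing sync rewrites data bag items that were already synced, or only applies to later syncs and renewals. The neighbouring **Preserve Data Bag Item on Renewal** and **Auto-Sync Enabled** bullets both describe when items are written, so one sentence on this would close the gap.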
@@ -120,6 +121,7 @@ Any role with these permissions would work such as a custom role with **Data Bag
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",
@@ -152,6 +154,7 @@ Any role with these permissions would work such as a custom role with **Data Bag
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "{{commonName}}-{{certificateId}}",
"fieldMappings": {
"certificate": "certificate",
@@ -183,6 +186,7 @@ Any role with these permissions would work such as a custom role with **Data Bag
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",

@@ -83,6 +83,7 @@ should be synced. Follow these steps to start syncing:
- <strong>Certificates:</strong> The certificates you wish to push to the destination.
- <strong>Options:</strong> Customize how certificates should be synced, including:
- Whether certificates should be removed from the destination when they expire.
- Whether to include the Root CA certificate in the certificate chain.
- Certificate naming schema to control how certificate names are generated in
the destination.
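
Review bot: the added overview bullet "Whether to include the Root CA certificate in the certificate chain." says what the option is but not when to use it, and the destination bullets in this commit only repeat the mechanics. A clause here would help, for example that the root is useful to consumers that need the full chain in one bundle, and that placing it in the chain does not replace distributing the root as a trust anchor.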

Binary files not shown: four image files changed (420 KiB to 378 KiB, 375 KiB to 381 KiB, 432 KiB to 375 KiB, 362 KiB to 370 KiB).