clarify x509 rotation doc (#2485)

stormshield-gt · web-flow · commit 02bcdf5a5628 · 2026-03-16T17:05:53.000-05:00
Signed-off-by: stormshield-gt &lt;tudy.gourmelen@stormshield.eu&gt;
diff --git a/website/content/docs/secrets/pki/rotation-primitives.mdx b/website/content/docs/secrets/pki/rotation-primitives.mdx
@@ -472,22 +472,20 @@ automation level and operational awareness of the organization.
    manually and proactively. This step takes time, and depends on the
    types of certificates issued (e.g., server certs, code signing, or client
    auth).
-
-4. Once _all_ chains have been updated, new systems can be brought online
-   with only the new root certificate, and connect to all existing systems.
-
-5. Existing systems can now be migrated with a one-shot root switch: the
-   new root can be added and the old root can be removed at the same time.
-   Assuming the above step 3 can be achieved in a reasonable amount of time,
-   this decreases the time it takes to move the majority of systems over to
-   fully using the new root and no longer trusting the old root. This step
-   also takes time, depending on how quickly the organization can migrate
-   roots and ensure all such systems are migrated. If some systems are
-   offline and only infrequently online (or, if they have hard-coded
-   certificate stores and need to reach obsolescence first), the organization
-   might not be ready to move on to future steps.
-
-6. At this point, since all systems now use the new root, it is safe to remove
+4. Once _all_ chains have been updated:
+  - New systems can be brought online
+    with only the new root certificate, and connect to all existing systems.
+  - Existing systems can now be migrated with a one-shot root switch: the
+    new root can be added and the old root can be removed at the same time.
+    Assuming the above step 3 can be achieved in a reasonable amount of time,
+    this decreases the time it takes to move the majority of systems over to
+    fully using the new root and no longer trusting the old root. This step
+    also takes time, depending on how quickly the organization can migrate
+    roots and ensure all such systems are migrated. If some systems are
+    offline and only infrequently online (or, if they have hard-coded
+    certificate stores and need to reach obsolescence first), the organization
+    might not be ready to move on to future steps.
+5. At this point, since all systems now use the new root, it is safe to remove
    or archive the old root and intermediates, updating the manual chain to
    point strictly to the new intermediate+root.
 
