@quantstruct-canvas-preview
Attempt to resolve issue 67

The secure traffic docs for NIM and NGINX Agent currently cover enabling TLS and mTLS but do not explain certificate revocation checks. To prevent users from unknowingly trusting revoked certificates, we should:

  • Add a dedicated revocation section to the NGINX Agent “Encrypt communication” page that:

    • Explains CRL and OCSP concepts, prerequisites (time sync, CRL/OCSP reachability, short-lived certs).
    • Provides practical, supported examples:
      • Server side (NIM validating Agent client certs) using NGINX in front of NIM to enforce mTLS and CRL checking of client certs via ssl_crl.
      • Hardening the server cert side with OCSP stapling (ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate ...) so agents receive stapled status.
    • Clearly states current limitations where applicable (e.g., OCSP checks for client certs are not supported by NGINX; use CRLs for client cert revocation; Agent does not itself perform OCSP/CRL verification of the server cert, so rely on strong CA pinning, short-lived certs, and server-side stapling).

  • Strengthen the Agent install page to warn that insecure flags bypass both chain and revocation validation, provide a quick pre-check command, and link to the new revocation section.

  • Update the “configure-nginx-plus-report-to-nim” include to add a note about revocation considerations for the usage_report HTTPS connection and direct users to the revocation section and best practices.

These changes keep guidance accurate (no unsupported Agent-side OCSP/CRL knobs), deliver actionable NGINX config for enforcing client cert CRLs, and add clear cautions.
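The server-side configuration the description outlines (NGINX terminating mTLS in front of NIM, rejecting revoked Agent client certificates with `ssl_crl`, and stapling the server certificate's OCSP status) looks roughly like the following. This is an added illustration, not a snippet from this PR, from the NIM docs or from the NGINX documentation; the upstream address, hostname and every file path are assumed placeholders that have to be replaced with the deployment's own values.

```nginx
# Added example, not part of the PR or the product docs.
# NGINX in front of NIM: mTLS for Agent connections, CRL check on client
# certs, OCSP stapling for the server cert. All paths/addresses are assumed.

upstream nim_backend {
    # assumed: NIM listening on the loopback; use the real address and port
    server 127.0.0.1:8443;
}

server {
    listen 443 ssl;
    server_name nim.example.internal;            # assumed hostname

    # Server certificate presented to agents (assumed paths)
    ssl_certificate     /etc/nginx/certs/nim-server.crt;
    ssl_certificate_key /etc/nginx/certs/nim-server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # --- Client certificate validation (mTLS) ---
    # CA that issues Agent client certs; every agent must present a cert
    # chaining to it, otherwise the handshake is rejected.
    ssl_client_certificate /etc/nginx/certs/agent-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # CRL for client certs. NGINX does not perform OCSP lookups for client
    # certs, so the CRL is the revocation mechanism on this side. The file
    # must be PEM, is read at (re)load time, and must be refreshed before its
    # nextUpdate passes: an expired CRL makes every client verification fail.
    ssl_crl /etc/nginx/certs/agent-ca.crl.pem;

    # --- OCSP stapling for the server certificate ---
    # nginx fetches the OCSP response for its own cert and sends it in the
    # handshake; ssl_stapling_verify validates that response against the
    # chain in ssl_trusted_certificate before it is stapled.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/certs/server-ca-chain.crt;
    resolver         127.0.0.53 valid=300s;     # assumed resolver, needed to reach the OCSP responder
    resolver_timeout 5s;

    location / {
        # Forward to NIM over TLS and verify its certificate too (assumed CA path),
        # passing the authenticated client identity upstream for auditing.
        proxy_pass                    https://nim_backend;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/nim-backend-ca.crt;
        proxy_ssl_name                nim.example.internal;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```

Two operational points follow from the directives above. Because `ssl_crl` is read when the configuration is loaded, whatever job fetches the fresh CRL has to be followed by `nginx -t && nginx -s reload`, and it must run well inside the CRL's validity window. And the pre-check the install page is meant to offer can be done with the same inputs nginx uses, for example `openssl verify -crl_check -CAfile agent-ca.crt -CRLfile agent-ca.crl.pem agent-client.crt`, which reports whether a given Agent certificate chains correctly and is not on the CRL before the agent is pointed at the server.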
