Clarify how certificate fingerprints work for Fleet Server

[vishaangelova]

Summary

This PR:

• Adds clarifications for configuring CA fingerprints
• Adds a document that explains how CA fingerprints work and clarifies the difference between CA fingerprints and CA files.

Generative AI disclosure

1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?

• Yes
• No

2. If you answered "Yes" to the previous question, please specify the tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.).

Tool(s) and model(s) used: Cursor 2.4.36 with claude-4.5-sonnet

Preview

• reference/fleet/certificate-fingerprints.md
• reference/fleet/agent-command-reference.md
• reference/fleet/agent-environment-variables.md
• reference/fleet/certificates-rotation.md
• reference/fleet/elastic-agent-ssl-configuration.md
• reference/fleet/es-output-settings.md
• reference/fleet/secure-connections.md
• reference/fleet/secure.md

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[github-actions]

🔍 Preview links for changed docs

• reference/fleet/certificate-fingerprints.md
• reference/fleet/agent-command-reference.md
• reference/fleet/agent-environment-variables.md
• reference/fleet/certificates-rotation.md
• reference/fleet/elastic-agent-ssl-configuration.md
• reference/fleet/es-output-settings.md
• reference/fleet/secure-connections.md
• reference/fleet/secure.md

[vishaangelova]

Is it correct to mark this document as serverless: unavailable?

[belimawr]

I don't think so. The TLS validation is independent of the Elasticsearch deployment type.

However, if an user is connecting to a serverless Elasticsearch, they don't need to set certificate authorities or fingerprint because Elastic always use trusted certificates. This is valid for both, serverless and ECH.