Add page summarizing one-way and mutual TLS connections flow

Author: kilfoyle

docs/en/ingest-management/images/tls-overview-mutual-all.jpg

@@ -99,6 +99,8 @@ include::security/certificates-rotation.asciidoc[leveloffset=+2]
 
 include::security/mutual-tls.asciidoc[leveloffset=+2]
 
+include::security/tls-overview.asciidoc[leveloffset=+2]
+
 include::security/logstash-certificates.asciidoc[leveloffset=+2]
 
 include::fleet/fleet.asciidoc[leveloffset=+1]

docs/en/ingest-management/images/tls-overview-mutual-fs-agent.png

@@ -7,6 +7,8 @@ in the {stack}.
 
 For the install settings specific to mutual TLS, as opposed to one-way TLS, refer to <<mutual-tls>>.
 
+For a summary of the connections certifications process between components using either one-way or mutual TLS, refer to <<tls-overview>>.
+
 TIP: Our {ess-product}[hosted {ess}] on {ecloud} provides secure, encrypted
 connections out of the box!
 

docs/en/ingest-management/images/tls-overview-mutual-fs-es.png

@@ -3,6 +3,8 @@
 
 Mutual Transport Layer Security (mTLS) provides a higher level of security and trust compared to one-way TLS, where only the server presents a certificate. It ensures that not only the server is who it claims to be, but the client is also authenticated. This is particularly valuable in scenarios where both parties need to establish trust and validate each other's identities, such as in secure API communication, web services, or remote authentication.
 
+For a summary of the connections certifications process between components using either one-way or mutual TLS, refer to <<tls-overview>>.
+
 * <<mutual-tls-overview>>
 * <<mutual-tls-on-premise>>
 * <<mutual-tls-cloud>>

docs/en/ingest-management/images/tls-overview-oneway-all.jpg

@@ -0,0 +1,80 @@
+[[tls-overview]]
+= One-way and mutual TLS certifications flow
+
+The following is an overview of how the various certificates and certificate authorities (CAs) that you configure using the `elastic-agent install` secure connection options relate to each other.
+
+* <<one-way-tls-connection>>
+* <<mutual-tls-connection>>
+
+[discrete]
+[[one-way-tls-connection]]
+== Simple one-way TLS connection
+
+The following install command configures a {fleet-server} with the required certificates and certificate authorities to enable one-way TLS connections between the components involved:
+
+[source,shell]
+----
+elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
+--certificate-authorities=/path/to/fleet-ca \
+--fleet-server-es=https://es.elastic.com:443 \
+--fleet-server-es-ca=/path/to/es-ca \
+--fleet-server-cert=/path/to/fleet-cert \
+--fleet-server-cert-key=/path/to/fleet-cert-key \
+--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \
+--fleet-server-policy=FLEET-SERVER-POLICY-ID \
+--fleet-server-port=8220
+----
+
+{agent} is configured with `fleet-ca` as the certificate authority it needs to validate certificates from {fleet-server}. 
+
+During the TLS connection setup, {fleet-server} presents its certificate `fleet-cert` to the agent and the agent (as a client) uses `fleet-ca` to validate this certificate. 
+
+image::images/tls-overview-oneway-fs-agent.png[Diagram of one-way TLS connection between Fleet Server and Elastic Agent]
+
+{fleet-server} also establishes a secure connection to an {es} cluster. In this case, {fleet-server} is configured with the certificate authority from {es} `es-ca`. {es} presents its certificate, `es-cert`, and {fleet-server} validates this certificate using certificate authority `es-ca`.
+
+image::images/tls-overview-oneway-fs-es.png[Diagram of one-way TLS connection between Fleet Server and Elasticsearch]
+
+The following diagram shows the one-way TLS connection relationship between components:
+
+image::images/tls-overview-oneway-all.jpg[Diagram of one-way TLS connection between components]
+
+[discrete]
+[[mutual-tls-connection]]
+== Mutual TLS connection
+
+The following install command configures a {fleet-server} with the required certificates and certificate authorities to enable mutual TLS connections between the components involved:
+
+[source,shell]
+----
+elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
+--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \
+--elastic-agent-cert=/path/to/agent-cert \
+--elastic-agent-cert-key=/path/to/agent-cert-key \
+--fleet-server-es=https://es.elastic.com:443 \
+--fleet-server-es-ca=/path/to/es-ca \
+--fleet-server-es-cert=/path/to/fleet-es-cert \
+--fleet-server-es-cert-key=/path/to/fleet-es-cert-key \
+--fleet-server-cert=/path/to/fleet-cert \
+--fleet-server-cert-key=/path/to/fleet-cert-key \
+--fleet-server-client-auth=required \
+--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \
+--fleet-server-policy=FLEET-SERVER-POLICY-ID \
+--fleet-server-port=8220
+----
+
+As with the <<one-way-tls-connection,one-way TLS example>>, {agent} is configured with `fleet-ca` as the certificate authority it needs to validate certificates from the {fleet-server}. {fleet-server} presents its certificate `fleet-cert` to the agent and the agent (as a client) uses `fleet-ca` to validate the presented certificate.
+
+To establish a mutual TLS connection, the agent will present its certificate, `agent-cert`, and {fleet-server} will validate this certificate using the `agent-ca` that it has stored in memory.
+
+image::images/tls-overview-mutual-fs-agent.png[Diagram of mutual TLS connection between Fleet Server and Elastic Agent]
+
+{fleet-server} can also establish a mutual TLS connection to the {es} cluster. In this case {fleet-server} is configured with the certificate authority from the {es} `es-ca` and uses this to validate the certificate `es-cert` presented to it by {es}. 
+
+image::images/tls-overview-mutual-fs-es.png[Diagram of mutual TLS connection between Fleet Server and Elasticsearch]
+
+Note that you can also configure mutual TLS for {fleet-server} and {agent} <<mutual-tls-cloud-proxy,using a proxy>>.
+
+The following diagram shows the mutual TLS connection relationship between components:
+
+image::images/tls-overview-mutual-all.jpg[Diagram of mutual TLS connection between components]