update docs with a warning about cert chain order (#7908)

docs/examples/PREREQUISITES.md

@@ -26,7 +26,7 @@ Note: If using CA Authentication, described below, you will need to sign the ser
 CA Authentication also known as Mutual Authentication allows both the server and client to verify each others
 identity via a common CA.
 
-We have a CA Certificate which we obtain usually from a Certificate Authority and use that to sign
+We have a CA Certificate which we usually obtain from a Certificate Authority and use that to sign
 both our server certificate and client certificate. Then every time we want to access our backend, we must
 pass the client certificate.
 
@@ -54,6 +54,8 @@ openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set
 
 Once this is complete you can continue to follow the instructions [here](./auth/client-certs/README.md#creating-certificate-secrets)
 
+
+
 ## Test HTTP Service
 
 All examples that require a test HTTP Service use the standard http-svc pod,

docs/user-guide/tls.md

@@ -4,6 +4,9 @@
 
 Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
 
+!!! warning
+    Ensure that the certificate order is leaf->intermediate->root, otherwise the controller will not be able to import the certificate, and you'll see this error in the logs ```W1012 09:15:45.920000       6 backend_ssl.go:46] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: private key does not match public key```
+
 You can generate a self-signed certificate and private key with:
 
 ```bash