docs(security): add section about managing the root certificates

This commit is contained in:
Mahavir Jain 2023-10-24 18:57:28 +05:30
parent ac97c61d1a
commit 64cb35deef
No known key found for this signature in database
GPG Key ID: 99324EF4A00734E0


@ -177,6 +177,23 @@ UART Download Mode
It is highly recommended to verify the identity of the server based on X.509 certificates to avoid establishing communication with the **fake** server.
Managing Root Certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^
Root Certificates embedded inside the application must be managed carefully. Any update to the root certificate list or the :doc:`../api-reference/protocols/esp_crt_bundle` can have an impact on the TLS connection with the remote endpoint. This includes a connection to the OTA update server. In some cases, the problem shall be visible on the next OTA update and it may leave device unable to perform OTA updates forever.
Root certificates list update could have following reasons:
- New firmware has different set of remote endpoint(s).
- Existing certificate has expired.
- The certificate has been added or retracted from the upstream certificate bundle.
- The certificate list changed due to market share statistics (``CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN`` case).
Some guidelines to consider on this topic:
- Please consider enabling :ref:`OTA rollback <ota_rollback>` and then keep the successful connection to the OTA update server as the checkpoint to cancel the rollback process. This ensures that the newly updated firmware can successfully reach till the OTA update server, otherwise rollback process will go back to the previous firmware on the device.
- If you plan to enable the :ref:`CONFIG_MBEDTLS_HAVE_TIME_DATE` option then please consider to have sufficient number of trusted certificates and the time sync mechanism (SNTP) in place.
Product Security
----------------
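Review bot: the OTA rollback guideline ("keep the successful connection to the OTA update server as the checkpoint to cancel the rollback process") leaves the failure mode implicit: if the new bundle cannot validate the OTA server, the new firmware must not mark itself valid, so that rollback restores the previous image with its working certificate list. Consider stating that the rollback cancellation should be called only after a successful TLS handshake with the update server, and adding a transition rule that a new root is added to the bundle at least one release before the old root is removed, so that both the running firmware and the next one can still reach the server. Wording in the same hunk also needs tightening: "the problem shall be visible on the next OTA update and it may leave device unable to perform OTA updates forever" reads better as "the problem will surface at the next OTA update and may leave the device unable to perform OTA updates at all"; "Root certificates list update could have following reasons" as "The root certificate list may need to be updated for the following reasons"; and "reach till the OTA update server" as "reach the OTA update server". The ``CONFIG_MBEDTLS_HAVE_TIME_DATE`` bullet should say why SNTP matters: with date validation enabled, a device whose clock is not yet set will reject otherwise valid certificates as not yet valid or expired, so the time must be synchronized before the first TLS connection is attempted.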