Address review comments and add explain CSR monitor

Author: hjiawei

calico-enterprise/getting-started/bare-metal/troubleshoot.mdx

@@ -4,7 +4,7 @@ description: Troubleshoot non-cluster hosts and VMs setup
 
 # Troubleshoot non-cluster hosts and VMs setup
 
-This document provides guidance for troubleshooting non-cluster host setup for hosts and VMs.
+This document provides guidance for troubleshooting Calico running on hosts and VMs outside of a cluster.
 
 ## Useful commands
 
@@ -24,21 +24,44 @@ kubectl logs -n calico-system -l k8s-app=calico-typha-noncluster-host
 kubectl logs -n tigera-manager -l k8s-app=tigera-manager -c tigera-voltron
 ```
 
-Monitor CertificateSigningRequests (CSR):
+You can monitor CertificateSigningRequests (CSR) by running:
 
 ```bash
 kubectl get certificatesigningrequest -w
 ```
 
+Monitoring CSRs is useful for debugging certificates used for Calico Node and Typha mutual TLS (mTLS) communication. The automatic CSR approval and signing flow can fail in several ways. For example:
+
+- The CSR request might not be created or submitted correctly.
+- The Tigera Operator CSR controller might not process it.
+- The Tigera Operator signer might reject the request due to invalid fields or missing permission.
+
+When such failure occur, the CSR status object contains detailed condition and error messages that help identify the root cause.
+
 ## Common problems
 
 ### No internet connection after installing the Calico Node package
 
 By default, $[prodname] blocks all traffic to and from host interfaces. You can use a profile with host endpoints to modify default behavior. Apply the built-in profile `projectcalico-default-allow`, which allows all ingress and egress traffic. Host endpoints that use this profile will have *allow-all* behavior instead of *deny-all* when no network policy is applied.
 
+Example `HostEndpoint` with the `projectcalico-default-allow` profile:
+
+```yaml
+apiVersion: projectcalico.org/v3
+kind: HostEndpoint
+metadata:
+  name: <endpoint-name>
+spec:
+  interfaceName: <interface-name>
+  node: <node-hostname>
+  expectedIPs: ["<list-of-expected-ips>"]
+  profiles:
+    - projectcalico-default-allow
+```
+
 ### Certificate signed by unknown authority
 
-If the certificate presented by the Kubernetes API server or Tigera Manager endpoint is not signed by a trusted Certificate Authority (CA), add the correct CA certificate to the system trust store. For the Calico fluent-bit log forwarding, you can temporarily disable TLS verification by setting:
+If the certificate presented by the Kubernetes API server or Tigera Manager endpoint is not signed by a trusted Certificate Authority (CA), add the correct CA certificate to the system trust store. Alternatively, for the Calico fluent-bit log forwarder, you can temporarily disable TLS verifications by setting:
 
 ```conf
 [OUTPUT]