[Docs] Append more explanation to Configuring Kibana (elastic#15615)

docs/setup/settings.asciidoc

@@ -33,7 +33,7 @@ Specify the position of the subdomain the URL with the token `{s}`.
 
 [[regionmap-settings]] `regionmap`:: Specifies additional vector layers for use in <<regionmap, Region Map>> visualizations.
 Each layer object points to an external vector file that contains a geojson FeatureCollection.
-The file must use the [WGS84 coordinate reference system](https://en.wikipedia.org/wiki/World_Geodetic_System) and only include polygons. 
+The file must use the [WGS84 coordinate reference system](https://en.wikipedia.org/wiki/World_Geodetic_System) and only include polygons.
 If the file is hosted on a separate domain from Kibana, the server needs to be CORS-enabled so Kibana can download the file.
 The following example shows a valid regionmap configuration.
 
@@ -60,16 +60,16 @@ these settings provide the username and password that the Kibana server uses to
 startup. Your Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
 `server.ssl.enabled`:: *Default: "false"* Enables SSL for outgoing requests from the Kibana server to the browser. When set to `true`, `server.ssl.certificate` and `server.ssl.key` are required
 `server.ssl.certificate:` and `server.ssl.key:`:: Paths to the PEM-format SSL certificate and SSL key files, respectively.
-`server.ssl.keyPassphrase`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
-`server.ssl.certificateAuthorities`:: List of paths to PEM encoded certificate files that should be trusted.
-`server.ssl.supportedProtocols`:: *Default: TLSv1, TLSv1.1, TLSv1.2*  Supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
-`server.ssl.cipherSuites`:: *Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)
+`server.ssl.keyPassphrase:`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
+`server.ssl.certificateAuthorities:`:: List of paths to PEM encoded certificate files that should be trusted.
+`server.ssl.supportedProtocols:`:: *Default: TLSv1, TLSv1.1, TLSv1.2*  Supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
+`server.ssl.cipherSuites:`:: *Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)
 `elasticsearch.ssl.certificate:` and `elasticsearch.ssl.key:`:: Optional settings that provide the paths to the PEM-format SSL
-certificate and key files. These files validate that your Elasticsearch backend uses the same key files.
-`elasticsearch.ssl.keyPassphrase`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
+certificate and key files. These files are used to verify the identity of Kibana to Elasticsearch and are required when `xpack.ssl.verification_mode` in Elasticsearch is set to either `certificate` or `full`.
+`elasticsearch.ssl.keyPassphrase:`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
 `elasticsearch.ssl.certificateAuthorities:`:: Optional setting that enables you to specify a list of paths to the PEM file for the certificate
 authority for your Elasticsearch instance.
-`elasticsearch.ssl.verificationMode:`:: *Default: full* Controls the verification of certificates. Valid values are `none`, `certificate`, and `full`.
+`elasticsearch.ssl.verificationMode:`:: *Default: full* Controls the verification of certificates presented by Elasticsearch. Valid values are `none`, `certificate`, and `full`.
 `full` performs hostname verification, and `certificate` does not.
 `elasticsearch.pingTimeout:`:: *Default: the value of the `elasticsearch.requestTimeout` setting* Time in milliseconds to
 wait for Elasticsearch to respond to pings.
@@ -84,19 +84,19 @@ to 0 to disable.
 `elasticsearch.startupTimeout:`:: *Default: 5000* Time in milliseconds to wait for Elasticsearch at Kibana startup before
 retrying.
 `pid.file:`:: Specifies the path where Kibana creates the process ID file.
-`path.data`:: *Default: `./data`* The path where Kibana stores persistent data not saved in Elasticsearch
+`path.data:`:: *Default: `./data`* The path where Kibana stores persistent data not saved in Elasticsearch
 `logging.dest:`:: *Default: `stdout`* Enables you specify a file where Kibana stores log output.
 `logging.silent:`:: *Default: false* Set the value of this setting to `true` to suppress all logging output.
 `logging.quiet:`:: *Default: false* Set the value of this setting to `true` to suppress all logging output other than
 error messages.
-`logging.verbose`:: *Default: false* Set the value of this setting to `true` to log all events, including system usage
+`logging.verbose:`:: *Default: false* Set the value of this setting to `true` to log all events, including system usage
 information and all requests.
-`ops.interval`:: *Default: 5000* Set the interval in milliseconds to sample system and process performance metrics.
+`ops.interval:`:: *Default: 5000* Set the interval in milliseconds to sample system and process performance metrics.
 The minimum value is 100.
-`status.allowAnonymous`:: *Default: false* If authentication is enabled, setting this to `true` allows
+`status.allowAnonymous:`:: *Default: false* If authentication is enabled, setting this to `true` allows
 unauthenticated users to access the Kibana server status API and status page.
-`cpu.cgroup.path.override`:: Override for cgroup cpu path when mounted in manner that is inconsistent with `/proc/self/cgroup`
-`cpuacct.cgroup.path.override`:: Override for cgroup cpuacct path when mounted in manner that is inconsistent with `/proc/self/cgroup`
+`cpu.cgroup.path.override:`:: Override for cgroup cpu path when mounted in manner that is inconsistent with `/proc/self/cgroup`
+`cpuacct.cgroup.path.override:`:: Override for cgroup cpuacct path when mounted in manner that is inconsistent with `/proc/self/cgroup`
 `console.enabled`:: *Default: true* Set to false to disable Console.  Toggling this will cause the server to regenerate assets on the next startup, which may cause a delay before pages start being served.
 
 `elasticsearch.tribe.url:`:: Optional URL of the Elasticsearch tribe instance to use for all your
@@ -106,7 +106,7 @@ these settings provide the username and password that the Kibana server uses to
 startup. Your Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
 `elasticsearch.tribe.ssl.certificate:` and `elasticsearch.tribe.ssl.key:`:: Optional settings that provide the paths to the PEM-format SSL
 certificate and key files. These files validate that your Elasticsearch backend uses the same key files.
-`elasticsearch.tribe.ssl.keyPassphrase`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
+`elasticsearch.tribe.ssl.keyPassphrase:`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
 `elasticsearch.tribe.ssl.certificateAuthorities:`:: Optional setting that enables you to specify a path to the PEM file for the certificate
 authority for your tribe Elasticsearch instance.
 `elasticsearch.tribe.ssl.verificationMode:`:: *Default: full* Controls the verification of certificates. Valid values are `none`, `certificate`, and `full`. `full` performs hostname verification, and `certificate` does not.