SSH: report signing error reason, and clarify docs re. non-RSA CA keys (

#11036)

* SSH: report signing error reason, and clarify docs re. non-RSA CA keys

See #10067

* Update website/content/api-docs/secret/ssh.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

website/content/api-docs/secret/ssh.mdx

@@ -211,9 +211,10 @@ This endpoint creates or updates a named role.
   and their expected sizes which are allowed to be signed by the CA type.
 
 - `algorithm_signer` `(string: "")` - Algorithm to sign keys with. Valid
-  values are `ssh-rsa`, `rsa-sha2-256`, and `rsa-sha2-512`. Note that `ssh-rsa`
-  is now considered insecure and is not supported by current OpenSSH versions.
-  If not specified, it will use the signer's default algorithm.
+  values are `ssh-rsa`, `rsa-sha2-256`, and `rsa-sha2-512`. This value may be left
+  blank to use the signer's default algorithm, and must be left blank for CA key types
+  other than RSA. Note that `ssh-rsa` is now considered insecure and is not
+  supported by current OpenSSH versions.
 
 ### Sample Payload
 
@@ -640,8 +641,10 @@ overridden._
   pair; required if `generate_signing_key` is false.
 
 - `generate_signing_key` `(bool: true)` – Specifies if Vault should generate
-  the signing key pair internally. The generated public key will be returned so
-  you can add it to your configuration.
+  the signing key pair internally. If `true`, an RSA key pair is generated, and
+  the generated public key is returned so you can add it to your configuration.
+  If `false`, then you must provide `private_key` and `public_key`, but these
+  can be of any valid signing key type.
 
 ### Sample Payload