The TLS options appear multiple times because there are TLS configurations for various features of the NS. You should configure the options as required. Here are the areas to configure listed within the example chirpstack-network-server.toml file:
- network_server.api: Network Server API (for Application Server to use)
- network_server.gateway.backend: comms between gateway (bridge) ↔ network server
- join_server.servers: for each join server, if you have multiple join servers.
- join_server.default: for the default join server.
- network_controller: for the network controller, if you have one.
- roaming.api: for roaming API. I’m not sure how roaming works, but I guess you would only need it if your devices can roam between networks.
- roaming.servers: similar to roaming.default, but per-server.
- roaming.default: for the default roaming server.
“network_server.gateway” appears to have options for automatically generating certificates for gateway (bridges?).
The join server handles joining and this appears to be part of the application server module.
Of course, we are only talking about what to configure within the NS itself. Do remember to configure TLS in the other components too, such as the Application Server (AS) and Gateway Bridge (GWB). If you want to enable TLS for the backend comms like MQTT, I suppose this means you need to configure TLS for the MQTT broker as well.
I cannot find anything about this option either. It is vaguely mentioned a few times in old posts and also as a command-line option (as-public-id), but there is nothing in the documentation.
I think @brocaar would be better to comment on what this should be (or was).