fix: enable AssumeRoleWithCertificate API only when asked (#13410)

This is a breaking change but we need to do this to avoid
issues discussed in #13409 based on discussions from #13371

fixes #13371
fixes #13409

docs/sts/tls.md

@@ -16,9 +16,9 @@ ARGS:
 MINIO_IDENTITY_TLS_SKIP_VERIFY  (on|off)    trust client certificates without verification. Defaults to "off" (verify)
 ```
 
-The MinIO TLS STS API is enabled by default. However, it can be completely *disabled* by setting:
+The MinIO TLS STS API is disabled by default. However, it can be *enabled* by setting environment variable:
 ```
-MINIO_IDENTITY_TLS_ENABLE=off
+export MINIO_IDENTITY_TLS_ENABLE=on
 ```
 
 ## Example
@@ -102,6 +102,11 @@ The returned credentials expiry after a certain period of time that can be confi
 
 Further, the temp. S3 credentials will never out-live the client certificate. For example, if the `MINIO_IDENTITY_TLS_STS_EXPIRY` is 7 days but the certificate itself is only valid for the next 3 days, then MinIO will return S3 credentials that are valid for 3 days only.
 
+## Caveat
+
+*Applications that use direct S3 API will work fine, however interactive users uploading content using (when POSTing to the presigned URL an app generates) a popup becomes visible on browser to provide client certs, you would have to manually cancel and continue. This may be annoying to use but there is no workaround for now.*
+
+
 ## Explore Further
 - [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
 - [The MinIO documentation website](https://docs.min.io)