Backport of Add notes on the PKI cert generation forwarding regression into stable-website

website/content/docs/upgrading/upgrade-to-1.8.x.mdx

@@ -43,6 +43,7 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:
 
 @include 'entity-alias-mapping.mdx'
 
+@include 'pki-forwarding-bug.mdx'
 ## Known Issues
 
 - MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error

website/content/docs/upgrading/upgrade-to-1.9.x.mdx

@@ -95,6 +95,8 @@ respects the order of suites given in `tls_cipher_suites`.
 
 See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.
 
+@include 'pki-forwarding-bug.mdx'
+
 ## Known Issues
 
 ### Identity Token Backend Key Rotations

website/content/partials/pki-forwarding-bug.mdx

@@ -0,0 +1,10 @@
+## PKI Certificate Generation Forwarding Regression
+
+A bug introduced in Vault 1.8 causes certificate generation requests to the PKI secrets engine made on a performance
+secondary node to be forwarded to the cluster's primary node. The resulting certificates are stored on the primary node, 
+and thus visible to list and read certificate requests only on the primary node rather than the secondary node as 
+intended.  Furthermore, if a certificate is subsequently revoked on a performance secondary node, the secondary's 
+certificate revocation list is updated, rather than the primary's where the certificate is stored.  This bug is fixed 
+in Vault 1.8.8 and 1.9.3.  
+Certificates issued after the fix are correctly stored locally to the performance secondary.
+