
Documentation on validating TLS server certificates is confusing

Open JeremyRand opened this issue 3 years ago • 0 comments

I'm trying to connect to an IPPS printer from GNU/Linux with strict certificate validation. This presumably means I need to tell CUPS what server certificate to expect. Unfortunately, the documentation for this is confusing and ambiguous:

  1. https://www.cups.org/doc/encryption.html says "A client can be configured to only communicate with trusted TLS/1.1+ servers and printers by copying the corresponding certificates to the client (see below)", which points to the text "Other platforms only use the client.conf file and PEM-encoded certificates (hostname.crt) and private keys (hostname.key) in the /etc/cups/ssl and ~/.cups/ssl directories." This is confusing since the presence of a private key should be something only the printer has, not CUPS. It is not clear what /etc/cups/ssl/hostname.key is used for, nor is it clear whether /etc/cups/ssl/hostname.crt is the correct place to put the TLS certificate for my printer with that hostname.
  2. The text goes on to say "If present, the /etc/cups/ssl/site.crt file defines a site-wide CA certificate that is used to validate server and printer certificates." It is not clear how this functionality relates to the functionality in the previous sentence. Is site.crt used for server certificate validation while hostname.crt is used for something else? Are they both used for server certificate validation, but site.crt must have the CA bit set while hostname.crt must have the CA bit cleared? Are they both used for server certificate validation regardless of the CA bit, but site.crt is used regardless of the printer's hostname while hostname.crt is only used for that hostname?
  3. It is not clear whether hostname.crt and site.crt can contain multiple certificates. The usage of PEM encoding suggests that this is possible, but the singular "a site-wide certificate" language suggests the opposite. It is also not clear whether it is possible to specify intermediate certificates to use in chain building, without making those certificates trust anchors.
  4. hostname.crt, hostname.key, and site.crt are covered only in https://www.cups.org/doc/encryption.html while /etc/cups/ssl/site.crl is only covered in https://www.cups.org/doc/man-client.conf.html, which is kind of a weird way to separate things. It's also not specified what the format of site.crl is.

Can the documentation be amended to clarify the above points?

JeremyRand, Jun 15 '22 14:06
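For readers landing here with the same goal (strict validation when talking to an IPPS printer), the following client.conf fragment is an added example and not part of the issue or of the CUPS documentation it quotes. It assumes a CUPS 2.2 or later client, where client.conf documents the directives `Encryption`, `ValidateCerts`, `AllowAnyRoot`, `AllowExpiredCerts` and `TrustOnFirstUse`. It only tightens the directive defaults; it does not settle the question raised above about what /etc/cups/ssl/hostname.crt, site.crt and site.crl actually do, which is exactly what the issue asks the documentation to clarify.

```conf
# /etc/cups/client.conf (or ~/.cups/client.conf)
# Added example, assumes CUPS 2.2+ client.conf directives.

# Defaults as shipped, shown for contrast. Together they let the client
# accept any self-signed, unvalidated certificate on first contact:
#   AllowAnyRoot      Yes
#   AllowExpiredCerts No
#   TrustOnFirstUse   Yes
#   ValidateCerts     No

# Stricter settings for a client that should only talk to a known printer.
Encryption        Required    # refuse to fall back to plaintext IPP
ValidateCerts     Yes         # certificate name must match the host contacted
AllowAnyRoot      No          # certificate must chain to a trusted CA
AllowExpiredCerts No          # reject certificates outside their validity period
TrustOnFirstUse   No          # do not silently pin whatever is presented first
```

With `AllowAnyRoot No` the client needs a trust anchor for the printer's certificate; which of the /etc/cups/ssl files supplies it, and in what form, is the open question of this issue, so check the behaviour of the CUPS version actually installed rather than relying on the quoted text.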