
Commit aa2839f

kunisen and eedugon authored
Clarify adminconsole certs (#2754)
## Description

To address issue: #2747

Two main edits:

* To generate an RSA private key, it needs to have `-----BEGIN RSA PRIVATE KEY-----` (openssl with the `-traditional` option, not the default one) and must not be `-----BEGIN PRIVATE KEY-----`, otherwise the user will get a `cert.invalid_cert_chain` error.
  * (I discussed this with @geekpete and @mailahmeduk in quite some depth about how to get around this issue, so I'd like to explicitly call this out)
* Add the doc part for the `Adminconsole` cert added in ECE 3.8 (maybe @eedugon I need to raise an issue in our internal cloud repo and backport it to 3.8?)

## Reviewers

* Requested @AlexP-Elastic or @beiske for your review as you are the reporters of this adminconsole cert issue internally ([this](https://elasticco.atlassian.net/browse/CP-11302) and [this](https://elasticco.atlassian.net/browse/CP-11126))
* Also, docs team, please help review from a docs perspective 🙏

## Preview

* Before PR merge: [deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2754/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates)
* After PR merge: https://www.elastic.co/docs/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates

---

Thank you!

---------

Co-authored-by: Edu González de la Herrán <[email protected]>
1 parent 4c93dd9 commit aa2839f

File tree

1 file changed

+34
-0
lines changed


deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md

Lines changed: 34 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -31,6 +31,8 @@ Proxy certificate
3131

3232
After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors.
3333

34+
Adminconsole certificate
35+
: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend using the same certificate as the one configured for the Cloud UI.
3436

3537

3638
## Before you begin [ece_before_you_begin_7]
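Review bot: the new "Adminconsole certificate" entry says "an alternative API port" without naming the port, while the verification command added later in this same change connects to port 12343; naming it here (for example, "an alternative API port (12343)") lets readers match the definition to firewall rules and to the openssl check without reading the whole page. The definition-list syntax matches the existing "Proxy certificate" entry shown in the hunk header, so the structure is fine as is.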
@@ -60,6 +62,19 @@ The PEM file should be structured like this:
6062

6163
Each key and certificate would be generated by you or your IT team.
6264

65+
::::{note}
66+
{{ece}} requires the private key to begin with the header `-----BEGIN RSA PRIVATE KEY-----`. If your key instead starts with a different header, such as `-----BEGIN PRIVATE KEY-----` (without `RSA`), an error occurs:
67+
68+
```json
69+
{
70+
"code" : "cert.invalid_cert_chain",
71+
"message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]"
72+
}
73+
```
74+
75+
Review the documentation for your certificate generation tool to determine how to obtain the private key header expected by {{ece}}. For example, with OpenSSL you can add the `-traditional` option when generating the key.
76+
::::
77+
6378

6479
## Get existing ECE security certificates [ece-existing-security-certificates]
6580
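Review bot: the error quoted in the note reads "expected unencrypted rsa private key", so the requirement is two-fold and the note only documents half of it: the key must be in the traditional PKCS#1 form (`-----BEGIN RSA PRIVATE KEY-----`) and it must be unencrypted, so a passphrase-protected key (`-----BEGIN ENCRYPTED PRIVATE KEY-----`, or a traditional-format key carrying a `Proc-Type: 4,ENCRYPTED` header) is rejected as well; suggest adding "unencrypted" to the first sentence. Also worth stating that `-traditional` is only needed with OpenSSL 3.x, whose `genrsa` switched its default output to the PKCS#8 `-----BEGIN PRIVATE KEY-----` form; OpenSSL 1.1.x already writes the RSA header. For readers who already hold a PKCS#8 key, showing a conversion rather than regeneration would help, e.g. `openssl rsa -in key.pem -out key.rsa.pem -traditional`, which rewrites the same key in the traditional format without changing the key material.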

@@ -295,6 +310,25 @@ To add a proxy certificate from the command line:
295310
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero
296311
```
297312
313+
## Add an Adminconsole certificate [ece-tls-adminconsole]
314+
315+
::::{note}
316+
In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI.
317+
::::
318+
319+
To add an Adminconsole certificate from the Cloud UI:
320+
321+
1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md).
322+
2. From the **Platform** menu, select **Settings**.
323+
3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file.
324+
325+
To get the details of the certificate you added, select **Show certificate chain**.
326+
327+
You can verify the new certificate chain by using the openssl command:
328+
329+
```
330+
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero
331+
```
298332
299333
300334
## Limitations [ece-tls-limitations]
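Review bot: the verification command hardcodes `containerhost:12343`, whereas the proxy command just above it in this hunk (and the rest of the file) uses the `HOSTNAME_OR_IP` placeholder; use `HOSTNAME_OR_IP:12343` for consistency, or explain what `containerhost` refers to. Minor: that fence carries no language tag while the JSON block added earlier in this change is tagged, so tag it to match the existing proxy block. The note saying the certificate is "treated identically" to the Cloud UI certificate leaves open whether uploading the Cloud UI bundle already covers Adminconsole or whether the same bundle must be uploaded a second time under the Adminconsole TLS settings; one sentence settling that would save operators a round trip.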

0 commit comments
