Clarify adminconsole certs

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md

@@ -31,6 +31,8 @@ Proxy certificate
 
     After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors.
 
+Adminconsole certificate
+:   This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend reusing the UI certificate for this purpose.
 
 
 ## Before you begin [ece_before_you_begin_7] 
@@ -60,6 +62,19 @@ The PEM file should be structured like this:
 
 Each key and certificate would be generated by you or your IT team.
 
+::::{note} 
+{{ece}} requires the private key to begin with the header `-----BEGIN RSA PRIVATE KEY-----`. If your key instead starts with a different header, such as `-----BEGIN PRIVATE KEY-----` (without `RSA`), an error occurs:
+
+```json
+{
+    "code" : "cert.invalid_cert_chain",
+    "message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]"
+}
+```
+
+We recommend reviewing the documentation for your certificate generation tool to learn how to obtain the private key header expected by {{ece}}. For example, if you use OpenSSL, you can add the `-traditional` option when generating the key.
+::::
+
 
 ## Get existing ECE security certificates [ece-existing-security-certificates] 
 
@@ -295,6 +310,25 @@ To add a proxy certificate from the command line:
     openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero
     ```
 
+## Add an Adminconsole certificate [ece-tls-adminconsole] 
+
+::::{note} 
+In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI.
+::::
+
+To add an Adminconsole certificate from the Cloud UI:
+
+1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Settings**.
+3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file.
+
+To get the details of the certificate you added, select **Show certificate chain**.
+
+You can verify the new certificate chain by using the openssl command:
+
+    ```
+    openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero
+    ```
 
 
 ## Limitations [ece-tls-limitations]