If this cert is for admin console and NOT for CloudUI, the verification should be through API rest calls, or?
What is the adminconsole certificate for exactly?

Step "3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser" looks not valid for this certificate verification.

^^ The previous is valid to validate the Cloud UI certificate, not adminconsole cert.

cc: @AlexP-Elastic

IIUC, this cert is only used for port 12343 (not 12443, which is used as cloud UI cert, and that cert handles both UI and API request). And this cert is only used when 12443 is not accessible, as diagnostic usage for API access. Details in my comment - #2754 (comment)

(I might be wrong - please correct me. I don't have the best wording. But I hope via this doc PR we could find a good wording solution for this and we could have fewer customer cases in the future :) )

Interesting, thanks for sharing.

I wouldn't remove then the text about API calls in cloudUI cert, as that cert is actually the one valid for the most common API calls made by our users (on port 12443).

Thanks @eedugon for being patient. I added back.
Could you check if this time it looks good from docs perspective please?

Personally I think I would remove steps 2 and 3 from To add an Adminconsole certificate from the command line: and leave the openssl as the only test option (nobody should be doing this anyway, no reason not add AC cert from the UI unless the UI is down - maybe we can add that)

I don't think this is right

The Cloud UI certificate is for API and UI calls

The Adminconsole certificate allow secure connection to an alternative API port that can be used in incidents scenario where the UI is down (very rare). We recommend re-using the UI certificate for this.

Thank you @AlexP-Elastic

Updated with the suggestion:

- :   Used to connect securely to make RESTful API calls.

+ :   This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend reusing the UI certificate for this purpose.

Also @AlexP-Elastic I made the change according based on your 2nd comment - #2754 (comment) too:

(Hard to copy things out and mostly the screenshots is visibly evident enough...)

Personally I think I would remove steps 2 and 3 from To add an Adminconsole certificate from the command line: and leave the openssl as the only test option (nobody should be doing this anyway, no reason not add AC cert from the UI unless the UI is down - maybe we can add that)