docs: require well-known CA-signed TLS certs for enterprise install

[ak684]

Summary

• Updates the Enterprise Quick Start TLS guidance to explicitly require a certificate signed by a well-known certificate authority, and notes that self-signed certs are not supported for the OpenHands application.
• Scoped change: the existing warning about the Replicated Admin Console's hardcoded self-signed cert is left untouched since that behavior is outside our control and is factually accurate.

Context

From a recent discussion with the field team (JM, Rajiv, Joe): since Enterprise trials are explicitly the self-hosted path, customers' network/IT teams are unlikely to issue self-signed certs, and we should steer POCs toward well-known CA-signed certs rather than leaving the door open to self-signed.

Test plan

• Mintlify preview renders the updated TLS Setup section correctly
• Wording reads clearly for a first-time enterprise installer

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
all-hands-ai	🟢 Ready	View Preview	Apr 21, 2026, 8:38 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[all-hands-bot]

Taste Rating: 🟢 Good taste - Clear, actionable documentation improvement that solves a real field problem.

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟢 LOW
  Documentation-only change that improves security guidance for enterprise installations. No code, infrastructure, or breaking changes. Scoped appropriately.

VERDICT:
✅ Worth merging: Clean documentation update with clear, professional wording.

KEY INSIGHT:
Steering enterprise users toward well-known CA-signed certificates eliminates a common source of installation confusion and aligns with production security best practices.