From 17adaf6bae0f27f7ee1d3e005e00d41e0f1711b6 Mon Sep 17 00:00:00 2001 From: Alona King Date: Tue, 21 Apr 2026 16:34:31 -0400 Subject: [PATCH 1/2] docs: require well-known CA-signed TLS certs for enterprise install --- enterprise/quick-start.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/enterprise/quick-start.mdx b/enterprise/quick-start.mdx index ac0fd0734..ce3d0d43e 100644 --- a/enterprise/quick-start.mdx +++ b/enterprise/quick-start.mdx @@ -126,8 +126,10 @@ You will need a VM to host OpenHands Enterprise. Choose one of the options below | `runtime-api.` | `runtime-api.openhands.example.com` | | `*.runtime.` | `*.runtime.openhands.example.com` | - **Obtain a TLS certificate** with SANs (Subject Alternative Names) for all of the above domains, - then copy the certificate (`.pem` or `.crt`) and private key (`.pem` or `.key`) to the VM. + **Obtain a TLS certificate signed by a well-known certificate authority (CA)**, with SANs + (Subject Alternative Names) for all of the above domains, then copy the certificate + (`.pem` or `.crt`) and private key (`.pem` or `.key`) to the VM. Self-signed certificates + are not supported for the OpenHands application. If you don't provide TLS certificates during installation, the Admin Console will use a From 53f464b6f3fb15f47f8b4e0973e3848776ea38a6 Mon Sep 17 00:00:00 2001 From: Alona Date: Tue, 21 Apr 2026 15:58:47 -0500 Subject: [PATCH 2/2] Apply suggestion from @jlav Co-authored-by: Joe Laverty --- enterprise/quick-start.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enterprise/quick-start.mdx b/enterprise/quick-start.mdx index ce3d0d43e..b554560d5 100644 --- a/enterprise/quick-start.mdx +++ b/enterprise/quick-start.mdx 
@@ -126,7 +126,7 @@ You will need a VM to host OpenHands Enterprise. Choose one of the options below | `runtime-api.` | `runtime-api.openhands.example.com` | | `*.runtime.` | `*.runtime.openhands.example.com` | - **Obtain a TLS certificate signed by a well-known certificate authority (CA)**, with SANs + **Obtain a TLS certificate signed by a well-known certificate authority (CA) such as Let's Encrypt**, with SANs (Subject Alternative Names) for all of the above domains, then copy the certificate (`.pem` or `.crt`) and private key (`.pem` or `.key`) to the VM. Self-signed certificates are not supported for the OpenHands application.
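Review bot: In the hunk of PATCH 1/2, "signed by a well-known certificate authority (CA)" does not say whether a certificate issued by an organization's own internal CA is acceptable, and the added closing sentence only rules out self-signed certificates. Enterprise installs often rely on a private CA, so state explicitly whether those certificates work, or write "publicly trusted CA" if that is the actual requirement. The added "Self-signed certificates are not supported for the OpenHands application" also sits directly above the unchanged paragraph beginning "If you don't provide TLS certificates during installation, the Admin Console will use a"; a sentence that separates the Admin Console case from the application case would keep readers from taking the two statements as contradictory.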
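Review bot: In the hunk of PATCH 2/2, the added "such as Let's Encrypt" appears in the same step that requires a SAN for `*.runtime.openhands.example.com`, and Let's Encrypt issues wildcard certificates only through DNS-01 validation. Its certificates also have a short validity period, so the "copy the certificate ... and private key ... to the VM" step has to be repeated at every renewal. Consider a brief note on both points or a link to renewal instructions. As a style point, the example CA is now inside the bold span and makes that line much longer than its neighbours; moving "such as Let's Encrypt" outside the `**...**` and rewrapping would keep the emphasis on the requirement itself.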