Expand Up @@ -20,6 +20,10 @@ Use [Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/) (A

If you secure related infrastructure (such as private Git repositories) with certificates issued by a private Certificate Authority, these certificates must be loaded into the Seqera Enterprise containers. You can achieve this in several ways.

:::note
If your deployment uses self-hosted Wave, install the same private CA root certificate in every service that must initiate TLS connections to those endpoints. At minimum, this includes the `backend`, `cron`, and self-hosted Wave containers. If you terminate TLS with an NGINX reverse proxy, make the required certificate material available to that proxy container as part of the same setup.
:::

**Configure private certificate trust**

1. This guide assumes you're using the original containers supplied by Seqera.
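Review bot: The last sentence of the added note ("make the required certificate material available to that proxy container") does not say which material is meant. A proxy that terminates TLS needs its own server certificate and private key, which is not the same thing as the private CA root that `backend`, `cron`, and Wave import in order to trust outbound connections. Suggest naming the material explicitly or linking to the section that covers the NGINX setup. "Those endpoints" in the first sentence also has no clear antecedent: the preceding paragraph talks about private Git repositories, so the reader cannot tell whether the Wave service, the container registry, or both are meant.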
Expand All @@ -34,7 +38,7 @@ If you secure related infrastructure (such as private Git repositories) with cer
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem
```

2. Modify the `backend` and `cron` container configuration blocks in `docker-compose.yml`:
2. Modify the `backend`, `cron`, and any self-hosted Wave service container configuration blocks in `docker-compose.yml`:

```yaml
CONTAINER_NAME:
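Review bot: The reworded step 2 still points at a single `docker-compose.yml`, which reads as if the self-hosted Wave services are defined in the same compose file as `backend` and `cron`. If Wave is deployed from its own compose file, say so here, and name the Wave service or services to edit, because the YAML that follows only shows the `CONTAINER_NAME` placeholder. The phrase "any self-hosted Wave service container configuration blocks" is also hard to parse; "the configuration block of each self-hosted Wave service" would read more cleanly.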
Expand Down Expand Up @@ -68,7 +72,7 @@ keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem
kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem
```

3. Modify both the `backend` and `cron` Deployment objects:
3. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects:

- Define a new volume based on the certificate `ConfigMap`:

Expand Down Expand Up @@ -114,7 +118,7 @@ kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem

**Download on Pod start**

1. Modify both the `backend` and `cron` Deployment objects to retrieve and load the certificate prior to running your Seqera instance:
1. Modify the `backend`, `cron`, and any self-hosted Wave Deployment objects to retrieve and load the certificate prior to running your Seqera instance:

```yaml
spec:
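Review bot: In the reworded step 1, "prior to running your Seqera instance" no longer matches the list, which now includes Wave Deployment objects; "before each service starts" would cover all three. Please also confirm that the startup snippet under `spec:` works unchanged in the Wave image, or state in the step where it differs.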
Expand Up @@ -64,16 +64,19 @@ Wave features are available on the compute environment creation page after integ

## Limitations

- Wave does not support container repositories with private CA SSL certificates
- The Seqera-hosted Wave service does not support container repositories with private CA SSL certificates.

## Self-hosted Wave deployment

For enterprises requiring full control over container builds, caching, and security scanning, Wave can be deployed in your own infrastructure.

Self-hosted Wave supports:

- **Wave Lite**: Container augmentation and inspection capabilities (AWS, Azure, GCP)
- **Full Wave**: Complete build capabilities including Conda-based containers and security scanning (requires AWS EKS with EFS storage)

If your self-hosted deployment uses a private Certificate Authority, import the same private CA root certificate into the Platform `backend`, `cron`, and Wave containers. See [SSL/TLS](./ssl_tls#configure-seqera-to-trust-your-private-certificate) for guidance.

See the [Wave documentation](https://docs.seqera.io/wave) for installation and configuration guidance.

## Additional resources
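Review bot: The link target `./ssl_tls#configure-seqera-to-trust-your-private-certificate` in the added paragraph should be checked against the SSL/TLS page, since the part of that page visible in this change only shows the bold label `**Configure private certificate trust**`, which does not produce an anchor. Separately, the reworded limitation now restricts the private CA restriction to the Seqera-hosted service, which implies that self-hosted Wave can pull from container repositories that use private CA certificates, yet the new paragraph only says "uses a private Certificate Authority". If that is the intent, state it directly in the paragraph so the limitation and the self-hosted section agree.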