Feature Request
Resolution: Unresolved
Normal
cloud
User Story:
As a customer using Ansible Automation Platform in the cloud, I would like a self-service mechanism to inject a custom CA certificate chain into the managed controller instance,
So that I can manage trust settings without needing to open a support case (CEE case) for every update or change.
Requirements:
- Customers should be able to import a custom CA certificate chain through both the UI and a public API.
- The API must support programmatic workflows to enable automation and integration with certificate management systems.
- Invalid or malformed CA chains must not silently break the system. There should be validation with clear error messages and safe fallback behavior.
- Updates to the CA chain should not require backend intervention from Red Hat; the process must be fully self-service.
- Clarify the scope of CA usage:
  - Outbound TLS validation (e.g., connecting to external services like Git, Vault).
  - Optionally, support for inbound TLS (SSL termination for controller UI/API) if needed.
Justification:
Requiring a support ticket for CA updates increases operational toil and introduces unnecessary delays. Certificate rotation and trust updates are common operational tasks. Providing a self-service capability for managing CA chains aligns with the principles of a managed platform, reducing friction and dependency on support for routine configuration updates.