Address review comments pt. 2 (changes in 'Secure connections' docs)

Author: vishaangelova

reference/fleet/certificates-rotation.md

@@ -3,6 +3,7 @@ mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/certificates-rotation.html
 applies_to:
   stack: ga
+  serverless: unavailable
 products:
   - id: fleet
   - id: elastic-agent

reference/fleet/mutual-tls.md

@@ -3,6 +3,7 @@ mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/mutual-tls.html
 applies_to:
   stack: ga
+  serverless: ga
 products:
   - id: fleet
   - id: elastic-agent
@@ -54,6 +55,12 @@ When you run {{agent}} with the {{elastic-defend}} integration, the [TLS certifi
 
 ## On-premise deployments [mutual-tls-on-premise]
 
+```{applies_to}
+deployment:
+  self: ga
+  ece: ga
+```
+
 :::{image} images/mutual-tls-on-prem.png
 :alt: Diagram of mutual TLS on premise deployment model
 :::
@@ -132,6 +139,12 @@ ssl.key: /path/to/cert_key
 
 ## {{fleet-server}} on {{ecloud}} [mutual-tls-cloud]
 
+```{applies_to}
+serverless: ga
+deployment:
+  ess: ga
+```
+
 In this deployment model, all traffic ingress into {{ecloud}} has its TLS connection terminated at the {{ecloud}} boundary. Since this termination is not handled on a per-tenant basis, a client-specific certificate can NOT be used at this point.
 
 :::{image} images/mutual-tls-cloud.png
@@ -143,6 +156,12 @@ We currently don’t support mTLS in this deployment model. An alternate deploym
 
 ## {{fleet-server}} on {{ecloud}} using a proxy [mutual-tls-cloud-proxy]
 
+```{applies_to}
+deployment:
+  ess: ga
+serverless: ga
+```
+
 In this scenario, where you have access to the proxy, you can configure mTLS between the agent and your proxy.
 
 :::{image} images/mutual-tls-cloud-proxy.png
@@ -164,6 +183,11 @@ During {{agent}} installation on premise use the following options:
 
 ## {{fleet-server}} on-premise and {{ech}} [mutual-tls-on-premise-hosted-es]
 
+```{applies_to}
+deployment:
+  ess: ga
+```
+
 In some scenarios you may want to deploy {{fleet-server}} on your own premises. In this case, you’re able to provide your own certificates and certificate authority to enable mTLS between {{fleet-server}} and {{agent}}.
 
 However, as with the [{{fleet-server}} on {{ecloud}}](#mutual-tls-cloud) use case, the data plane TLS connections terminate at the {{ecloud}} boundary. {{ecloud}} is not a multi-tenanted service and therefore can’t provide per-user certificates.

reference/fleet/secure-connections.md

@@ -3,6 +3,7 @@ mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/secure-connections.html
 applies_to:
   stack: ga
+  serverless: unavailable
 products:
   - id: fleet
   - id: elastic-agent
@@ -85,7 +86,7 @@ This section describes how to use the `certutil` tool provided by {{es}}, but yo
     Store the files in a secure location. You’ll need these files later to encrypt traffic between {{agent}}s and {{fleet-server}}.
 
 
-## Configure SSL/TLS using CLI  [fleet-server-ssl-cli-settings]
+## Configure SSL/TLS using CLI [fleet-server-ssl-cli-settings]
 
 Use the CLI to configure SSL or TLS when installing or enrolling {{fleet-server}}. This method gives you granular control over certificate paths, verification modes, and authentication behavior.
 

reference/fleet/secure.md

@@ -4,6 +4,7 @@ mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/secure.html
 applies_to:
   stack: ga
+  serverless: ga
 products:
   - id: fleet
   - id: elastic-agent
@@ -14,7 +15,7 @@ products:
 
 Some connections may require you to generate certificates and configure SSL/TLS.
 
-* [Configure SSL/TLS for self-managed {{fleet-server}}s](/reference/fleet/secure-connections.md)
+* [Configure SSL/TLS for self-managed {{fleet-server}}s](/reference/fleet/secure-connections.md) {applies_to}`serverless: unavailable`
 * [{{agent}} deployment models with mutual TLS](/reference/fleet/mutual-tls.md)
 * [Configure SSL/TLS for the {{ls}} output](/reference/fleet/secure-logstash-connections.md)
 

reference/fleet/tls-overview.md

@@ -3,6 +3,7 @@ mapped_pages:
   - https://www.elastic.co/guide/en/fleet/current/tls-overview.html
 applies_to:
   stack: ga
+  serverless: ga
 products:
   - id: fleet
   - id: elastic-agent
@@ -21,6 +22,10 @@ You can also configure one-way and mutual TLS connections using {{kib}}. {applie
 
 ## Simple one-way TLS connection [one-way-tls-connection]
 
+```{applies_to}
+serverless: unavailable
+```
+
 The following `elastic-agent install` command configures a {{fleet-server}} with the required certificates and certificate authorities to enable one-way TLS connections between the components involved:
 
 ```shell
@@ -59,6 +64,10 @@ During the TLS connection setup, {{fleet-server}} presents its certificate `flee
 
 ## Mutual TLS connection [mutual-tls-connection]
 
+```{applies_to}
+serverless: unavailable
+```
+
 The following `elastic-agent install` command configures a {{fleet-server}} with the required certificates and certificate authorities to enable mutual TLS connections between the components involved:
 
 ```shell
@@ -103,14 +112,25 @@ You can also configure mutual TLS for {{fleet-server}} and {{agent}} [using a pr
 :::
 
 ## Configure TLS/mTLS settings in the Fleet UI [tls-ui-settings]
+
 ```{applies_to}
   stack: ga 9.1
 ```
 
-You can configure TLS and mutual TLS (mTLS) settings for {{fleet-server}} and outputs using the {{fleet}} UI.
+In self-managed and {{ech}} deployments, you can configure TLS and mutual TLS (mTLS) for {{fleet-server}} and outputs in the {{fleet}} UI. 
+
+:::{{note}}
+:applies_to: serverless: ga
+
+On {{serverless-short}}, the {{fleet-server}} settings are managed, but you can still configure TLS/mTLS for your outputs.
+:::
 
 ### Fleet Server SSL options
 
+```{applies_to}
+serverless: unavailable
+```
+
 To access these settings:
 
 1. In **Kibana**, go to **Management > {{fleet}} > Settings**.