splitting UI and agent traffic, having an LE cert for the UI and using my self-signed cert using ed448 (for the CA) and ed25519 (for the server) for the agent API.
All the doco I could find was using old Kolide endpoints that don't exist anymore or have been renamed.
Also split the domains, so for example
ui.fleet.mydomain.com and
api.fleet.mydomain.com (I didn't use this naming scheme, though), so the UI is accessed on a different domain from the one the agents use.
This also allows me to set up a honeypot that looks for anything trying to access the API on my UI domain, or anything trying to access the UI on my API domain :)
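The honeypot idea from the post above, as an added example that is mine and not the poster's code: a small detector that reads nginx-style access log lines and flags requests that cross the UI/agent domain split. It assumes an access log whose first field is `$host` (nginx's default `combined` format does not log it, so you would add it to your `log_format`), the placeholder hostnames `ui.fleet.mydomain.com` and `api.fleet.mydomain.com` from the post, and assumed Fleet path prefixes (agent traffic under `/api/osquery/` and `/api/fleet/orbit/`; browser/UI API under `/api/v1/fleet/` and `/api/latest/fleet/`), which you should check against your Fleet version. It goes slightly beyond the post by treating any non-agent path on the API domain, and any unknown `Host` header, as a probe, since a scanner hitting the agent domain will rarely ask for a UI path by name. The sample log lines are constructed for the example.

```python
"""Detect cross-domain probes on a split Fleet deployment (UI domain vs agent API domain).

Assumed log_format (first field is $host):
  $host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder hostnames taken from the post; substitute your own.
UI_HOST = "ui.fleet.mydomain.com"
API_HOST = "api.fleet.mydomain.com"

# ASSUMPTION: Fleet path prefixes, verify against your Fleet release.
AGENT_PREFIXES = ("/api/osquery/", "/api/fleet/orbit/")

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Alert:
    host: str
    client: str
    path: str
    reason: str


def classify(host: str, path: str) -> Optional[str]:
    """Return why a request is suspicious, or None if it matches its domain's role."""
    if host == UI_HOST and path.startswith(AGENT_PREFIXES):
        return "agent endpoint on UI domain"
    if host == API_HOST and not path.startswith(AGENT_PREFIXES):
        # Agents only ever talk to the agent prefixes; anything else is a probe.
        return "non-agent path on API domain"
    if host not in (UI_HOST, API_HOST):
        # Raw-IP or wrong-vhost requests never come from a correctly configured agent.
        return "unknown Host header"
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse access log lines and return one Alert per cross-domain request."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; ignore rather than guess
        reason = classify(m["host"], m["path"])
        if reason:
            alerts.append(Alert(m["host"], m["client"], m["path"], reason))
    return alerts


# Constructed sample log: two legitimate requests and four probes.
SAMPLE_LOG = """\
ui.fleet.mydomain.com 203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
ui.fleet.mydomain.com 198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /api/osquery/enroll HTTP/1.1" 404 0
api.fleet.mydomain.com 192.0.2.55 - - [10/Oct/2023:13:56:01 +0000] "POST /api/osquery/distributed/read HTTP/1.1" 200 88
api.fleet.mydomain.com 198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /login HTTP/1.1" 404 0
api.fleet.mydomain.com 198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET / HTTP/1.1" 404 0
192.0.2.1 198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /.env HTTP/1.1" 404 0
""".splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.client} -> {a.host}{a.path}: {a.reason}")
```

Run it against a live log with `tail -F` piped into `scan()`, or feed the alerts to whatever you already use for fail2ban-style blocking; the useful part is that an attacker who finds the UI domain cannot enroll a rogue agent there, and one who finds the agent domain reveals themselves on the first non-agent path.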