PAWS Data Pipeline deployment

We are moving toward our for-real deployment and I have two questions (for now):

1 - We’re going to create an alias in the PAWS domain pointing to app in the CfP prod cluster - what CNAME do we point to?

2 - If the recommendation is still to use k8s Sealed Secrets, where do we find the public cert?