diff --git a/datacenter/dtr/2.3/guides/admin/configure/external-storage/s3.md b/datacenter/dtr/2.3/guides/admin/configure/external-storage/s3.md index 590ff78611..80aac37ce3 100644 --- a/datacenter/dtr/2.3/guides/admin/configure/external-storage/s3.md +++ b/datacenter/dtr/2.3/guides/admin/configure/external-storage/s3.md 
@@ -85,9 +85,25 @@ user. There are also some advanced settings. -| Field | Description | -|:---------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------| -| Version 4 auth | Authenticate the requests using AWS signature version 4. [Learn more](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) | -| Use HTTPS | Secure all requests with HTTPS, or make requests in an insecure way | +| Field | Description | +|:-------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------| +| Signature version 4 auth | Authenticate the requests using AWS signature version 4. [Learn more](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) | +| Use HTTPS | Secure all requests with HTTPS, or make requests in an insecure way | +| Skip TLS verification | Encrypt all traffic, but don't verify the TLS certificate used by the storage backend | +| Root CA certificate | The public key certificate of the root certificate authority that issued the storage backend certificate | Once you click **Save**, DTR validates the configurations and saves the changes. + +## Configure your clients + +If you're using a TLS certificate in your storage backend that's not globally +trusted, you'll have to configure all Docker Engines that push or pull from DTR +to trust that certificate. When you push or pull an image DTR redirects the +requests to the storage backend, so if clients don't trust the TLS certificates +of both DTR and the storage backend, they won't be able to push or pull images. +[Learn how to configure the Docker client](../../../user/access-dtr/index.md). 
+ +And if you've configured DTR to skip TLS verification, you also need to +configure all Docker Engines that push or pull from DTR to skip TLS +verification. You do this by adding DTR to +the [list of insecure registries when starting Docker](https://docs.docker.com/engine/reference/commandline/dockerd/).
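Review bot: The new "Skip TLS verification" table row and the closing paragraph of "Configure your clients" present skipping verification as a neutral choice without saying what is lost. With verification off the traffic is still encrypted, but the storage backend is no longer authenticated, so neither DTR nor the Docker Engines can tell the real backend from an impersonator. Suggest stating that in the table row and pointing readers to the "Root CA certificate" field as the preferred way to handle a backend certificate that is not globally trusted. The last paragraph also tells readers to add DTR to the list of insecure registries on every engine; that relaxes verification for the connection to DTR itself, not only for the redirect to the storage backend, and the text should spell out that consequence. Minor points: the "Root CA certificate" row does not say what format the field expects, and the sentence "When you push or pull an image DTR redirects the requests" needs a comma after "image".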