diff --git a/docs/spec/v1/buckets.md b/docs/spec/v1/buckets.md
index eadd4cca..b00c9bf9 100644
--- a/docs/spec/v1/buckets.md
+++ b/docs/spec/v1/buckets.md
@@ -843,10 +843,13 @@ See [Provider](#provider) for more (provider specific) examples.
 
 See [Provider](#provider) for more (provider specific) examples.
 
-### Cert secret reference
+### Mutual TLS Authentication
 
 `.spec.certSecretRef.name` is an optional field to specify a secret containing
-TLS certificate data. The secret can contain the following keys:
+TLS certificate data for mutual TLS authentication.
+
+To authenticate towards a bucket using mutual TLS,
+the referenced Secret's `.data` should contain the following keys:
 
 * `tls.crt` and `tls.key`, to specify the client certificate and private key used
 for TLS client authentication. These must be used in conjunction, i.e.
@@ -854,9 +857,6 @@ specifying one without the other will lead to an error.
 * `ca.crt`, to specify the CA certificate used to verify the server, which is
 required if the server is using a self-signed certificate.
 
-If the server is using a self-signed certificate and has TLS client
-authentication enabled, all three values are required.
-
 The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
 the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
 three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
diff --git a/docs/spec/v1/helmrepositories.md b/docs/spec/v1/helmrepositories.md
index 94d6c5af..f129cee8 100644
--- a/docs/spec/v1/helmrepositories.md
+++ b/docs/spec/v1/helmrepositories.md
@@ -439,10 +439,13 @@ deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
 If the controller uses the secret specified by this field to configure TLS, then
 a deprecation warning will be logged.
 
-### Cert secret reference
+### Mutual TLS Authentication
 
 `.spec.certSecretRef.name` is an optional field to specify a secret containing
-TLS certificate data. The secret can contain the following keys:
+TLS certificate data for mutual TLS authentication.
+
+To authenticate towards a Helm repository using mutual TLS,
+the referenced Secret's `.data` should contain the following keys:
 
 * `tls.crt` and `tls.key`, to specify the client certificate and private key used
 for TLS client authentication. These must be used in conjunction, i.e.
@@ -450,9 +453,6 @@ specifying one without the other will lead to an error.
 * `ca.crt`, to specify the CA certificate used to verify the server, which is
 required if the server is using a self-signed certificate.
 
-If the server is using a self-signed certificate and has TLS client
-authentication enabled, all three values are required.
-
 The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
 the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
 three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
diff --git a/docs/spec/v1/ocirepositories.md b/docs/spec/v1/ocirepositories.md
index 5b67c54b..d2bfa399 100644
--- a/docs/spec/v1/ocirepositories.md
+++ b/docs/spec/v1/ocirepositories.md
@@ -287,10 +287,13 @@ provide a `secretRef` nor `serviceAccountName`.
 For a complete guide on how to set up authentication for cloud providers,
 see the integration [docs](/flux/integrations/).
 
-### Cert secret reference
+### Mutual TLS Authentication
 
 `.spec.certSecretRef.name` is an optional field to specify a secret containing
-TLS certificate data. The secret can contain the following keys:
+TLS certificate data for mutual TLS authentication.
+
+To authenticate towards an OCI repository using mutual TLS,
+the referenced Secret's `.data` should contain the following keys:
 
 * `tls.crt` and `tls.key`, to specify the client certificate and private key used
 for TLS client authentication. These must be used in conjunction, i.e.
@@ -298,9 +301,6 @@ specifying one without the other will lead to an error.
 * `ca.crt`, to specify the CA certificate used to verify the server, which is
 required if the server is using a self-signed certificate.
 
-If the server is using a self-signed certificate and has TLS client
-authentication enabled, all three values are required.
-
 The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
 the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
 three files; `client.key`, `client.crt` and `ca.crt` for the client private key,