diff --git a/bin/init.sh b/bin/init.sh
index 3856a97a5c..6f3273b552 100755
--- a/bin/init.sh
+++ b/bin/init.sh
@@ -62,8 +62,9 @@ cp -a "${ISTIO_OUT}/release/istioctl-linux-amd64" /gobin/istioctl
 popd > /dev/null
 
 # Copy install/samples files over from Istio. These are needed by the tests.
-rm -rf "${ISTIOIO_GO}/samples" "${ISTIOIO_GO}/tests/integration" "${ISTIOIO_GO}/manifests"
+rm -rf "${ISTIOIO_GO}/samples" "${ISTIOIO_GO}/tools" "${ISTIOIO_GO}/tests/integration" "${ISTIOIO_GO}/manifests"
 cp -a "${ISTIO_GO}/samples" "${ISTIOIO_GO}/samples"
+cp -a "${ISTIO_GO}/tools" "${ISTIOIO_GO}/tools"
 mkdir "${ISTIOIO_GO}/tests/integration/"
 cp -a "${ISTIO_GO}/tests/integration/iop-integration-test-defaults.yaml" "${ISTIOIO_GO}/tests/integration/"
 cp -a "${ISTIO_GO}/manifests" "${ISTIOIO_GO}/manifests"
diff --git a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/ca-hierarchy.svg b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/ca-hierarchy.svg
new file mode 100644
index 0000000000..d4087e2952
--- /dev/null
+++ b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/ca-hierarchy.svg
@@ -0,0 +1,398 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   sodipodi:docname="ca-hierarchy.svg"
+   inkscape:version="1.0 (4035a4f, 2020-05-01)"
+   id="svg8"
+   version="1.1"
+   viewBox="0 0 297 210"
+   height="210mm"
+   width="297mm">
+  <defs
+     id="defs2">
+    <linearGradient
+       id="linearGradient1863"
+       inkscape:collect="always">
+      <stop
+         id="stop1859"
+         offset="0"
+         style="stop-color:#030000;stop-opacity:1;" />
+      <stop
+         id="stop1861"
+         offset="1"
+         style="stop-color:#030000;stop-opacity:0;" />
+    </linearGradient>
+    <rect
+       id="rect1855"
+       height="14.967094"
+       width="226.11002"
+       y="35.279578"
+       x="58.264757" />
+    <rect
+       id="rect1849"
+       height="18.708867"
+       width="63.610148"
+       y="33.67596"
+       x="183.88143" />
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker1664"
+       style="overflow:visible;"
+       inkscape:isstock="true">
+      <path
+         id="path1662"
+         d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+         transform="scale(0.8) rotate(180) translate(12.5,0)" />
+    </marker>
+    <marker
+       inkscape:collect="always"
+       inkscape:isstock="true"
+       style="overflow:visible;"
+       id="Arrow1Lend"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="Arrow1Lend">
+      <path
+         transform="scale(0.8) rotate(180) translate(12.5,0)"
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+         d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+         id="path936" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker1211"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="Arrow1Lstart">
+      <path
+         transform="scale(0.8) translate(12.5,0)"
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+         d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+         id="path1209" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="Arrow1Lstart"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="Arrow1Lstart">
+      <path
+         transform="scale(0.8) translate(12.5,0)"
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+         d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+         id="path933" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lend-5"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path936-6"
+         d="M 0,0 5,-5 -12.5,0 5,5 Z"
+         style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
+         transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker1664-6"
+       refX="0"
+       refY="0"
+       orient="auto"
+       inkscape:stockid="Arrow1Lend">
+      <path
+         transform="matrix(-0.8,0,0,-0.8,-10,0)"
+         style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
+         d="M 0,0 5,-5 -12.5,0 5,5 Z"
+         id="path1662-8" />
+    </marker>
+    <linearGradient
+       gradientUnits="userSpaceOnUse"
+       y2="39.394534"
+       x2="126.30896"
+       y1="39.394534"
+       x1="58.611914"
+       id="linearGradient1865"
+       xlink:href="#linearGradient1863"
+       inkscape:collect="always" />
+    <rect
+       x="58.264755"
+       y="35.279579"
+       width="226.11002"
+       height="14.967094"
+       id="rect1855-0" />
+    <rect
+       x="58.264755"
+       y="35.279579"
+       width="226.11002"
+       height="14.967094"
+       id="rect1892" />
+  </defs>
+  <sodipodi:namedview
+     inkscape:window-maximized="0"
+     inkscape:window-y="23"
+     inkscape:window-x="0"
+     inkscape:window-height="927"
+     inkscape:window-width="1545"
+     inkscape:snap-global="true"
+     showgrid="false"
+     inkscape:document-rotation="0"
+     inkscape:current-layer="layer1"
+     inkscape:document-units="mm"
+     inkscape:cy="560"
+     inkscape:cx="670.84099"
+     inkscape:zoom="0.49497475"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="boxes"
+     id="layer2"
+     inkscape:groupmode="layer" />
+  <g
+     id="layer1"
+     inkscape:groupmode="layer"
+     inkscape:label="Layer 1">
+    <rect
+       y="55.795135"
+       x="14.630894"
+       height="128.43927"
+       width="123.63313"
+       id="rect10"
+       style="opacity:0.94;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#000003;stroke-width:0.944222;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <text
+       id="text837"
+       y="67.886467"
+       x="17.105249"
+       style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+       xml:space="preserve"><tspan
+         style="stroke-width:0.264583"
+         y="67.886467"
+         x="17.105249"
+         id="tspan835"
+         sodipodi:role="line">Cluster 1</tspan></text>
+    <g
+       transform="translate(-2.6458334)"
+       id="g1247">
+      <rect
+         style="opacity:0.94;fill:#ffccaa;fill-opacity:1;stroke:#0f627a;stroke-width:0.977224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         id="rect868"
+         width="87.687172"
+         height="17.662563"
+         x="29.388262"
+         y="84.445778" />
+      <text
+         id="text837-5"
+         y="95.881035"
+         x="34.537598"
+         style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+         xml:space="preserve"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583"
+           y="95.881035"
+           x="34.537598"
+           id="tspan835-7"
+           sodipodi:role="line">Intermediate CA</tspan></text>
+    </g>
+    <rect
+       style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="rect872-7"
+       width="71.093697"
+       height="20.312483"
+       x="35.298088"
+       y="137.68369" />
+    <rect
+       y="145.72864"
+       x="43.305431"
+       height="20.312483"
+       width="71.093697"
+       id="rect872-7-6"
+       style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <g
+       transform="translate(20.176418,35.079059)"
+       id="g881">
+      <rect
+         style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         id="rect872"
+         width="71.093697"
+         height="20.312483"
+         x="31.003265"
+         y="118.13313" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+         x="41.159508"
+         y="130.96207"
+         id="text876"><tspan
+           sodipodi:role="line"
+           id="tspan874"
+           x="41.159508"
+           y="130.96207"
+           style="stroke-width:0.264583">Workload</tspan></text>
+    </g>
+    <path
+       inkscape:connector-curvature="0"
+       inkscape:connector-type="polyline"
+       id="path1413"
+       d="m 70.244001,101.26983 0.267959,33.92308"
+       style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.870527;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend)" />
+    <rect
+       style="opacity:0.94;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#000003;stroke-width:0.944221;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="rect10-0"
+       width="123.63313"
+       height="128.43927"
+       x="150.92998"
+       y="56.062397" />
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+       x="222.19507"
+       y="68.153732"
+       id="text837-6"><tspan
+         sodipodi:role="line"
+         id="tspan835-3"
+         x="222.19507"
+         y="68.153732"
+         style="stroke-width:0.264583">Cluster 2</tspan></text>
+    <g
+       id="g1247-3"
+       transform="translate(133.65325,0.26725968)">
+      <rect
+         y="84.445778"
+         x="29.388262"
+         height="17.662563"
+         width="87.687172"
+         id="rect868-1"
+         style="opacity:0.94;fill:#ffccaa;fill-opacity:1;stroke:#0f627a;stroke-width:0.977224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+         x="34.537598"
+         y="95.881035"
+         id="text837-5-1"><tspan
+           sodipodi:role="line"
+           id="tspan835-7-5"
+           x="34.537598"
+           y="95.881035"
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583">Intermediate CA</tspan></text>
+    </g>
+    <rect
+       y="137.95096"
+       x="171.59717"
+       height="20.312483"
+       width="71.093697"
+       id="rect872-7-60"
+       style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <rect
+       style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="rect872-7-6-9"
+       width="71.093697"
+       height="20.312483"
+       x="179.60451"
+       y="145.99591" />
+    <g
+       id="g881-5"
+       transform="translate(156.4755,35.34632)">
+      <rect
+         y="118.13313"
+         x="31.003265"
+         height="20.312483"
+         width="71.093697"
+         id="rect872-6"
+         style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+      <text
+         id="text876-2"
+         y="130.96207"
+         x="41.159508"
+         style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+         xml:space="preserve"><tspan
+           style="stroke-width:0.264583"
+           y="130.96207"
+           x="41.159508"
+           id="tspan874-7"
+           sodipodi:role="line">Workload</tspan></text>
+    </g>
+    <path
+       style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.870527;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-5)"
+       d="m 206.54309,101.53709 0.26795,33.92308"
+       id="path1413-9"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <g
+       transform="translate(10.118636,-11.17697)"
+       id="g1658">
+      <rect
+         style="opacity:0.94;fill:#98e797;fill-opacity:1;stroke:#0f627a;stroke-width:0.81753;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         id="rect868-1-5"
+         width="57.378143"
+         height="18.891335"
+         x="104.67843"
+         y="21.557596" />
+      <text
+         id="text837-5-1-3"
+         y="34.141781"
+         x="112.5803"
+         style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
+         xml:space="preserve"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583"
+           y="34.141781"
+           x="112.5803"
+           id="tspan835-7-5-3"
+           sodipodi:role="line">Root CA</tspan></text>
+    </g>
+    <path
+       inkscape:connector-curvature="0"
+       inkscape:connector-type="polyline"
+       id="path1660"
+       d="M 142.18739,28.865109 71.628232,83.38809"
+       style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker1664)" />
+    <path
+       style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker1664-6)"
+       d="m 142.18739,28.865109 64.67922,53.453905"
+       id="path1660-6"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <text
+       transform="translate(-6.4144687)"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.34999999999999964px;font-family:Arial;-inkscape-font-specification:Arial;white-space:pre;shape-inside:url(#rect1855);opacity:0.94;fill:#98e797;fill-opacity:1;stroke:url(#linearGradient1865);stroke-width:0.25;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;"
+       id="text1853"
+       xml:space="preserve"><tspan
+         x="58.265625"
+         y="40.999087"><tspan
+           style="font-size:6.35px;fill:none;stroke:#030000;stroke-width:0.25;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">Manually provision certs</tspan></tspan></text>
+  </g>
+</svg>
diff --git a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/index.md b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/index.md
index 4516932eee..41e5beb398 100644
--- a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/index.md
+++ b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/index.md
@@ -1,6 +1,6 @@
 ---
-title: Plugging in existing CA Certificates
-description: Shows how system administrators can configure Istio's CA with an existing root certificate, signing certificate and key.
+title: Plug in CA Certificates
+description: Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key.
 weight: 80
 keywords: [security,certificates]
 aliases:
@@ -9,47 +9,98 @@ owner: istio/wg-security-maintainers
 test: yes
 ---
 
-This task shows how administrators can configure the Istio certificate authority with an existing root certificate, signing certificate and key.
+This task shows how administrators can configure the Istio certificate authority (CA) with a root certificate,
+signing certificate and key.
 
 By default, Istio's CA generates a self-signed root certificate and key, and uses them to sign the workload certificates.
 Istio's CA can also sign workload certificates using an administrator-specified certificate and key, and with an
-administrator-specified root certificate. This task demonstrates how to plug such certificates and key into Istio's CA.
+administrator-specified root certificate.
 
-## Plugging in existing certificates and key
+A root CA is used by all workloads within a mesh as the root of trust. Each Istio CA uses an intermediate CA
+signing key and certificate, signed by the root CA. When multiple Istio CAs exist within a mesh, this establishes a
+hierarchy of trust among the CAs.
 
-Suppose we want to have Istio's CA use an existing signing (CA) certificate `ca-cert.pem` and key `ca-key.pem`.
-Furthermore, the certificate `ca-cert.pem` is signed by the root certificate `root-cert.pem`.
-We would like to use `root-cert.pem` as the root certificate for Istio workloads.
+{{< image width="80%"
+    link="ca-hierarchy.svg"
+    caption="CA Hierarchy"
+    >}}
 
-In the following example,
-Istio CA's signing (CA) certificate (`ca-cert.pem`) is different from the root certificate (`root-cert.pem`),
-so the workload cannot validate the workload certificates directly from the root certificate.
-The workload needs a `cert-chain.pem` file to specify the chain of trust,
-which should include the certificates of all the intermediate CAs between the workloads and the root CA.
-In our example, it contains Istio CA's signing certificate, so `cert-chain.pem` is the same as `ca-cert.pem`.
-Note that if your `ca-cert.pem` is the same as `root-cert.pem`, the `cert-chain.pem` file should be empty.
+This task demonstrates how to generate and plug in the certificates and key for Istio's CA. These steps can be repeated
+to provision certificates and keys for any number of Istio CAs.
 
-These files are ready to use in the `samples/certs/` directory.
+## Plug in certificates and key into the cluster
 
 {{< tip >}}
-The default Istio CA installation configures the location of certificates and keys based on the
-predefined secret and file names used in the command below (i.e., secret named `cacerts`, root certificate
-in a file named `root-cert.pem`, Istio CA's key in `ca-key.pem`, etc.).
-You must use these specific secret and file names, or reconfigure Istio's CA when you deploy Istio.
+For production cluster setup, it is a good practice to do the following on an offline machine with good
+security protection. The root private key should be exposed to as few people and processes as possible.
 {{< /tip >}}
 
-The following steps plug in the certificates and key into a Kubernetes secret,
-which will be read by Istio's CA:
+1.  Create a directory for holding certificates and keys:
+
+    {{< text bash >}}
+    $ mkdir -p certs
+    $ pushd certs
+    {{< /text >}}
+
+1.  Generate the root certificate and key:
+
+    {{< text bash >}}
+    $ make -f ../tools/certs/Makefile.selfsigned.mk root-ca
+    {{< /text >}}
+
+    This will generate the following files:
+
+    * `root-cert.pem`: the generated root certificate
+    * `root-key.pem`: the generated root key
+    * `root-ca.conf`: the configuration for `openssl` to generate the root certificate
+    * `root-cert.csr`: the generated CSR for the root certificate
+
+1.  Generate an intermediate certificate and key:
+
+    {{< text bash >}}
+    $ make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
+    {{< /text >}}
+
+    This will generate the following files in a directory named `cluster1`:
+
+    * `ca-cert.pem`: the generated intermediate certificates
+    * `ca-key.pem`: the generated intermediate key
+    * `cert-chain.pem`: the generated certificate chain which is used by istiod
+    * `root-cert.pem`: the root certificate
+    * `intermediate.conf`: the configuration for `openssl` to generate the intermediate certificate
+    * `cluster-ca.csr`: the generated CSR for the intermediate certificate
+
+    {{< tip >}}
+    You can replace `cluster1` with a string of your choosing. For example, `make mycluster-certs` will
+    result in the creation of a directory called `mycluster`.
+    {{< /tip >}}
+
+    {{< tip >}}
+    To configure additional Istio CAs, you can repeat this step with different cluster/directory names.
+    {{< /tip >}}
+
+    If you are doing this on an offline machine, copy the generated directory to a machine with access to the
+    clusters.
 
 1.  Create a secret `cacerts` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`:
 
     {{< text bash >}}
     $ kubectl create namespace istio-system
-    $ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
-        --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
-        --from-file=samples/certs/cert-chain.pem
+    $ kubectl create secret generic cacerts -n istio-system \
+          --from-file=cluster1/ca-cert.pem \
+          --from-file=cluster1/ca-key.pem \
+          --from-file=cluster1/root-cert.pem \
+          --from-file=cluster1/cert-chain.pem
     {{< /text >}}
 
+1.  Return to the top-level directory of the Istio installation:
+
+    {{< text bash >}}
+    $ popd
+    {{< /text >}}
+
+## Deploy Istio
+
 1.  Deploy Istio using the `demo` profile.
 
     Istio's CA will read certificates and key from the secret-mount files.
@@ -106,7 +157,7 @@ openssl command is expected.
 1.  Verify the root certificate is the same as the one specified by the administrator:
 
     {{< text bash >}}
-    $ openssl x509 -in samples/certs/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
+    $ openssl x509 -in certs/cluster1/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
     $ openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
     $ diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
     Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical
@@ -115,7 +166,7 @@ openssl command is expected.
 1.  Verify the CA certificate is the same as the one specified by the administrator:
 
     {{< text bash >}}
-    $ openssl x509 -in samples/certs/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
+    $ openssl x509 -in certs/cluster1/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
     $ openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
     $ diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
     Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical
@@ -124,13 +175,19 @@ openssl command is expected.
 1.  Verify the certificate chain from the root certificate to the workload certificate:
 
     {{< text bash >}}
-    $ openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.pem) ./proxy-cert-1.pem
+    $ openssl verify -CAfile <(cat certs/cluster1/ca-cert.pem certs/cluster1/root-cert.pem) ./proxy-cert-1.pem
     ./proxy-cert-1.pem: OK
     {{< /text >}}
 
 ## Cleanup
 
-*   To remove the secret `cacerts`, and the `foo` and `istio-system` namespaces:
+*   Remove the certificates, keys, and intermediate files from your local disk:
+
+    {{< text bash >}}
+    $ rm -rf certs
+    {{< /text >}}
+
+*   Remove the secret `cacerts`, and the `foo` and `istio-system` namespaces:
 
     {{< text bash >}}
     $ kubectl delete secret cacerts -n istio-system
diff --git a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
index 57c34ea903..466b6a5647 100644
--- a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
+++ b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/snips.sh
@@ -20,14 +20,33 @@
 #          docs/tasks/security/cert-management/plugin-ca-cert/index.md
 ####################################################################################################
 
-snip_plugging_in_existing_certificates_and_key_1() {
-kubectl create namespace istio-system
-kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
-    --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
-    --from-file=samples/certs/cert-chain.pem
+snip_plug_in_certificates_and_key_into_the_cluster_1() {
+mkdir -p certs
+pushd certs
 }
 
-snip_plugging_in_existing_certificates_and_key_2() {
+snip_plug_in_certificates_and_key_into_the_cluster_2() {
+make -f ../tools/certs/Makefile.selfsigned.mk root-ca
+}
+
+snip_plug_in_certificates_and_key_into_the_cluster_3() {
+make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
+}
+
+snip_plug_in_certificates_and_key_into_the_cluster_4() {
+kubectl create namespace istio-system
+kubectl create secret generic cacerts -n istio-system \
+      --from-file=cluster1/ca-cert.pem \
+      --from-file=cluster1/ca-key.pem \
+      --from-file=cluster1/root-cert.pem \
+      --from-file=cluster1/cert-chain.pem
+}
+
+snip_plug_in_certificates_and_key_into_the_cluster_5() {
+popd
+}
+
+snip_deploy_istio_1() {
 istioctl install --set profile=demo
 }
 
@@ -59,7 +78,7 @@ awk 'BEGIN {counter=0;} /BEGIN CERT/{counter++} { print > "proxy-cert-" counter
 }
 
 snip_verifying_the_certificates_3() {
-openssl x509 -in samples/certs/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
+openssl x509 -in certs/cluster1/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
 openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
 diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
 }
@@ -69,7 +88,7 @@ Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical
 ENDSNIP
 
 snip_verifying_the_certificates_4() {
-openssl x509 -in samples/certs/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
+openssl x509 -in certs/cluster1/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
 openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
 diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
 }
@@ -79,7 +98,7 @@ Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical
 ENDSNIP
 
 snip_verifying_the_certificates_5() {
-openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.pem) ./proxy-cert-1.pem
+openssl verify -CAfile <(cat certs/cluster1/ca-cert.pem certs/cluster1/root-cert.pem) ./proxy-cert-1.pem
 }
 
 ! read -r -d '' snip_verifying_the_certificates_5_out <<\ENDSNIP
@@ -87,6 +106,10 @@ openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.p
 ENDSNIP
 
 snip_cleanup_1() {
+rm -rf certs
+}
+
+snip_cleanup_2() {
 kubectl delete secret cacerts -n istio-system
 kubectl delete ns foo istio-system
 }
diff --git a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/test.sh b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/test.sh
index 66c5d0705b..71d4261cd2 100644
--- a/content/en/docs/tasks/security/cert-management/plugin-ca-cert/test.sh
+++ b/content/en/docs/tasks/security/cert-management/plugin-ca-cert/test.sh
@@ -21,8 +21,13 @@ set -o pipefail
 
 # @setup profile=none
 
-snip_plugging_in_existing_certificates_and_key_1
-echo y | snip_plugging_in_existing_certificates_and_key_2
+snip_plug_in_certificates_and_key_into_the_cluster_1
+snip_plug_in_certificates_and_key_into_the_cluster_2
+snip_plug_in_certificates_and_key_into_the_cluster_3
+snip_plug_in_certificates_and_key_into_the_cluster_4
+snip_plug_in_certificates_and_key_into_the_cluster_5
+
+echo y | snip_deploy_istio_1
 _wait_for_deployment istio-system istiod
 
 # create_ns_foo_with_httpbin_sleep
@@ -55,3 +60,4 @@ _verify_same snip_verifying_the_certificates_5 "$snip_verifying_the_certificates
 # @cleanup
 set +e # ignore cleanup errors
 snip_cleanup_1
+snip_cleanup_2