diff --git a/_docs/reference/commands/istio_ca.md b/_docs/reference/commands/istio_ca.md
new file mode 100644
index 0000000000..7f4af3e2bd
--- /dev/null
+++ b/_docs/reference/commands/istio_ca.md
@@ -0,0 +1,72 @@
+---
+title: istio_ca
+overview: Istio Certificate Authority (CA)
+layout: docs
+order: 301
+type: markdown
+---
+
+
+## istio_ca
+
+Istio Certificate Authority (CA)
+
+### Synopsis
+
+
+Istio Certificate Authority (CA)
+
+```
+istio_ca [flags]
+```
+
+### Options
+
+```
+ --alsologtostderr log to standard error as well as files
+ --ca-cert-ttl duration The TTL of self-signed CA root certificate (default 8760h0m0s)
+ --cert-chain string Speicifies path to the certificate chain file
+ --cert-ttl duration The TTL of issued certificates (default 1h0m0s)
+ --grpc-hostname string Specifies the hostname for GRPC server. (default "localhost")
+ --grpc-port int Specifies the port number for GRPC server. If unspecified, Istio CA will not server GRPC request.
+ --kube-config string Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod.
+ --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log_dir string If non-empty, write log files in this directory
+ --logtostderr log to standard error instead of files
+ --namespace string Select a namespace for the CA to listen to. If unspecified, Istio CA tries to use the ${NAMESPACE} environment variable. If neither is set, Istio CA listens to all namespaces.
+ --root-cert string Specifies path to the root certificate file
+ --self-signed-ca Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored.
+ --self-signed-ca-org string The issuer organization used in self-signed CA certificate (default to k8s.cluster.local) (default "k8s.cluster.local")
+ --signing-cert string Specifies path to the CA signing certificate file
+ --signing-key string Specifies path to the CA signing key file
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+
+## istio_ca version
+
+Display version information
+
+### Synopsis
+
+
+Display version information
+
+```
+istio_ca version
+```
+
+### Options inherited from parent commands
+
+```
+ --alsologtostderr log to standard error as well as files
+ --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+ --log_dir string If non-empty, write log files in this directory
+ --logtostderr log to standard error instead of files
+ --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
+ -v, --v Level log level for V logs
+ --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
diff --git a/scripts/generate-cli-docs.sh b/scripts/generate-cli-docs.sh
index 67fae5b2d2..3ba52ffe29 100755
--- a/scripts/generate-cli-docs.sh
+++ b/scripts/generate-cli-docs.sh
@@ -6,6 +6,10 @@ set -o pipefail
# TODO(REVIEWER): how do we want to handle finding the two binaries? set a default and try, or abort?
ISTIOCTL=${ISTIOCTL:-istioctl}
+if [[ -z "${ISTIO_CA_CLI}" ]]; then
+ echo "No istio_ca command defined via the environment variable ISTIO_CA_CLI"
+ exit 1
+fi
if [[ -z "${MIXCOL_CLI}" ]]; then
echo "No mixcol command defined via the environment variable MIXCOL_CLI"
exit 1
@@ -98,6 +102,7 @@ function processPerBinaryFiles() {
# Generate our output
${MIXCOL_CLI} -o ${WORKING_DIR}
${ISTIOCTL} markdown --dir ${WORKING_DIR}
+${ISTIO_CA_CLI} markdown --dir ${WORKING_DIR}
# Clean up the target directory
mkdir -p ${OUTPUT_DIR}
@@ -107,5 +112,6 @@ generateIndex > ${OUTPUT_DIR}/index.md
processPerBinaryFiles "istioctl" 1 > ${OUTPUT_DIR}/istioctl.md
processPerBinaryFiles "mixc" 101 > ${OUTPUT_DIR}/mixc.md
processPerBinaryFiles "mixs" 201 > ${OUTPUT_DIR}/mixs.md
+processPerBinaryFiles "istio_ca" 301 > ${OUTPUT_DIR}/istio_ca.md
rm -rfd ${WORKING_DIR}