diff --git a/content/docs/setup/kubernetes/multicluster-install/gateways/index.md b/content/docs/setup/kubernetes/multicluster-install/gateways/index.md index 0da3dfb054..431078628a 100644 --- a/content/docs/setup/kubernetes/multicluster-install/gateways/index.md +++ b/content/docs/setup/kubernetes/multicluster-install/gateways/index.md @@ -44,8 +44,10 @@ on **each** Kubernetes cluster. across different clusters. {{< tip >}} - For illustration purposes, the following instructions use the root certificate from - the Istio samples directory as the intermediate certificates. + For illustration purposes, the following instructions use the certificates + from the Istio samples directory for both clusters. In real world deployments, + you would likely use a different CA certificate for each cluster, all signed + by a common root CA. {{< /tip >}} 1. Generate a multicluster-gateways Istio configuration file using `helm`: @@ -67,7 +69,7 @@ on **each** Kubernetes cluster. 1. Run the following commands in **every cluster** to deploy an identical Istio control plane configuration in all of them. - * Create a Kubernetes secret for your generated CA certificates using a command similar to the following: + * Create a Kubernetes secret for your generated CA certificates using a command similar to the following. See [Certificate Authority (CA) certificates](/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key) for more details. {{< text bash >}} $ kubectl create namespace istio-system diff --git a/content/docs/tasks/security/plugin-ca-cert/index.md b/content/docs/tasks/security/plugin-ca-cert/index.md index 4233a39b10..1862dbd2e7 100644 --- a/content/docs/tasks/security/plugin-ca-cert/index.md +++ b/content/docs/tasks/security/plugin-ca-cert/index.md 
@@ -42,6 +42,11 @@ Note that if your `ca-cert.pem` is the same as `root-cert.pem`, the `cert-chain. These files are ready to use in the `samples/certs/` directory. + {{< tip >}} + The default Citadel installation sets [command line options](/docs/reference/commands/istio_ca/index.html) to configure the location of certificates and keys based on the predefined secret and file names used in the command below (i.e., secret named `cacert`, root certificate in a file named `root-cert.pem`, Citadel key in `ca-key.pem`, etc.) + You must use these specific secret and file names, or reconfigure Citadel when you deploy it. + {{< /tip >}} + The following steps enable plugging in the certificates and key into Citadel: 1. Create a secret `cacert` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`:
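Review bot: In the first hunk (`gateways/index.md`, the `{{< tip >}}` block), the new wording explains the per-cluster CA recommendation but not why it matters; consider adding that with a shared intermediate, the signing key is present in every cluster, so a key compromise in one cluster lets that cluster mint workload certificates trusted by the other, whereas separate intermediates under a common root limit that blast radius to the affected cluster. Minor: "real world deployments" should be hyphenated as "real-world deployments".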
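Review bot: In the second hunk (`gateways/index.md`, the bullet `* Create a Kubernetes secret for your generated CA certificates ...`), the added cross-reference uses the fragment `#plugging-in-the-existing-certificate-and-key`; please confirm that anchor matches a heading that actually exists on the `plugin-ca-cert` page, since Hugo derives fragments from heading text and a mismatch silently lands the reader at the top of the page. Also, inserting "See ... for more details." between "similar to the following" and the command block separates the phrase from what it points to; moving the link sentence before "using a command similar to the following:" keeps the command directly after the phrase that introduces it.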
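Review bot: In the third hunk (`plugin-ca-cert/index.md`, the new `{{< tip >}}`), the first sentence ends at `etc.)` with no terminating period before "You must use these specific secret and file names", so the two sentences run together; add the period. Since the list of names is partial (it ends in "etc."), "i.e." should be "e.g.". The link target `/docs/reference/commands/istio_ca/index.html` also differs in form from the other links in this patch, which use directory paths such as `/docs/tasks/security/plugin-ca-cert/`; `/docs/reference/commands/istio_ca/` would be consistent and avoids depending on the generated file name.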