diff --git a/multicluster/cmd/link.go b/multicluster/cmd/link.go
index f433ac9b7..8426449ef 100644
--- a/multicluster/cmd/link.go
+++ b/multicluster/cmd/link.go
@@ -31,6 +31,8 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
+const clusterNameLabel = "multicluster.linkerd.io/cluster-name"
+
 type (
 	linkOptions struct {
 		namespace               string
@@ -178,6 +180,25 @@ A full list of configurable values can be found at https://github.com/linkerd/li
 				return err
 			}
 
+			destinationCreds := corev1.Secret{
+				Type:     k8s.MirrorSecretType,
+				TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("cluster-credentials-%s", opts.clusterName),
+					Namespace: controlPlaneNamespace,
+					Labels: map[string]string{
+						clusterNameLabel: opts.clusterName,
+					},
+				},
+				Data: map[string][]byte{
+					k8s.ConfigKeyName: kubeconfig,
+				},
+			}
+			destinationCredsOut, err := yaml.Marshal(destinationCreds)
+			if err != nil {
+				return err
+			}
+
 			gateway, err := k.CoreV1().Services(opts.gatewayNamespace).Get(cmd.Context(), opts.gatewayName, metav1.GetOptions{})
 			if err != nil {
 				return err
@@ -280,6 +301,8 @@ A full list of configurable values can be found at https://github.com/linkerd/li
 
 			stdout.Write(credsOut)
 			stdout.Write([]byte("---\n"))
+			stdout.Write(destinationCredsOut)
+			stdout.Write([]byte("---\n"))
 			stdout.Write(linkOut)
 			stdout.Write([]byte("---\n"))
 			stdout.Write(serviceMirrorOut)
diff --git a/multicluster/cmd/unlink.go b/multicluster/cmd/unlink.go
index e46af19b8..ddf0029f9 100644
--- a/multicluster/cmd/unlink.go
+++ b/multicluster/cmd/unlink.go
@@ -89,6 +89,17 @@ func newUnlinkCommand() *cobra.Command {
 				)
 			}
 
+			selector = fmt.Sprintf("%s=%s", clusterNameLabel, opts.clusterName)
+			destinationCredentials, err := k.CoreV1().Secrets(controlPlaneNamespace).List(cmd.Context(), metav1.ListOptions{LabelSelector: selector})
+			if err != nil {
+				return err
+			}
+			for _, secret := range destinationCredentials.Items {
+				resources = append(resources,
+					resource.NewNamespaced(corev1.SchemeGroupVersion.String(), "Secret", secret.Name, secret.Namespace),
+				)
+			}
+
 			for _, r := range resources {
 				if err := r.RenderResource(stdout); err != nil {
 					log.Errorf("failed to render resource %s: %s", r.Name, err)