diff --git a/content/influxdb/clustered/install/configure-cluster.md b/content/influxdb/clustered/install/configure-cluster.md index 5b8d0bbcd..b3dcf52d1 100644 --- a/content/influxdb/clustered/install/configure-cluster.md +++ b/content/influxdb/clustered/install/configure-cluster.md 
@@ -821,4 +821,57 @@ spec: {{% /code-placeholders %}} +### Provide a custom certificate authority bundle {metadata="Optional"} + +InfluxDB attempts to make TLS connections to the services it depends on; notably +the [Catalog](/influxdb/clustered/reference/internals/storage-engine/#catalog), +and the [Object store](/influxdb/clustered/reference/internals/storage-engine/#object-store). +InfluxDB validates the certificates for all of the connections it makes. + +**If you host these services yourself and you use a private or otherwise not +well-known certificate authority to issue certificates to theses services**, +InfluxDB will not recognize the issuer and will be unable to validate the certificates. +To allow InfluxDB to validate these certificates, provide a PEM certificate +bundle containing your custom certificate authority chain. + +1. Use `kubectl` to create a config map containing your PEM bundle. + Your certificate authority administrator should provide you with a + PEM-formatted certificate bundle file. + + {{% note %}} +This PEM-formatted bundle file is *not* the certificate that InfluxDB uses to +host its own TLS endpoints. This bundle establishes a chain of trust for the +external services that InfluxDB depends on. + {{% /note %}} + + In the example below, `private_ca.pem` is the certificate bundle file. + + ```sh + kubectl --namespace influxdb create configmap custom-ca --from-file=certs.pem=/path/to/private_ca.pem + ``` + + {{% note %}} +It's possible to append multiple certificates into the same bundle. +This can help if you need to include intermediate certificates or explicitly +include leaf certificates. Leaf certificates should be included before any +intermediate certificates they depend on. The root certificate should +be last in the bundle. + {{% /note %}} + +2. Update your `AppInstance` resource in your `myinfluxdb.yml` to refer to your + certificate authority config map. 
Update the `.spec.package.spec.egress` + property to refer to that config map. For example: + + ```yml + spec: + package: + spec: + egress: + customCertificates: + valueFrom: + configMapKeyRef: + key: ca.pem + name: custom-ca + ``` + {{< page-nav prev="/influxdb/clustered/install/auth/" prevText="Set up authentication" next="/influxdb/clustered/install/deploy/" nextText="Deploy your cluster" >}}
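Review bot: The config map key in the `kubectl` example and the key referenced in the `AppInstance` snippet do not match, so a reader following the steps as written gets a cluster that cannot find the bundle. The `kubectl` command creates the key `certs.pem` (`--from-file=certs.pem=/path/to/private_ca.pem`), but the YAML reads `key: ca.pem` under `configMapKeyRef`; pick one name and use it in both places, for example `--from-file=ca.pem=/path/to/private_ca.pem` to match the YAML. Minor: "theses services" should be "these services", and the two consecutive "Update ..." sentences in step 2 can be merged into one.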