diff --git a/doc/source/security/kubernetes/configure-kubernetes-client-access.rst b/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
index 3a6f70917..ff2722336 100644
--- a/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
+++ b/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
@@ -44,6 +44,12 @@ the active controller either through SSH or by using the system console.
         The **oidc-auth** script has the following optional parameters that may
         need to be specified:
 
+        ``--cacert <path to ca cert file>``: The path provides |CA| certificate
+        that validates the server certificate specified by the ``-c`` option.
+        By default, the command reads the value of ``OS_CACERT`` environment
+        variable. If none is specified, the command accesses the server without
+        verifying its certificate.
+
         ``-c <OIDC_app_IP>``: This is the IP where the OIDC app is running. When
         not provided, it defaults to "oamcontroller", that is an alias to the
         controller floating |OAM| IP. There are two instances where this