diff --git a/doc/source/security/kubernetes/security-rest-api-access.rst b/doc/source/security/kubernetes/security-rest-api-access.rst
index 0ed1ade8c..afb43bad6 100644
--- a/doc/source/security/kubernetes/security-rest-api-access.rst
+++ b/doc/source/security/kubernetes/security-rest-api-access.rst
@@ -44,3 +44,13 @@ the following site:
 `https://kubernetes.io/docs/concepts/overview/kubernetes-api/
 <https://kubernetes.io/docs/concepts/overview/kubernetes-api/>`__.
 
+.. note::
+
+    The |prod| REST API/GUI and web server certificate is used by the proxy to
+    access the |prod| REST APIs and Kubernetes API server. The REST API client
+    needs to trust the issuer of this certificate, which is system-local-ca's
+    |RCA| certificate. To retrieve this certificate, use the following command:
+
+    .. code-block:: none
+
+        ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode