diff --git a/docs/using-cf-mysql.md b/docs/using-cf-mysql.md index 0be3d00..510a908 100644 --- a/docs/using-cf-mysql.md +++ b/docs/using-cf-mysql.md @@ -14,6 +14,27 @@ To connect to cf-mysql from an app which has not been deployed to Cloud Foundry, ### Encryption +#### Applications Running on Cloud Foundry + +Most applications, save Java and Spring (see below), can be modified to discover the information necessary to connect to cf-mysql using TLS. When inspecting `VCAP_SERVICES` for username and password, if the additional property, `ca_certificate` is available, your application can connect to cf-mysql using TLS. + +Here's a Node.js example: + +```node +ca_cert = vcap_services["p-mysql"][0]["credentials"]["ca_certificate"] ; +dbClient = mysql.createConnection( { + host : host, + user : user, + password : password, + port : port, + database : database, + ssl : { + ca : ca_cert + }, +} ) ; +``` +Some languages automatically check the operating system's [trust store](https://docs.cloudfoundry.org/devguide/deploy-apps/trusted-system-certificates.html). In those cases, it is not necessary to parse `VCAP_SERVICES` for the CA certificate. + #### Java and Spring Applications To enable apps using the [Java buildpack](https://docs.cloudfoundry.org/buildpacks/java/), you'll need to delete the existing binding and create a new one. This will update the `jdbcUrl` to specify an encrypted connection.
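Review bot: The Node.js sample reads `vcap_services["p-mysql"][0]["credentials"]["ca_certificate"]` unconditionally, while the paragraph just above it says the property is only sometimes present ("if the additional property, `ca_certificate` is available"). A reader who copies the snippet against a binding without the certificate ends up passing `ssl : { ca : ca_cert }` with an undefined `ca`, and the doc does not say what the connection does in that case. Suggest showing the presence check in the sample, building the `ssl` option only when `ca_certificate` exists, and stating whether the app should refuse to connect or proceed when it is missing. Smaller points in the same hunk: `ca_cert` and `dbClient` are assigned without `const` or `let`, the sample never shows how `vcap_services` is obtained from the `VCAP_SERVICES` environment variable, and there is no blank line between the closing fence and the "Some languages automatically check" paragraph.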