diff --git a/docs/operator.md b/docs/operator.md
index 7ae18814..ab3e5f17 100644
--- a/docs/operator.md
+++ b/docs/operator.md
@@ -64,14 +64,6 @@ The [policy used to update images :octicons-link-external-16:](https://kubernet
| ----------- | ---------- |
| :material-code-string: string | `Always` |
-### `tls.certValidityDuration`
-
-The validity duration of the external certificate for cert manager (90 days by default). This value is used only at cluster creation time and can’t be changed for existing clusters.
-
-| Value type | Example |
-| ----------- | ---------- |
-| :material-code-string: string | `2160h` |
-
### `imagePullSecrets.name`
The [Kubernetes ImagePullSecret :octicons-link-external-16:](https://kubernetes.io/docs/concepts/configuration/secret/#using-imagepullsecrets) to access the [custom registry](custom-registry.md#custom-registry).
@@ -160,6 +152,46 @@ The cluster domain to be used as a suffix for [multi-cluster Services](replicati
| ----------- | ---------- |
| :material-code-string: string | `svc.clusterset.local` |
+### TLS (extended cert-manager configuration section)
+
+The `tls` section in the [deploy/cr.yaml :octicons-link-external-16:](https://github.com/percona/percona-server-mongodb-operator/blob/main/deploy/cr.yaml) file contains various configuration options for additional customization of the [Transport Layer Security](TLS.md).
+
+### `tls.certValidityDuration`
+
+The validity duration of the external certificate for cert manager (90 days by default). This value is used only at cluster creation time and can’t be changed for existing clusters.
+
+| Value type | Example |
+| ----------- | ---------- |
+| :material-code-string: string | `2160h` |
+
+### `tls.allowInvalidCertificates`
+
+If enabled, `--tlsAllowInvalidCertificates` MongoDB Shell option will be set to true, [bypassing checks for the certificates presented by the mongod/mongos instance :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/reference/options/#std-option-mongosh.--tlsAllowInvalidCertificates) (`true` by default to allow self-signed certificates generated by the Operator).
+
+| Value type | Example |
+| ----------- | ---------- |
+| :material-toggle-switch-outline: boolean | `true` |
+
+### 'tls.issuerConf.name'
+
+A [cert-manager issuer name :octicons-link-external-16:](https://cert-manager.io/docs/concepts/issuer/).
+
+| Value type | Example |
+| ----------- | ---------- |
+| :material-code-string: string | `special-selfsigned-issuer` |
+
+### 'tls.issuerConf.kind'
+
+A [cert-manager issuer type :octicons-link-external-16:](https://cert-manager.io/docs/configuration/).
+
+### 'tls.issuerConf.group'
+
+A [cert-manager issuer group :octicons-link-external-16:](https://cert-manager.io/docs/configuration/). Should be `cert-manager.io` for built-in cert-manager certificate issuers.
+
+| Value type | Example |
+| ----------- | ---------- |
+| :material-code-string: string | `cert-manager.io` |
+
## Upgrade Options Section
The `upgradeOptions` section in the [deploy/cr.yaml :octicons-link-external-16:](https://github.com/percona/percona-server-mongodb-operator/blob/main/deploy/cr.yaml) file contains various configuration options to control Percona Server for MongoDB upgrades.