diff --git a/docs/spec/v1beta2/helmrepositories.md b/docs/spec/v1beta2/helmrepositories.md index 34ddfe468..506bb02b9 100644 --- a/docs/spec/v1beta2/helmrepositories.md +++ b/docs/spec/v1beta2/helmrepositories.md @@ -452,15 +452,32 @@ flux create secret oci ghcr-auth \ --password=${GITHUB_PAT} ``` -#### TLS authentication +### Cert secret reference **Note:** TLS authentication is not yet supported by OCI Helm repositories. -To provide TLS credentials to use while connecting with the Helm repository, -the referenced Secret is expected to contain `.data.certFile` and -`.data.keyFile`, and/or `.data.caFile` values. +`.spec.certSecretRef.name` is an optional field to sepcify a secret containing TLS +certificate data. The secret can contain the following keys: -For example: +* `certFile` and `keyFile`: The client certificate and private key used for TLS client +authentication. These must be used in conjunction, i.e. specifying one without the other +will lead to an error. +* `caFile`: The CA certificate used to verify the server, which is required if +the server is using a self-signed certificate. + +If the server is using a self-signed certificate AND has TLS client authentication enabled +all three values are required. + +All the files in the secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have +three files; `client.key`, `client.crt` and `ca.crt` for the client private key, client +certificate and the CA certificate respectively, you can generate the required secret using +the `flux creat secret helm` command: + +```bash +flux create secret helm tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt +``` + +Example usage: ```yaml --- @@ -472,7 +489,7 @@ metadata: spec: interval: 5m0s url: https://example.com - secretRef: + certSecretRef: name: example-tls --- apiVersion: v1
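Review bot: The command added in the first hunk (`@@ -452,15 +452,32 @@`) creates a secret named `tls`, while the example that follows it references `name: example-tls`, so the two do not line up for a reader following along. Suggest using the same name in both, e.g. `flux create secret helm example-tls --key-file=client.key --cert-file=client.crt --ca-file=ca.crt`. The added prose in the same hunk has two typos that will reach the rendered docs: `sepcify` should be `specify`, and `flux creat secret helm` should be `flux create secret helm`. The `caFile` bullet says it is required for a self-signed server certificate; consider also covering a certificate issued by a private CA, since that is the same trust problem. Finally, the heading changes level from `####` to `###`, and `[pem-encoding]` is a reference-style link whose definition is not in this hunk; please confirm both are intended and that the link target is defined elsewhere in the file.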
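Review bot: At the `secretRef` to `certSecretRef` change in the second hunk (`@@ -472,7 +489,7 @@`), the docs no longer say what happens to an existing HelmRepository that keeps `certFile`, `keyFile` or `caFile` in the secret referenced by `.spec.secretRef`, which is the setup the removed paragraph described. Suggest adding a sentence that states whether TLS data under `.spec.secretRef` is still accepted, deprecated or ignored, and what takes precedence when both fields are set, so operators upgrading know whether their CA verification and client authentication settings still apply.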