diff --git a/docs/cspell.json b/docs/cspell.json
index 2ddaa56e1657d..9f6451175d5ed 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -73,6 +73,7 @@
  "Goland",
  "Grafana's",
  "Gtczk",
+ "highavailabilitycertmanageraddcommonname",
  "HKEY",
  "HSTS",
  "Hqlo",
@@ -145,6 +146,7 @@
  "Pbbd",
  "Pluggable",
  "Println",
+ "privateca",
  "Quickstart",
  "Quicktime's",
  "REDISCLI",
@@ -184,6 +186,7 @@
  "Tatham",
  "Tele",
  "Templating",
+ "tlsexistingcasecretname",
  "Tmkx",
  "Toboth",
  "Traefik",
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
index e35031fed3946..2070db4e944ef 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
@@ -82,6 +82,9 @@ these options:
 You can use `cert-manager` to provision and automatically renew TLS credentials
 by completing ACME challenges via Let's Encrypt.
 
+You can also use `cert-manager` with AWS Private Certificate Authority (PCA) in EKS using the
+`aws-privateca-issuer` plugin.
+
 This method uses a Kubernetes `LoadBalancer`, which will provision an underlying
 AWS Network Load Balancer (NLB) to handle incoming traffic.
 
@@ -330,6 +333,15 @@ highAvailability:
 podSecurityPolicy:
 enabled: false
 ```
+
+If using an AWS PCA with cert-manager, you will need to
+[ensure you set](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanageraddcommonname)
+`highAvailability.certManager.addCommonName: true` in your values file. You will also need to get the certificate authority
+certificate for the CA (`aws acm-pca get-certificate-authority-certificate --certificate-authority-arn `),
+upload the full certificate chain to a secret, and
+[reference the secret](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)
+with `tls.existingCASecretName` in the values file.
+
 ```yaml
@@ -411,6 +423,15 @@ enterprise: true # Indicate that this is a Tele
 podSecurityPolicy:
 enabled: false
 ```
+
+If using an AWS PCA with cert-manager, you will need to
+[ensure you set](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanageraddcommonname)
+`highAvailability.certManager.addCommonName: true` in your values file. You will also need to get the certificate authority
+certificate for the CA (`aws acm-pca get-certificate-authority-certificate --certificate-authority-arn `),
+upload the full certificate chain to a secret, and
+[reference the secret](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)
+with `tls.existingCASecretName` in the values file.
+
 ```yaml