diff --git a/docs/cspell.json b/docs/cspell.json
index 95b834f41bf89..fbd1157b2602c 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -2,8 +2,6 @@
"version": "0.2",
"language": "en",
"words": [
- "hostnames",
- "attobj",
"AADUSER",
"ABCDEFGHIJKL",
"ADFS",
@@ -75,6 +73,7 @@
"Goland",
"Grafana's",
"Gtczk",
+ "HKEY",
"HSTS",
"Hqlo",
"IAMR",
@@ -160,6 +159,7 @@
"SECURITYADMIN",
"SIEM",
"SIGINT",
+ "SIGQUIT",
"SLAVEOF",
"SLOWLOG",
"SSUBSCRIBE",
@@ -234,6 +234,7 @@
"appuser",
"armv",
"atburke",
+ "attobj",
"attrname",
"auditctl",
"auditctl",
@@ -415,10 +416,12 @@
"healthz",
"highavailability",
"highavailabilitycertmanager",
+ "highavailabilitycertmanageraddcommonname",
"hostcert",
"hostdb",
"hostedzone",
"hostip",
+ "hostnames",
"hostssl",
"hsm-ppzzfxbleki",
"httpout",
@@ -602,6 +605,7 @@
"preconfigured",
"prereqs",
"prioritise",
+ "privateca",
"privkey",
"priya",
"programatically",
@@ -685,6 +689,7 @@
"splunkforwarder",
"sqlcl",
"sqlcmd",
+ "sqlcmd",
"sqlnet",
"sqlserver",
"sshcacerts",
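Review bot: The added `"sqlcmd"` in this hunk sits directly under an existing `"sqlcmd"` context line, so the new side lists the word twice; the later removal of the out-of-order copy only deletes the old one. The same thing happens in the next hunk, where `"subkind"` is added twice but removed once, and the `"auditctl"` pair in the hunk above shows the list already carries such duplicates. A spell-check dictionary presumably tolerates repeated entries, but they make the sorted list harder to scan and will reappear in every future sort pass. Drop the added `"sqlcmd"` line here and one of the two added `"subkind"` lines in the following hunk.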
@@ -696,13 +701,12 @@
"storageenabled",
"strslice",
"structs",
- "subkind",
"subgroups",
+ "subkind",
+ "subkind",
"sudoer",
"syscalls",
"sysvinit",
- "SIGQUIT",
- "sqlcmd",
"tadmin",
"tbot",
"tbotrole",
@@ -726,6 +730,7 @@
"timechart",
"tlscacerts",
"tlscert",
+ "tlsexistingcasecretname",
"tmpfs",
"tocless",
"tokenconfig",
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
index 6b9acbc6137dc..83102ec1f68f4 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
@@ -55,9 +55,13 @@ these options:
#### Using `cert-manager`
You can use `cert-manager` to provision and automatically renew TLS credentials
-by completing ACME challenges via Let's Encrypt. We recommend this approach if
-you require CLI access to web applications using client certificates via
-the Teleport Application Service.
+by completing ACME challenges via Let's Encrypt.
+
+You can also use `cert-manager` with AWS Private Certificate Authority (PCA) in EKS using the
+`aws-privateca-issuer` plugin.
+
+This method uses a Kubernetes `LoadBalancer`, which will provision an underlying AWS Network Load
+Balancer (NLB) to handle incoming traffic.
#### Using AWS Certificate Manager
@@ -300,6 +304,15 @@ highAvailability:
podSecurityPolicy:
enabled: false
```
+
+If using an AWS PCA with cert-manager, you will need to
+[ensure you set](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanageraddcommonname)
+`highAvailability.certManager.addCommonName: true` in your values file. You will also need to get the certificate authority
+certificate for the CA (`aws acm-pca get-certificate-authority-certificate --certificate-authority-arn `),
+upload the full certificate chain to a secret, and
+[reference the secret](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)
+with `tls.existingCASecretName` in the values file.
+
```yaml
@@ -354,6 +367,15 @@ enterprise: true # Indicate that this is a Tele
podSecurityPolicy:
enabled: false
```
+
+If using an AWS PCA with cert-manager, you will need to
+[ensure you set](../../reference/helm-reference/teleport-cluster.mdx#highavailabilitycertmanageraddcommonname)
+`highAvailability.certManager.addCommonName: true` in your values file. You will also need to get the certificate authority
+certificate for the CA (`aws acm-pca get-certificate-authority-certificate --certificate-authority-arn `),
+upload the full certificate chain to a secret, and
+[reference the secret](../../reference/helm-reference/teleport-cluster.mdx#tlsexistingcasecretname)
+with `tls.existingCASecretName` in the values file.
+
```yaml