diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 58fff44ccb..0bb2c9e736 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -418,15 +418,18 @@ type Server_TLSOptions struct { // client side certificate. CaCertificates string `protobuf:"bytes,5,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"` // The credentialName stands for a unique identifier that can be used - // to identify the serverCertificate, the privateKey and the - // CaCertificates associated with this server. Gateway workloads - // capable of fetching credentials from a remote credential store will - // be configured to retrive the credentials using this name, instead of - // using the file system paths specified above. The semantics of the - // name are platform dependent. In Kubernetes, the default Istio - // supplied credentail server expects the credentialName to match the - // name of the Kubernetes secret that holds the server certificate, the - // private key, and the CA certificate (if using mutual TLS). + // to identify the serverCertificate and the privateKey. The credentialName + // appended with suffix "-cacert" is used to identify the CaCertificates + // associated with this server. Gateway workloads capable of fetching + // credentials from a remote credential store will be configured to retrieve + // the serverCertificate and the privateKey using credentialName, instead of + // using the file system paths specified above. If using mutual TLS, + // gateway workloads will retrieve the CaCertificates using + // credentialName-cacert. The semantics of the name are platform dependent. + // In Kubernetes, the default Istio supplied credential server expects the + // credentialName to match the name of the Kubernetes secret that holds the + // server certificate, the private key, and the CA certificate + // (if using mutual TLS). CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. 
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index 4e00c4eadc..bc567376bd 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -305,15 +305,18 @@ message Server {
 string ca_certificates = 5;
 // The credentialName stands for a unique identifier that can be used
- // to identify the serverCertificate, the privateKey and the
- // CaCertificates associated with this server. Gateway workloads
- // capable of fetching credentials from a remote credential store will
- // be configured to retrive the credentials using this name, instead of
- // using the file system paths specified above. The semantics of the
- // name are platform dependent. In Kubernetes, the default Istio
- // supplied credentail server expects the credentialName to match the
- // name of the Kubernetes secret that holds the server certificate, the
- // private key, and the CA certificate (if using mutual TLS).
+ // to identify the serverCertificate and the privateKey. The credentialName
+ // appended with suffix "-cacert" is used to identify the CaCertificates
+ // associated with this server. Gateway workloads capable of fetching
+ // credentials from a remote credential store will be configured to retrieve
+ // the serverCertificate and the privateKey using credentialName, instead of
+ // using the file system paths specified above. If using mutual TLS,
+ // gateway workloads will retrieve the CaCertificates using
+ // credentialName-cacert. The semantics of the name are platform dependent.
+ // In Kubernetes, the default Istio supplied credential server expects the
+ // credentialName to match the name of the Kubernetes secret that holds the
+ // server certificate, the private key, and the CA certificate
+ // (if using mutual TLS).
 string credential_name = 10;
 // A list of alternate names to verify the subject identity in the
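Review bot: The rewritten comment on credential_name contradicts itself on where the CA certificate comes from: the new sentences say gateway workloads retrieve the CaCertificates under `credentialName-cacert`, yet the closing Kubernetes sentence still says the single secret named credentialName "holds the server certificate, the private key, and the CA certificate (if using mutual TLS)". If the `-cacert` suffix applies on Kubernetes as well, the last two lines should read something like `// server certificate and the private key, and a second secret named` / `// credentialName-cacert to hold the CA certificate (if using mutual TLS).` The comment also leaves unstated what a gateway does under mutual TLS when no `credentialName-cacert` credential exists, which is the detail an operator needs to know whether client-certificate verification fails closed or the server never comes up; a sentence spelling out the expected behavior would remove that ambiguity. The same text appears in the regenerated gateway.pb.go and istio.networking.v1alpha3.pb.html hunks, which should be regenerated from the corrected proto rather than edited by hand.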
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index 5f32305833..8fb3574c83 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -2961,15 +2961,18 @@
stringThe credentialName stands for a unique identifier that can be used -to identify the serverCertificate, the privateKey and the -CaCertificates associated with this server. Gateway workloads -capable of fetching credentials from a remote credential store will -be configured to retrive the credentials using this name, instead of -using the file system paths specified above. The semantics of the -name are platform dependent. In Kubernetes, the default Istio -supplied credentail server expects the credentialName to match the -name of the Kubernetes secret that holds the server certificate, the -private key, and the CA certificate (if using mutual TLS).
+to identify the serverCertificate and the privateKey. The credentialName +appended with suffix “-cacert” is used to identify the CaCertificates +associated with this server. Gateway workloads capable of fetching +credentials from a remote credential store will be configured to retrieve +the serverCertificate and the privateKey using credentialName, instead of +using the file system paths specified above. If using mutual TLS, +gateway workloads will retrieve the CaCertificates using +credentialName-cacert. The semantics of the name are platform dependent. +In Kubernetes, the default Istio supplied credential server expects the +credentialName to match the name of the Kubernetes secret that holds the +server certificate, the private key, and the CA certificate +(if using mutual TLS).