diff --git a/website/content/docs/k8s/operations/certificate-rotation.mdx b/website/content/docs/k8s/operations/certificate-rotation.mdx
new file mode 100644
index 0000000000..97067ac7f0
--- /dev/null
+++ b/website/content/docs/k8s/operations/certificate-rotation.mdx
@@ -0,0 +1,28 @@
+---
+layout: docs
+page_title: Certificate Rotation
+sidebar_title: Certificate Rotation
+description: Rotate Certificate on Kubernetes Cluster safely
+---
+
+# Rotating Server Certificates
+
+As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server
+are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will
+continue to work as expected in the existing cluster.
+
+Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. In order to ensure the
+servers use the newer certificate, the server pods need to be [restarted explicitly](/docs/k8s/operations/upgrade#upgrading-consul-servers) in
+a situation where `helm upgrade` does not restart the server pods.
+
+To explicitly perform server certificate rotation, follow these steps:
+
+1. Perform a `helm upgrade`:
+
+ ```shell-session
+ helm upgrade consul hashicorp/consul -f /path/to/my/values.yaml
+ ```
+
+ This should run the `tls-init` job that will generate new Server certificates.
+
+1. Restart the Server pods following the steps [here](/docs/k8s/operations/upgrade#upgrading-consul-servers).
diff --git a/website/data/docs-navigation.js b/website/data/docs-navigation.js
index aa62884b1e..d1ddc54fcb 100644
--- a/website/data/docs-navigation.js
+++ b/website/data/docs-navigation.js
@@ -193,7 +193,7 @@ export default [
 {
 category: 'operations',
 name: 'Operations',
- content: ['uninstall', 'tls-on-existing-cluster'],
+ content: ['uninstall', 'certificate-rotation', 'tls-on-existing-cluster'],
 },
 {
 name: 'Troubleshoot',