diff --git a/docs/service-mesh/ca/README.md b/docs/service-mesh/ca/README.md
index 7a12921772..a9c7aaa4db 100644
--- a/docs/service-mesh/ca/README.md
+++ b/docs/service-mesh/ca/README.md
@@ -7,8 +7,14 @@ services and client agents (via auto-encrypt and auto-config).
### High level overview
-- we can start with the mind map
-- high level explaination of what are the features that are involved in CA (mesh/connect, auto encrypt)
+In Consul the leader is responsible for handling of the CA management.
+When a leader election happen, and the elected leader do not have any root CA available it will start a process of creating a set of CA certificate.
+Those certificates will use to authenticate/encrypt communication between services (service mesh) or between `Consul client agent` (auto-encrypt/auto-config). This process is described in the following diagram:
+![CA creation](./hl-ca-overview.svg)
+
+[source](./hl-ca-overview.mmd)
+
+- high level explanation of what are the features that are involved in CA (mesh/connect, auto encrypt)
- add all the func that are involved in the CA operations
- relationship between the different certs
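Review bot: The three added prose lines under "High level overview" have agreement errors and a missing verb that blur the description of CA bootstrap: "When a leader election happen", "the elected leader do not have any root CA", and "Those certificates will use to authenticate/encrypt". Suggested wording: "When a leader election happens and the elected leader does not have a root CA available, it starts creating a set of CA certificates" and "Those certificates are used to authenticate/encrypt communication ...". The text also covers only the leader creating a root CA, while the linked diagram has a secondary DC whose leader obtains an intermediate CA; one sentence on that path would keep the prose and the diagram in step. The backticks around "Consul client agent" mark ordinary prose as code and can be dropped.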
diff --git a/docs/service-mesh/ca/hl-ca-overview.mmd b/docs/service-mesh/ca/hl-ca-overview.mmd
new file mode 100644
index 0000000000..952f64b98f
--- /dev/null
+++ b/docs/service-mesh/ca/hl-ca-overview.mmd
@@ -0,0 +1,43 @@
+graph TD
+ subgraph "Primary DC"
+ leaderP["Leader"]
+ rootCAI["Root CA "]
+ rootCA["Root CA "]
+ Provider["Consul/AWS providers"]
+ IntermediateProvider["Vault provider"]
+ intermediateCAP["Intermediate CA "]
+ leafP["Leaf certificates"]
+ end
+
+ subgraph "Secondary DC"
+ leaderS["Leader"]
+ intermediateCAS["Intermediate CA"]
+ leafS["Leaf certificates"]
+ ProviderS["Consul/AWS/Vault providers"]
+ end
+
+ consulCAS["Consul client Agents"]
+ servicesS["Mesh services"]
+
+ consulCAP["Consul client Agents"]
+ servicesP["Mesh services"]
+
+ leaderP -->|use|Provider
+ leaderP-->|use|IntermediateProvider
+ Provider--> |fetch/self sign|rootCA
+ IntermediateProvider --> |fetch/self sign|rootCAI
+ rootCAI -->|sign| intermediateCAP
+ intermediateCAP -->|sign| leafP
+ rootCA -->|sign| leafP
+
+ leaderS -->|use| ProviderS
+ ProviderS --> |generate csr| intermediateCAS
+ rootCA -->|sign| intermediateCAS
+ rootCAI -->|sign| intermediateCAS
+ intermediateCAS --> |sign| leafS
+
+ leafS -->|auth/encrypt| servicesS
+ leafS -->|auth/encrypt| consulCAS
+ leafP -->|auth/encrypt| servicesP
+ leafP -->|auth/encrypt| consulCAP
+
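Review bot: `rootCAI` and `rootCA` in the "Primary DC" subgraph both carry the label "Root CA " (with a trailing space), so the rendered diagram shows two identical boxes and a reader cannot tell which root comes from "Vault provider" and which from "Consul/AWS providers". Give them distinct labels that name the provider feeding each one. Both roots also have a `sign` edge into `intermediateCAS`, and `rootCA` signs `leafP` directly while `rootCAI` goes through `intermediateCAP`; if these are alternative trust chains selected by the configured provider, say so in an edge label or a note, otherwise the diagram reads as one secondary intermediate signed by two roots at the same time. Edge spacing is inconsistent as well (`leaderP-->|use|IntermediateProvider` against `leaderP -->|use|Provider` and `Provider--> |fetch/self sign|rootCA`); pick one form.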
diff --git a/docs/service-mesh/ca/hl-ca-overview.svg b/docs/service-mesh/ca/hl-ca-overview.svg
new file mode 100644
index 0000000000..76a6166245
--- /dev/null
+++ b/docs/service-mesh/ca/hl-ca-overview.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
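Review bot: The single added line of `hl-ca-overview.svg` is empty as shown here, and the README hunk embeds this file with `![CA creation](./hl-ca-overview.svg)`, so please confirm the committed file contains the rendered diagram and not an empty document. The file also ends without a trailing newline. Since the SVG is generated from `hl-ca-overview.mmd`, a line in the README on how to regenerate it would keep the two files from drifting apart.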