diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 5020063a7..468988c46 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx @@ -31,7 +31,7 @@ kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | base64 -D > consul-agent-ca.pem ``` -and the certificate authority signing key: +2. The certificate authority signing key: ```sh kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | @@ -47,7 +47,7 @@ You can use the `consul tls` commands to generate those certificates: ```sh # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current # directory. -$ consul tls cert create -server -dc=vm-dc +$ consul tls cert create -server -dc=vm-dc -node ==> WARNING: Server Certificates grants authority to become a server and access all state in the cluster including root keys and all ACL tokens. Do not distribute them to production hosts @@ -57,6 +57,8 @@ $ consul tls cert create -server -dc=vm-dc ==> Saved vm-dc-server-consul-0-key.pem ``` +-> Note the `node` option in the above command. This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, use `-node "*"` instead. + See the help for output of `consul tls cert create -h` to see more options for generating server certificates.
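Review bot: In the hunk at `@@ -31,7 +31,7 @@`, the new `2. The certificate authority signing key:` item has no matching `1.` item visible in this change. Please confirm the preceding step that writes `consul-agent-ca.pem` was also converted to a list item, otherwise the page renders a list that starts at 2. The fenced `sh` block that follows the item also needs to be indented under it to stay part of the list. Separately, the context line uses `base64 -D`, which is the macOS spelling; GNU coreutils uses `-d`, so it is worth mentioning both for readers on Linux.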
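Review bot: In the hunk at `@@ -47,7 +47,7 @@`, the changed command `$ consul tls cert create -server -dc=vm-dc -node` passes `-node` with no value, while the note added later in this patch shows the flag taking one (`-node "*"`). The example is incomplete as written; suggest a placeholder such as `-node <node-name>` plus a short statement of what that name has to match. The sample output below the command is unchanged by this hunk, so please check that the `Saved ...` lines still match what the command prints once `-node` is set.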
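Review bot: In the hunk at `@@ -57,6 +57,8 @@`, the added note offers `-node "*"` for reusing one certificate and key pair on all server nodes without stating the trade-off. The warning printed by the command just above says server certificates grant access to all state in the cluster, so a shared key pair means the key stolen from one server is valid for every server. Suggest presenting per-node certificates as the default and the wildcard as a convenience with that cost spelled out. Two smaller points on the same line: write the flag as `-node` rather than `node` so it matches the command, and use a site-relative link (`/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls`) instead of the absolute `https://www.consul.io/...` URL, since this file lives in the same docs tree.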