diff --git a/extensions/fleet/README.md b/extensions/fleet/README.md index bd8efded7..0a4cc26c2 100644 --- a/extensions/fleet/README.md +++ b/extensions/fleet/README.md @@ -17,6 +17,25 @@ The Fleet Server exposes the TCP port `8220` for Agent to Server communications. ## Usage +### CA Certificate Fingerprint + +Before starting Fleet Server, take note of the CA certificate's SHA256 fingerprint printed by the `docker compose up +tls` command (it is safe to run it multiple times), and use it as the value of the commented `ca_trusted_fingerprint` +setting inside the [`kibana/config/kibana.yml`][config-kbn] file. + +The fingerprint appears on a line similar to the one below, in the output of the aforementioned command: + +```none +⠿ SHA256 fingerprint: 846637d1bb82209640d31b79869a370c8e47c2dc15c7eafd4f3d615e51e3d503 +``` + +This fingerprint is required for Fleet Server (and other Elastic Agents) to be able to verify the authenticity of the CA +certificate presented by Elasticsearch during TLS handshakes. + +Restart Kibana with `docker compose restart kibana` if it is already running. + +### Startup + To include Fleet Server in the stack, run Docker Compose from the root of the repository with an additional command line argument referencing the `fleet-compose.yml` file:
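Review bot: In the new "CA Certificate Fingerprint" section, the step that says to use the fingerprint "as the value of the commented `ca_trusted_fingerprint` setting" never tells the reader to uncomment that setting, so a reader who only pastes the value leaves it commented out. Suggest wording along the lines of "uncomment the `ca_trusted_fingerprint` setting inside `kibana/config/kibana.yml` and set it to this value". The sample output line shows a realistic 64-character hash. State next to it that the value is specific to each generated CA certificate and must be copied from the reader's own `docker compose up tls` output, so that the example value is not pasted into `kibana.yml` as-is. Also confirm that the `[config-kbn]` link reference is defined elsewhere in the README, since its definition is not part of this hunk.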