diff --git a/authentication/certificate-types-descriptions.adoc b/authentication/certificate-types-descriptions.adoc index 7f4c9ba85a..19fbe65990 100644 --- a/authentication/certificate-types-descriptions.adoc +++ b/authentication/certificate-types-descriptions.adoc 
@@ -63,6 +63,42 @@ to serve as a placeholder until you configure a custom default certificate. Do not use Operator-generated default certificates in production clusters. ==== +[discrete] +== Workflow + +.Custom certificate workflow + +image::custom_4.5.png[custom ingress certificate workflow] + + +.Default certificate workflow + +image::default_4.5.png[default ingress certificate workflow] + +image:darkcircle-0.png[20,20] An empty `defaultCertificate` field causes the Ingress Operator to use its self-signed CA to generate a serving certificate for the specified domain. + +image:darkcircle-1.png[20,20] The default CA certificate and key generated by the Ingress Operator. Used to sign Operator-generated default serving certificates. + +image:darkcircle-2.png[20,20] In the default workflow, the wildcard default serving certificate, created by the Ingress Operator and signed using the generated default CA certificate. In the custom workflow, this is the user-provided certificate. + +image:darkcircle-3.png[20,20] The router deployment. Uses the certificate in `secrets/router-certs-default` as its default front-end server certificate. + +image:darkcircle-4.png[20,20] In the default workflow, the contents of the wildcard default serving certificate (public and private parts) are copied here to enable OAuth integration. In the custom workflow, this is the user-provided certificate. + +image:darkcircle-5.png[20,20] The public (certificate) part of the default serving certificate. Replaces the `configmaps/router-ca` resource. + +image:darkcircle-6.png[20,20] The user updates the cluster proxy configuration with the CA certificate that signed the `ingresscontroller` serving certificate. This enables components like `auth`, `console`, and the registry to trust the serving certificate. 
+ +image:darkcircle-7.png[20,20] The cluster-wide trusted CA bundle containing the combined {op-system-first} and user-provided CA bundles or an {op-system}-only bundle if a user bundle is not provided. + +image:darkcircle-8.png[20,20] The custom CA certificate bundle, which instructs other components (for example, `auth` and `console`) to trust an `ingresscontroller` configured with a custom certificate. + +image:darkcircle-9.png[20,20] The `trustedCA` field is used to reference the user-provided CA bundle. + +image:darkcircle-10.png[20,20] The Cluster Network Operator injects the trusted CA bundle into the `proxy-ca` ConfigMap. + +image:darkcircle-11.png[20,20] {product-title} {product-version} and newer use `default-ingress-cert`. + [discrete] == Expiration diff --git a/images/custom_4.5.png b/images/custom_4.5.png new file mode 100644 index 0000000000..7a8d1607d2 Binary files /dev/null and b/images/custom_4.5.png differ diff --git a/images/darkcircle-11.png b/images/darkcircle-11.png new file mode 100644 index 0000000000..9bdcfea71d Binary files /dev/null and b/images/darkcircle-11.png differ diff --git a/images/darkcircle-12.png b/images/darkcircle-12.png new file mode 100644 index 0000000000..303bcd41f5 Binary files /dev/null and b/images/darkcircle-12.png differ diff --git a/images/default_4.5.png b/images/default_4.5.png new file mode 100644 index 0000000000..9aa577d339 Binary files /dev/null and b/images/default_4.5.png differ
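Review bot: `images/darkcircle-12.png` is added as a new binary file, but the new Workflow section in `certificate-types-descriptions.adoc` only references callouts `darkcircle-0.png` through `darkcircle-11.png`, so either the image is unused and should be dropped from the change or a twelfth callout description is missing from the list. Two smaller points in the same hunk: the last callout, `{product-title} {product-version} and newer use `default-ingress-cert`.`, does not say what kind of resource `default-ingress-cert` is or which namespace it lives in, while callout 5 names the replaced resource as `configmaps/router-ca`; stating the resource kind and namespace the same way (and tying the two callouts together, since callout 5 describes the object that replaces `router-ca`) would make the diagram legend self-contained. Also, the callout list mixes entries that apply to both diagrams with entries that apply only to the custom workflow (callouts 6, 8 and 9 concern the user-provided CA bundle and `trustedCA`), so marking each entry with the workflow it belongs to, as callouts 2 and 4 already do, would avoid readers of the default diagram looking for steps that do not apply to them.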