diff --git a/_data/tasks.yml b/_data/tasks.yml index 8e15884c450e5..b880465dbbdb7 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -110,6 +110,7 @@ toc: - title: TLS section: - docs/tasks/tls/managing-tls-in-a-cluster.md + - docs/tasks/tls/certificate-rotation.md - title: Administer a Cluster section: @@ -128,7 +129,6 @@ toc: - docs/tasks/administer-cluster/access-cluster-services.md - docs/tasks/administer-cluster/securing-a-cluster.md - docs/tasks/administer-cluster/encrypt-data.md - - docs/tasks/administer-cluster/certificate-rotation.md - docs/tasks/administer-cluster/configure-upgrade-etcd.md - docs/tasks/administer-cluster/static-pod.md - docs/tasks/administer-cluster/cluster-management.md diff --git a/docs/tasks/administer-cluster/securing-a-cluster.md b/docs/tasks/administer-cluster/securing-a-cluster.md index 31e30c666909a..b967a01138089 100644 --- a/docs/tasks/administer-cluster/securing-a-cluster.md +++ b/docs/tasks/administer-cluster/securing-a-cluster.md @@ -195,17 +195,6 @@ parties that gain access to your etcd backups from viewing the content of those this feature is currently experimental, it may offer an additional level of defense when backups are not encrypted or an attacker gains read access to etcd. -### Kubelet Certificate Rotation - -The kubelet uses certificates for authenticating to the Kubernetes API. -Normally, these certificates are issued with a long expiry date, such that -normally they do not need to be renewed. - -Kubernetes 1.8 contains [kubelet certificate -rotation](/docs/tasks/administer-cluster/certificate-rotation/), a beta feature -that will automatically generate a new key and request a new certificate from -the Kubernetes API to use for authenticating connections. - ### Receiving alerts for security updates and reporting vulnerabilities Join the [kubernetes-announce](https://groups.google.com/forum/#!forum/kubernetes-announce) 
diff --git a/docs/tasks/administer-cluster/certificate-rotation.md b/docs/tasks/tls/certificate-rotation.md similarity index 84% rename from docs/tasks/administer-cluster/certificate-rotation.md rename to docs/tasks/tls/certificate-rotation.md index 7875b97a31e2b..f0fe98942dcde 100644 --- a/docs/tasks/administer-cluster/certificate-rotation.md +++ b/docs/tasks/tls/certificate-rotation.md @@ -1,6 +1,7 @@ --- approvers: -- smarterclayton +- jcbsmpsn +- mikedanese title: Certificate rotation --- @@ -20,6 +21,17 @@ This page shows how to enable and configure certificate rotation for the kubelet {% capture steps %} +## Overview + +The kubelet uses certificates for authenticating to the Kubernetes API. +Normally, these certificates are issued with a long expiry date, such that +normally they do not need to be renewed. + +Kubernetes 1.8 contains [kubelet certificate +rotation](/docs/tasks/administer-cluster/certificate-rotation/), a beta feature +that will automatically generate a new key and request a new certificate from +the Kubernetes API to use for authenticating connections. + ## Configuration and determining whether certificate rotation is already enabled The `kubelet` process accepts an argument `--rotate-certificates` that controls
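Review bot: In docs/tasks/administer-cluster/securing-a-cluster.md, the hunk at -195,17 deletes the whole "Kubelet Certificate Rotation" subsection, so the cluster-hardening page no longer mentions credential rotation at all. Rather than removing it outright, consider leaving a one or two sentence pointer under that heading that links to the relocated docs/tasks/tls/certificate-rotation.md page, so readers working through the security guidance still find the feature.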
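Review bot: In the new "## Overview" section of docs/tasks/tls/certificate-rotation.md, the link target is still `/docs/tasks/administer-cluster/certificate-rotation/`, which is the path this same patch renames away from, and the link now sits on the very page it describes. Either drop the link and keep the plain text "kubelet certificate rotation", or point it at the page's new location under docs/tasks/tls/. The visible diff also adds no redirect for the old path, so existing inbound links to it would need one. As a style point, the moved sentence reads "Normally, these certificates are issued with a long expiry date, such that normally they do not need to be renewed"; since the text is being relocated anyway, remove the second "normally".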