diff --git a/docs/reference/setup/install/security-files-reference.asciidoc b/docs/reference/setup/install/security-files-reference.asciidoc
index 5a5c06b8de889..a1d0bb2ac2ff6 100644
--- a/docs/reference/setup/install/security-files-reference.asciidoc
+++ b/docs/reference/setup/install/security-files-reference.asciidoc
@@ -16,3 +16,21 @@ Keystore that contains the key and certificate for the HTTP layer for this node.
 `transport.p12`::
 Keystore that contains the key and certificate for the transport layer for all
 the nodes in your cluster.
+
+`http.p12` and `transport.p12` are password-protected PKCS#12 keystores. {es}
+stores the passwords for these keystores as  <<secure-settings,secure
+settings>>. To retrieve the passwords so that you can inspect or change the
+keystore contents, use the
+<<elasticsearch-keystore,`bin/elasticsearch-keystore`>> tool.
+
+Use the following command to retrieve the password for `http.p12`:
+[source,sh]
+-------------------------
+bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
+-------------------------
+
+Use the following command to retrieve the password for `transport.p12`:
+[source,sh]
+-------------------------
+bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
+-------------------------