diff --git a/CLAUDE.md b/CLAUDE.md index b54a3f1..3a03253 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -38,7 +38,7 @@ Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. Th **portal/** — Tenant admin portal (org-scoped) - `TenantPortalService.java` — customer-facing: dashboard (health from server), license, SSO connectors, team, settings, server restart -- `TenantPortalController.java` — REST at `/api/tenant/*` (org-scoped) +- `TenantPortalController.java` — REST at `/api/tenant/*` (org-scoped, includes CA cert management at `/api/tenant/ca`) **provisioning/** — Pluggable tenant provisioning - `TenantProvisioner.java` — pluggable interface (like server's RuntimeOrchestrator) @@ -54,6 +54,9 @@ Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. Th - `CertificateController.java` — REST at `/api/vendor/certificates` (platform:admin required) - `CertificateEntity.java` — JPA entity (status: ACTIVE/STAGED/ARCHIVED, subject, fingerprint, etc.) - `CertificateStartupListener.java` — seeds DB from filesystem on boot (for bootstrap-generated certs) +- `TenantCaCertEntity.java` — JPA entity for per-tenant CA certs (PEM stored in DB, multiple per tenant) +- `TenantCaCertRepository.java` — queries by tenant, status, all active across tenants +- `TenantCaCertService.java` — stage/activate/delete tenant CAs, rebuilds aggregated `ca.pem` on changes **license/** — License management - `LicenseEntity.java` — JPA entity (id, tenant_id, tier, features JSONB, limits JSONB, expires_at) @@ -280,6 +283,7 @@ PostgreSQL (Flyway): `src/main/resources/db/migration/` - V010 — cleanup of migrated tables - V011 — add provisioning fields (server_endpoint, provision_error) - V012 — certificates table + tenants.ca_applied_at +- V013 — tenant_ca_certs (per-tenant CA certificates with PEM storage) ## Related Conventions diff --git a/HOWTO.md b/HOWTO.md index 6d8d7a4..4b63546 100644 --- a/HOWTO.md +++ b/HOWTO.md 
@@ -341,6 +341,10 @@ Query params: `since`, `until` (ISO timestamps), `limit` (default 500), `stream` | GET | `/api/tenant/settings` | Tenant settings | | GET | `/api/tenant/sso` | List SSO connectors | | POST | `/api/tenant/sso` | Create SSO connector | +| GET | `/api/tenant/ca` | List tenant CA certificates | +| POST | `/api/tenant/ca` | Upload CA cert (staged) | +| POST | `/api/tenant/ca/{id}/activate` | Activate staged CA cert | +| DELETE | `/api/tenant/ca/{id}` | Remove CA cert | | GET | `/api/tenant/audit` | Tenant audit log | ### Health
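Review bot: the `TenantCaCertService.java` entry in the second CLAUDE.md hunk says it "rebuilds aggregated `ca.pem` on changes" and the repository entry lists a query for "all active across tenants", but neither line says whether that aggregated file is shared by every tenant's agents or scoped per tenant; since a CA that one tenant activates would then be trusted across the platform, the doc line should state the scope explicitly, e.g. "rebuilds the platform-wide aggregated `ca.pem` (all tenants' ACTIVE CAs)" or "rebuilds the per-tenant `ca.pem`", and should name what is validated on stage (PEM parses, `CA:TRUE` basic constraint, not expired) before an upload can be activated.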
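Review bot: the four new `/api/tenant/ca` rows in the HOWTO.md hunk do not say which tenant role may call them, whereas the existing vendor entry documents "platform:admin required"; activating or removing a CA changes what the server trusts, so the rows for `POST /api/tenant/ca/{id}/activate` and `DELETE /api/tenant/ca/{id}` should name the required role, and the `DELETE` row should state whether an ACTIVE cert can be removed or only a STAGED one (and whether removal triggers the `ca.pem` rebuild described in CLAUDE.md). The `POST /api/tenant/ca` row should also document the expected body (PEM text vs. file upload) and any size limit.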