diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 2b410a8..883f0f2 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -17,7 +17,7 @@ services: VAULT_CREATE_ROOT: true VAULT_ROOT_CA_MOUNT: pki VAULT_ROOT_CA_REF: root-ca - VAULT_SSL_CERT: cert/vault.pem + # VAULT_SSL_CERT: cert/vault.pem JWT_SIGNING_KEY: jwt_secret APP_REGISTRY_ADDR: http://app_registry:8800 APP_REGISTRY_TOKEN: app_reg_token diff --git a/README.md b/README.md index 35d78b8..df5dcc9 100644 --- a/README.md +++ b/README.md @@ -70,3 +70,22 @@ environment variables with the same names (but UPPER_CASE). Environment vars will override any values in the config file. Per-environment settings in the config file(development, test, production) will override the shared values for that type. + +## mTLS connections +Astral can connect to Vault with client and server SSL certificates. Just +set the following values in `config/astral.yml`: +``` + vault_ssl_cert: + vault_ssl_client_cert: + vault_ssl_client_key: +``` +A self-signed server cert for Vault can be generated with the following +command: +``` +rake configure:ssl +``` + +To use in the devcontainer, edit `.devcontainer/docker-compose.yml` so +that the `app` service has `VAULT_ADDRESS` of `https://vault:8200` and +the `VAULT_SSL_CERT` value us uncommented. The `vault` service needs +`tls_disable` set to `0`.
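Review bot: in the `.devcontainer/docker-compose.yml` hunk, commenting out `VAULT_SSL_CERT` makes plaintext the devcontainer default, and the README text added in the same change then expects the reader to uncomment it, switch `VAULT_ADDRESS` to `https://vault:8200`, and set `tls_disable` to `0` on the `vault` service; none of those other settings appear in this hunk, so toggling this one line alone gives a half-configured setup (a cert path with an http address, or an https address with no cert). Suggest keeping the three settings together as one commented-out block, or at least a pointer on the disabled line, e.g. `# VAULT_SSL_CERT: cert/vault.pem  # see README "mTLS connections"; also set VAULT_ADDRESS to https and tls_disable: 0 on vault`, so that enabling TLS in the devcontainer is a single, obvious edit.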
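Review bot: in the `README.md` hunk, the last paragraph has a typo, `the VAULT_SSL_CERT value us uncommented` should read `is uncommented`. More importantly, the new section is headed "mTLS connections" and lists `vault_ssl_client_cert` and `vault_ssl_client_key`, but the only generation step it documents is `rake configure:ssl`, which the text describes as producing a self-signed server cert for Vault. It does not say where the client certificate and key come from, what the three `vault_ssl_*` values should contain (file paths, presumably, given `cert/vault.pem` in docker-compose), or how the Vault listener is configured to trust and require the client certificate; `tls_disable` set to `0` alone only turns on server-side TLS. Suggest documenting the client-side material and the corresponding Vault listener settings next to `tls_disable`, and noting that a self-signed server cert still has to be trusted by the client via `vault_ssl_cert`, otherwise readers will end up with one-way TLS while believing they have mTLS.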