diff --git a/api/v1alpha1/dragonfly_types.go b/api/v1alpha1/dragonfly_types.go
index 9a35e1c..edd25c2 100644
--- a/api/v1alpha1/dragonfly_types.go
+++ b/api/v1alpha1/dragonfly_types.go
@@ -108,10 +108,9 @@ type Authentication struct {
 PasswordFromSecret *corev1.SecretKeySelector `json:"passwordFromSecret,omitempty"`
 
 // (Optional) If specified, the Dragonfly instance will check if the
- // client certificate is signed by one of this CA. Server TLS must be enabled for this.
- // Multiple CAs can be specified with various key names.
+ // client certificate is signed by this CA. Server TLS must be enabled for this.
 // +optional
- ClientCaCertSecret *corev1.SecretReference `json:"clientCaCertSecret,omitempty"`
+ ClientCaCertSecret *corev1.SecretKeySelector `json:"clientCaCertSecret,omitempty"`
 }
 
 // DragonflyStatus defines the observed state of Dragonfly
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index d144a90..ea188a6 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -36,8 +36,8 @@ func (in *Authentication) DeepCopyInto(out *Authentication) {
 }
 if in.ClientCaCertSecret != nil {
 in, out := &in.ClientCaCertSecret, &out.ClientCaCertSecret
- *out = new(v1.SecretReference)
- **out = **in
+ *out = new(v1.SecretKeySelector)
+ (*in).DeepCopyInto(*out)
 }
 }
 
diff --git a/config/crd/bases/dragonflydb.io_dragonflies.yaml b/config/crd/bases/dragonflydb.io_dragonflies.yaml
index cb4937f..3cd60ac 100644
--- a/config/crd/bases/dragonflydb.io_dragonflies.yaml
+++ b/config/crd/bases/dragonflydb.io_dragonflies.yaml
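Review bot: Changing `ClientCaCertSecret` from `*corev1.SecretReference` to `*corev1.SecretKeySelector` drops the `namespace` field and, through the regenerated schema, makes `key` required, so existing v1alpha1 objects that set `clientCaCertSecret` without a `key` will fail validation on their next update even though the API version is unchanged. The shortened field comment should record this and say what the key must hold, for example `// ClientCaCertSecret selects the Secret key that holds the CA certificate used to verify client certificates. The Secret is read from the Dragonfly object's namespace; the former namespace field is no longer accepted.` (the same-namespace part is inferred from how Secret volumes work and should be confirmed against the controller). A migration note alongside the change would spare operators a surprise when a previously valid `namespace` is pruned or rejected, depending on the API server's unknown-field handling.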
@@ -879,18 +879,23 @@ spec: properties: clientCaCertSecret: description: (Optional) If specified, the Dragonfly instance will - check if the client certificate is signed by one of this CA. - Server TLS must be enabled for this. Multiple CAs can be specified - with various key names. + check if the client certificate is signed by this CA. Server + TLS must be enabled for this. properties: - name: - description: name is unique within a namespace to reference - a secret resource. + key: + description: The key of the secret to select from. Must be + a valid secret key. type: string - namespace: - description: namespace defines the space within which the - secret name must be unique. + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key type: object x-kubernetes-map-type: atomic passwordFromSecret:
diff --git a/internal/resources/resources.go b/internal/resources/resources.go
index f75e98e..3f13598 100644
--- a/internal/resources/resources.go
+++ b/internal/resources/resources.go
@@ -34,7 +34,7 @@ var (
 
 const (
 TlsPath = "/etc/dragonfly-tls"
- TLSCACertDirArg = "--tls_ca_cert_dir"
+ TLSCACertDirArg = "--tls_ca_cert_file"
 TLSCACertDir = "/etc/dragonfly/client-ca-cert"
 TLSCACertVolumeName = "client-ca-cert"
 )
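Review bot: `TLSCACertDirArg` now holds `--tls_ca_cert_file`, so the constant's name contradicts its value, and `TLSCACertDir` still names only the mount directory that the flag no longer points at directly. Because the constant is exported, rename it with a deprecated alias instead of in place: `TLSCACertFileArg = "--tls_ca_cert_file"`, then `// Deprecated: use TLSCACertFileArg; the flag takes a file, not a directory.` and `TLSCACertDirArg = TLSCACertFileArg`. Adding a constant for the mounted file name in this block, e.g. `TLSCACertFileName = "ca.crt"`, would give the later hunks in this file one definition to agree on for the path.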
@@ -251,12 +251,18 @@ func GetDragonflyResources(ctx context.Context, df *resourcesv1.Dragonfly) ([]cl
 }
 
 if df.Spec.Authentication.ClientCaCertSecret != nil {
- // mount the secret as a volume
+ // mount the secrets as a volume
 statefulset.Spec.Template.Spec.Volumes = append(statefulset.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: TLSCACertVolumeName,
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
 SecretName: df.Spec.Authentication.ClientCaCertSecret.Name,
+ Items: []corev1.KeyToPath{
+ {
+ Key: df.Spec.Authentication.ClientCaCertSecret.Key,
+ Path: "ca.crt",
+ },
+ },
 },
 },
 })
@@ -268,8 +274,7 @@ func GetDragonflyResources(ctx context.Context, df *resourcesv1.Dragonfly) ([]cl }) // pass it as an arg - statefulset.Spec.Template.Spec.Containers[0].Args = append(statefulset.Spec.Template.Spec.Containers[0].Args, fmt.Sprintf("%s=%s", TLSCACertDirArg, TLSCACertDir)) - statefulset.Spec.Template.Spec.Containers[0].Args = append(statefulset.Spec.Template.Spec.Containers[0].Args, fmt.Sprintf("%s=%s/ca.crt", TLSCACertDirArg, TLSCACertDir)) } }
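Review bot: The selector's `Optional` field, which the regenerated CRD now exposes to users, is never read when the `SecretVolumeSource` is built, so `optional: true` has no effect and the mount fails closed exactly as the default does. Either forward it with `Optional: df.Spec.Authentication.ClientCaCertSecret.Optional,` next to `SecretName`, or state in the field's doc comment that `optional` is ignored; keeping the mount mandatory is arguably the safer default, since otherwise the container argument would point at a file that is not there. The literal `"ca.crt"` in the `KeyToPath` here is repeated inside the `fmt.Sprintf` of the following hunk (@@ -268), and a single shared constant would keep the mounted file name and the flag value from drifting apart. The new comment `// mount the secrets as a volume` is plural while the code mounts one key of one Secret; `// mount the selected CA key of the Secret as a volume` describes it accurately. GetDragonflyResources begins before this hunk, so the surrounding TLS checks are not visible here.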