diff --git a/.gitignore b/.gitignore
index 195315528..5427db7cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,3 +94,5 @@ logs
 
 # locally packaged chart
 mongodb-kubernetes-*.tgz
+
+scripts/code_snippets/tests/outputs/*
diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
index d3a5c32a0..84318afc9 100644
--- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
+++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go
@@ -272,7 +272,7 @@ func (r *MongoDBSearchReconcileHelper) ensureEgressTlsConfig(ctx context.Context
 
 	mongotModification := func(config *mongot.Config) {
 		config.SyncSource.ReplicaSet.TLS = ptr.To(true)
-		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + "/" + tlsSourceConfig.CAFileName)
+		config.SyncSource.CertificateAuthorityFile = ptr.To(tls.CAMountPath + tlsSourceConfig.CAFileName)
 
 		// if the gRPC server is configured to accept TLS connections then toggle mTLS as well
 		if config.Server.Grpc.TLS.Mode == mongot.ConfigTLSModeTLS {
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0040_validate_env.sh b/docs/search/01-search-community-deploy/code_snippets/01_0040_validate_env.sh
new file mode 100644
index 000000000..f7a95e268
--- /dev/null
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0040_validate_env.sh
@@ -0,0 +1,25 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done
+
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - ${m}" >&2; done
+else
+  echo "All required environment variables present."
+fi
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh b/docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh
index 6e28372b7..80b655277 100755
--- a/docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0305_create_mongodb_community_user_secrets.sh
@@ -1,12 +1,16 @@
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-admin-user-password \
-  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
+# Create admin user secret
+kubectl create secret generic mdb-admin-user-password \
+  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdbc-rs-search-sync-source-password \
-  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
+# Create search sync source user secret
+kubectl create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
+  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
-kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
-  create secret generic mdb-user-password \
-  --from-literal=password="${MDB_USER_PASSWORD}"
+# Create regular user secret
+kubectl create secret generic mdb-user-password \
+  --from-literal=password="${MDB_USER_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply --context "${K8S_CTX}" --namespace "${MDB_NS}" -f -
 
+echo "User secrets created."
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0306_install_cert_manager.sh b/docs/search/01-search-community-deploy/code_snippets/01_0306_install_cert_manager.sh
new file mode 100755
index 000000000..0e92edf54
--- /dev/null
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0306_install_cert_manager.sh
@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh b/docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh
new file mode 100755
index 000000000..ae9387bca
--- /dev/null
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0307_prepare_cert_manager_issuer.sh
@@ -0,0 +1,60 @@
+# Bootstrap a self-signed ClusterIssuer that will mint the CA material consumed by
+# the MongoDBCommunity deployment.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+# Create the CA certificate and secret in the cert-manager namespace.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+# Publish a cluster-scoped issuer that fronts the generated CA secret so all namespaces can reuse it.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+
+kubectl --context "${K8S_CTX}" \
+  get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" \
+  -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+# Expose the CA bundle through a ConfigMap for workloads and the MongoDBCommunity resource.
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
+
+echo "Cluster-wide CA issuer ${MDB_TLS_CA_ISSUER} is ready."
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh b/docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh
new file mode 100755
index 000000000..68b8a1e7f
--- /dev/null
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0308_issue_tls_certificates.sh
@@ -0,0 +1,70 @@
+server_certificate="${MDB_RESOURCE_NAME}-server-tls"
+search_certificate="${MDB_RESOURCE_NAME}-search-tls"
+
+mongo_dns_names=()
+for ((member = 0; member < MDB_MEMBERS; member++)); do
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
+  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
+done
+mongo_dns_names+=(
+  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+)
+
+search_dns_names=(
+  "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+)
+
+render_dns_list() {
+  local dns_list=("$@")
+  for dns in "${dns_list[@]}"; do
+    printf "      - \"%s\"\n" "${dns}"
+  done
+}
+
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${server_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${mongo_dns_names[@]}")
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${search_certificate}
+  namespace: ${MDB_NS}
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  dnsNames:
+$(render_dns_list "${search_dns_names[@]}")
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
+
+echo "MongoDB TLS certificates have been issued."
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh b/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
index 83c1a2c6b..950340bf1 100755
--- a/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0310_create_mongodb_community_resource.sh
@@ -2,12 +2,18 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodbcommunity.mongodb.com/v1
 kind: MongoDBCommunity
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
   version: ${MDB_VERSION}
   type: ReplicaSet
-  members: 3
+  members: ${MDB_MEMBERS}
   security:
+    tls:
+      enabled: true
+      certificateKeySecretRef:
+        name: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+      caConfigMapRef:
+        name: ${MDB_TLS_CA_CONFIGMAP}
     authentication:
       ignoreUnknownUsers: true
       modes:
@@ -68,8 +74,8 @@ spec:
       db: admin
       # a reference to the secret that will be used to generate the user's password
       passwordSecretRef:
-        name: mdbc-rs-search-sync-source-password
-      scramCredentialsSecretName: mdbc-rs-search-sync-source
+        name: ${MDB_RESOURCE_NAME}-search-sync-source-password
+      scramCredentialsSecretName: ${MDB_RESOURCE_NAME}-search-sync-source
       roles:
         - name: searchCoordinator
           db: admin
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh b/docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh
index 72bcc4348..fd6a40862 100755
--- a/docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0320_create_mongodb_search_resource.sh
@@ -2,8 +2,12 @@ kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
 apiVersion: mongodb.com/v1
 kind: MongoDBSearch
 metadata:
-  name: mdbc-rs
+  name: ${MDB_RESOURCE_NAME}
 spec:
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh b/docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh
index 0fdb35017..36d2a2db0 100755
--- a/docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0325_wait_for_search_resource.sh
@@ -1,3 +1,3 @@
 echo "Waiting for MongoDBSearch resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=jsonpath='{.status.phase}'=Running mdbs/mdbc-rs --timeout=300s
+  --for=jsonpath='{.status.phase}'=Running mdbs/"${MDB_RESOURCE_NAME}" --timeout=300s
diff --git a/docs/search/01-search-community-deploy/code_snippets/01_0330_wait_for_community_resource.sh b/docs/search/01-search-community-deploy/code_snippets/01_0330_wait_for_community_resource.sh
old mode 100755
new mode 100644
index 939ef3fa1..669bf434f
--- a/docs/search/01-search-community-deploy/code_snippets/01_0330_wait_for_community_resource.sh
+++ b/docs/search/01-search-community-deploy/code_snippets/01_0330_wait_for_community_resource.sh
@@ -1,3 +1,7 @@
 echo "Waiting for MongoDBCommunity resource to reach Running phase..."
 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
   --for=jsonpath='{.status.phase}'=Running mdbc/mdbc-rs --timeout=400s
+echo; echo "MongoDBCommunity resource"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get mdbc/mdbc-rs
+echo; echo "Pods running in cluster ${K8S_CTX}"
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
diff --git a/docs/search/01-search-community-deploy/env_variables.sh b/docs/search/01-search-community-deploy/env_variables.sh
index c02aaeb96..0cf7e8af6 100644
--- a/docs/search/01-search-community-deploy/env_variables.sh
+++ b/docs/search/01-search-community-deploy/env_variables.sh
@@ -4,6 +4,21 @@ export K8S_CTX="<local cluster context>"
 # the following namespace will be created if not exists
 export MDB_NS="mongodb"
 
+# MongoDBCommunity resource name referenced throughout the guide
+export MDB_RESOURCE_NAME="mdbc-rs"
+# Number of replica set members deployed in the sample MongoDBCommunity
+export MDB_MEMBERS=3
+
+# TLS-related secret names used for MongoDBCommunity and MongoDBSearch
+export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+export MDB_TLS_SELF_SIGNED_ISSUER="${MDB_RESOURCE_NAME}-selfsigned-cluster-issuer"
+export MDB_TLS_CA_CERT_NAME="${MDB_RESOURCE_NAME}-selfsigned-ca"
+export MDB_TLS_CA_ISSUER="${MDB_RESOURCE_NAME}-cluster-issuer"
+
 # minimum required MongoDB version for running MongoDB Search is 8.2.0
 export MDB_VERSION="8.2.0"
 
@@ -18,4 +33,7 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@mdbc-rs-0.mdbc-rs-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=mdbc-rs"
+# TLS is mandatory; connection string must include tls=true
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
diff --git a/docs/search/01-search-community-deploy/test.sh b/docs/search/01-search-community-deploy/test.sh
index af1382274..d08156b15 100755
--- a/docs/search/01-search-community-deploy/test.sh
+++ b/docs/search/01-search-community-deploy/test.sh
@@ -11,6 +11,7 @@ cd "${script_dir}"
 
 prepare_snippets
 
+run 01_0040_validate_env.sh
 run 01_0045_create_namespaces.sh
 run 01_0046_create_image_pull_secrets.sh
 run 01_0048_configure_prerelease_image_pullsecret.sh
@@ -18,6 +19,11 @@ run_for_output 01_0090_helm_add_mogodb_repo.sh
 run_for_output 01_0100_install_operator.sh
 run_for_output 01_0110_wait_for_operator_deployment.sh
 run 01_0305_create_mongodb_community_user_secrets.sh
+
+run 01_0306_install_cert_manager.sh
+run 01_0307_prepare_cert_manager_issuer.sh
+run 01_0308_issue_tls_certificates.sh
+
 run 01_0310_create_mongodb_community_resource.sh
 run_for_output 01_0315_wait_for_community_resource.sh
 run 01_0320_create_mongodb_search_resource.sh
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh
new file mode 100644
index 000000000..16390154c
--- /dev/null
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0040_validate_env.sh
@@ -0,0 +1,28 @@
+required=(
+  K8S_CTX
+  MDB_NS
+  MDB_RESOURCE_NAME
+  MDB_VERSION
+  MDB_MEMBERS
+  CERT_MANAGER_NAMESPACE
+  MDB_TLS_CA_SECRET_NAME
+  MDB_TLS_SERVER_CERT_SECRET_NAME
+  MDB_SEARCH_TLS_SECRET_NAME
+  MDB_ADMIN_USER_PASSWORD
+  MDB_SEARCH_SYNC_USER_PASSWORD
+  MDB_USER_PASSWORD
+  OPERATOR_HELM_CHART
+  OPS_MANAGER_PROJECT_NAME
+  OPS_MANAGER_API_URL
+  OPS_MANAGER_API_USER
+  OPS_MANAGER_API_KEY
+)
+
+missing_req=()
+for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done
+if (( ${#missing_req[@]} )); then
+  echo "ERROR: Missing required environment variables:" >&2
+  for m in "${missing_req[@]}"; do echo "  - ${m}" >&2; done
+else
+  echo "All required environment variables present."
+fi
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh
new file mode 100644
index 000000000..0e92edf54
--- /dev/null
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0301_install_cert_manager.sh
@@ -0,0 +1,15 @@
+helm upgrade --install \
+  cert-manager \
+  oci://quay.io/jetstack/charts/cert-manager \
+  --kube-context "${K8S_CTX}" \
+  --namespace "${CERT_MANAGER_NAMESPACE}" \
+  --create-namespace \
+  --set crds.enabled=true
+
+for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
+  kubectl --context "${K8S_CTX}" \
+    -n "${CERT_MANAGER_NAMESPACE}" \
+    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
+done
+
+echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh
new file mode 100644
index 000000000..102c4ff0a
--- /dev/null
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0302_configure_tls_prerequisites.sh
@@ -0,0 +1,53 @@
+# Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+spec:
+  selfSigned: {}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_TLS_CA_CERT_NAME}
+  namespace: ${CERT_MANAGER_NAMESPACE}
+spec:
+  isCA: true
+  commonName: ${MDB_TLS_CA_CERT_NAME}
+  secretName: ${MDB_TLS_CA_SECRET_NAME}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
+    kind: ClusterIssuer
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
+
+kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${MDB_TLS_CA_ISSUER}
+spec:
+  ca:
+    secretName: ${MDB_TLS_CA_SECRET_NAME}
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
+
+TMP_CA_CERT="$(mktemp)"
+trap 'rm -f "${TMP_CA_CERT}"' EXIT
+
+kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
+
+kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
+  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
+  --from-file=ca.crt="${TMP_CA_CERT}" \
+  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh
new file mode 100644
index 000000000..1f6965a66
--- /dev/null
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0304_generate_tls_certificates.sh
@@ -0,0 +1,47 @@
+kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-server-tls
+spec:
+  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+  - client auth
+  dnsNames:
+  - "${MDB_RESOURCE_NAME}-0"
+  - "${MDB_RESOURCE_NAME}-1"
+  - "${MDB_RESOURCE_NAME}-2"
+  - "${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  - "${MDB_RESOURCE_NAME}-1.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+  - "${MDB_RESOURCE_NAME}-2.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${MDB_RESOURCE_NAME}-search-tls
+spec:
+  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
+  issuerRef:
+    name: ${MDB_TLS_CA_ISSUER}
+    kind: ClusterIssuer
+  duration: 240h0m0s
+  renewBefore: 120h0m0s
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+  - client auth
+  dnsNames:
+  - "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
+EOF_MANIFEST
+
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${MDB_NS}" certificate "${MDB_RESOURCE_NAME}-server-tls"
+kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${MDB_NS}" certificate "${MDB_RESOURCE_NAME}-search-tls"
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh
index 3c3454875..353110bb1 100755
--- a/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0305_create_mongodb_database_resource.sh
@@ -17,6 +17,10 @@ spec:
       ignoreUnknownUsers: true
       modes:
       - SCRAM
+    certsSecretPrefix: ${MDB_TLS_CERT_SECRET_PREFIX}
+    tls:
+      enabled: true
+      ca: ${MDB_TLS_CA_CONFIGMAP}
   agent:
     logLevel: INFO
   podSpec:
diff --git a/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh b/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh
index f13c049a0..0570b020c 100755
--- a/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh
+++ b/docs/search/02-search-enterprise-deploy/code_snippets/02_0320_create_mongodb_search_resource.sh
@@ -6,6 +6,10 @@ metadata:
 spec:
   # no need to specify source.mongodbResourceRef if MongoDBSearch CR has the same name as MongoDB CR
   # the operator infer it automatically
+  security:
+    tls:
+      certificateKeySecretRef:
+        name: ${MDB_SEARCH_TLS_SECRET_NAME}
   resourceRequirements:
     limits:
       cpu: "3"
diff --git a/docs/search/02-search-enterprise-deploy/env_variables.sh b/docs/search/02-search-enterprise-deploy/env_variables.sh
index 0a292ff98..c389a19c3 100644
--- a/docs/search/02-search-enterprise-deploy/env_variables.sh
+++ b/docs/search/02-search-enterprise-deploy/env_variables.sh
@@ -33,5 +33,15 @@ export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
 export OPERATOR_ADDITIONAL_HELM_VALUES=""
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
-
+export MDB_TLS_CERT_SECRET_PREFIX="certs"
+export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+
+export CERT_MANAGER_NAMESPACE="cert-manager"
+export MDB_TLS_SELF_SIGNED_ISSUER="selfsigned-bootstrap-issuer"
+export MDB_TLS_CA_CERT_NAME="my-selfsigned-ca"
+export MDB_TLS_CA_SECRET_NAME="root-secret"
+export MDB_TLS_CA_ISSUER="my-ca-issuer"
+export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert"
+export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true"
diff --git a/docs/search/02-search-enterprise-deploy/test.sh b/docs/search/02-search-enterprise-deploy/test.sh
index 022cb0109..fb7890f8a 100755
--- a/docs/search/02-search-enterprise-deploy/test.sh
+++ b/docs/search/02-search-enterprise-deploy/test.sh
@@ -11,6 +11,7 @@ cd "${script_dir}"
 
 prepare_snippets
 
+run 02_0040_validate_env.sh
 run 02_0045_create_namespaces.sh
 run 02_0046_create_image_pull_secrets.sh
 run 02_0048_configure_prerelease_image_pullsecret.sh
@@ -18,6 +19,12 @@ run 02_0048_configure_prerelease_image_pullsecret.sh
 run_for_output 02_0090_helm_add_mogodb_repo.sh
 run_for_output 02_0100_install_operator.sh
 run 02_0300_create_ops_manager_resources.sh
+
+#TLS related steps
+run 02_0301_install_cert_manager.sh
+run 02_0302_configure_tls_prerequisites.sh
+run 02_0304_generate_tls_certificates.sh
+
 run 02_0305_create_mongodb_database_resource.sh
 run_for_output 02_0310_wait_for_database_resource.sh
 run 02_0315_create_mongodb_users.sh
diff --git a/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh b/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh
index 6ac5f4e34..119d951c7 100755
--- a/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh
+++ b/docs/search/03-search-query-usage/code_snippets/03_0410_run_mongodb_tools_pod.sh
@@ -11,9 +11,20 @@ spec:
     image: mongodb/mongodb-community-server:${MDB_VERSION%-ent}-ubi8
     command: ["/bin/bash", "-c"]
     args: ["sleep infinity"]
+    volumeMounts:
+    - name: mongo-ca
+      mountPath: /tls
+      readOnly: true
   restartPolicy: Never
+  volumes:
+  - name: mongo-ca
+    configMap:
+      name: ${MDB_TLS_CA_CONFIGMAP:-"${MDB_RESOURCE_NAME}-ca-configmap"}
+      optional: true
+      items:
+      - key: ca.crt
+        path: ca.crt
 EOF
 
 echo "Waiting for the mongodb-tools to be ready..."
-kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait \
-  --for=condition=Ready pod/mongodb-tools-pod --timeout=60s
+kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready pod/mongodb-tools-pod --timeout=60s
diff --git a/docs/search/03-search-query-usage/code_snippets/03_0420_import_movies_mflix_database.sh b/docs/search/03-search-query-usage/code_snippets/03_0420_import_movies_mflix_database.sh
index 4f765f831..25f8ae82b 100755
--- a/docs/search/03-search-query-usage/code_snippets/03_0420_import_movies_mflix_database.sh
+++ b/docs/search/03-search-query-usage/code_snippets/03_0420_import_movies_mflix_database.sh
@@ -1,8 +1,9 @@
+# Restore sample_mflix database. Provide any TLS parameters directly within MDB_CONNECTION_STRING.
 kubectl exec -n "${MDB_NS}" --context "${K8S_CTX}" \
-  mongodb-tools-pod -- /bin/bash -eu -c "$(cat <<EOF
+  mongodb-tools-pod -- env MDB_CONNECTION_STRING="${MDB_CONNECTION_STRING}" /bin/bash -eu -c "$(cat <<'EOF'
 echo "Downloading sample database archive..."
-curl https://atlas-education.s3.amazonaws.com/sample_mflix.archive \
-  -o /tmp/sample_mflix.archive
+curl -fSL https://atlas-education.s3.amazonaws.com/sample_mflix.archive -o /tmp/sample_mflix.archive
+
 echo "Restoring sample database"
 mongorestore \
   --archive=/tmp/sample_mflix.archive \
diff --git a/docs/search/03-search-query-usage/code_snippets/03_0430_create_search_index.sh b/docs/search/03-search-query-usage/code_snippets/03_0430_create_search_index.sh
index d9d0d193f..d195e5a0a 100755
--- a/docs/search/03-search-query-usage/code_snippets/03_0430_create_search_index.sh
+++ b/docs/search/03-search-query-usage/code_snippets/03_0430_create_search_index.sh
@@ -1,5 +1,4 @@
 kubectl exec --context "${K8S_CTX}" -n "${MDB_NS}" mongodb-tools-pod -- \
-  mongosh --quiet \
-    "${MDB_CONNECTION_STRING}" \
+  mongosh --quiet "${MDB_CONNECTION_STRING}" \
     --eval "use sample_mflix" \
     --eval 'db.movies.createSearchIndex("default", { mappings: { dynamic: true } });'
diff --git a/docs/search/03-search-query-usage/env_variables.sh b/docs/search/03-search-query-usage/env_variables.sh
index af6bd874c..48bef1c94 100644
--- a/docs/search/03-search-query-usage/env_variables.sh
+++ b/docs/search/03-search-query-usage/env_variables.sh
@@ -15,6 +15,14 @@
 # user only for the connection string in MDB_CONNECTION_STRING env var below
 #export MDB_RESOURCE_NAME="mdbc-rs"
 
+# TLS-related resources used by the snippets in this module
+#export MDB_TLS_CA_SECRET_NAME="${MDB_RESOURCE_NAME}-ca"
+#export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
+#export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_RESOURCE_NAME}-tls"
+#export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
+
 # default connection string if MongoDB database is deployed using the operator
 #export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+# To enable TLS for the shared snippets, append driver options directly to the connection string, for example:
+#export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
diff --git a/scripts/code_snippets/code_snippets_cleanup.sh b/scripts/code_snippets/code_snippets_cleanup.sh
index f88f9f36a..f45594086 100755
--- a/scripts/code_snippets/code_snippets_cleanup.sh
+++ b/scripts/code_snippets/code_snippets_cleanup.sh
@@ -32,5 +32,9 @@ for snippet_dir in $(bash "${script_dir}/find_snippets_directories.sh"); do
 done
 
 wait
+
+echo "Cleaning up snippets outputs"
+rm -rf "scripts/code_snippets/tests/outputs/*"
+
 echo "Cleaning up done."
 
diff --git a/scripts/code_snippets/tests/test_kind_search_community_snippets.sh b/scripts/code_snippets/tests/test_kind_search_community_snippets.sh
index 522433a7a..6d8993179 100755
--- a/scripts/code_snippets/tests/test_kind_search_community_snippets.sh
+++ b/scripts/code_snippets/tests/test_kind_search_community_snippets.sh
@@ -31,7 +31,6 @@ echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 
 export MDB_RESOURCE_NAME="mdbc-rs"
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
 ${test_dir}/test.sh
-
diff --git a/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh b/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh
index 945053844..3e766a4d5 100755
--- a/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh
+++ b/scripts/code_snippets/tests/test_kind_search_enterprise_snippets.sh
@@ -25,11 +25,14 @@ echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 ${test_dir}/test.sh
 
+echo "Sleeping for 120s to let replicaset nodes restarted and configured with the search configuration."
+sleep 120
+
 test_dir="./docs/search/03-search-query-usage"
 echo "Sourcing env variables for ${CODE_SNIPPETS_FLAVOR} flavor"
 # shellcheck disable=SC1090
 test -f "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh" && source "${test_dir}/env_variables_${CODE_SNIPPETS_FLAVOR}.sh"
 
-export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}"
+export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-0.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
 
 ${test_dir}/test.sh