diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 63eff5f61..27688a868 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -926,16 +926,39 @@ common_ssl_opts_schema(Defaults) ->
 , {"cacertfile",
 sc(string(),
 #{ default => D("cacertfile")
+ , nullable => true
+ , desc =>
+"""Trusted PEM format CA certificates bundle file.
+The certificates in this file are used to verify the TLS peer's certificates.
+Append new certificates to the file if new CAs are to be trusted.
+There is no need to restart EMQ X to have the updated file loaded, because
+the system regularly checks if file has been updated (and reload).
+NOTE: invalidating (deleting) a certificate from the file will not affect
+already established connections.
+"""
 })
 }
 , {"certfile",
 sc(string(),
 #{ default => D("certfile")
+ , nullable => true
+ , desc =>
+"""PEM format certificates chain file.
+The certificates in this file should be in reversed order of the certificate
+issue chain. That is, the host's certificate should be placed in the beginning
+of the file, followed by the immediate issuer certificate and so on.
+Although the root CA certificate is optional, it should placed at the end of
+the file if it is to be added.
+"""
 })
 }
 , {"keyfile",
 sc(string(),
 #{ default => D("keyfile")
+ , nullable => true
+ , desc =>
+"""PEM format private key file.
+"""
 })
 }
 , {"verify",
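Review bot: `nullable => true` on `cacertfile` allows a TLS configuration with no CA bundle, and nothing visible in this hunk ties that to the `verify` field that follows (the rest of common_ssl_opts_schema lies outside the hunk). It is worth confirming that a configuration which enables peer verification is rejected at config-check time when `cacertfile` is unset, instead of starting without trust anchors. If that is the intended contract, the description should say so, for example `Required when peer verification is enabled.` The `keyfile` description is thin for a file that holds a secret; consider adding `The file should be readable only by the account that runs EMQ X.` There are two wording slips in the new text: `if file has been updated (and reload)` reads better as `whether the file has been updated (and reloads it)`, and `it should placed` should be `it should be placed`.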