diff --git a/pkg/antctl/raw/helper.go b/pkg/antctl/raw/helper.go
index ee7206c9dba..50313642591 100644
--- a/pkg/antctl/raw/helper.go
+++ b/pkg/antctl/raw/helper.go
@@ -121,10 +121,10 @@ func CreateAgentClientCfgFromObjects(
 cfg.CAFile = ""
 cfg.CAData = nil
 } else {
- cert := agentInfo.APICertData
+ cert := agentInfo.APICABundle
 if len(cert) == 0 {
 fmt.Println("Failed to retrieve certificate for Antrea Agent, which is required to establish a secure connection")
- // v1.13 is when APICertData was added to the AntreaAgentInfo CRD
+ // v1.13 is when APICABundle was added to the AntreaAgentInfo CRD
 if semver.Compare(agentInfo.Version, "v1.13") < 0 {
 fmt.Println("You may be using a version of the Antrea Agent that does not publish certificate data (< v1.13)")
 }
diff --git a/pkg/antctl/raw/helper_test.go b/pkg/antctl/raw/helper_test.go
index 13e74def84f..a3cfae584ac 100644
--- a/pkg/antctl/raw/helper_test.go
+++ b/pkg/antctl/raw/helper_test.go
@@ -110,7 +110,7 @@ func TestCreateAgentClientCfg(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 k8sClient := fakeclient.NewSimpleClientset(node)
 agentInfo := agentInfo.DeepCopy()
- agentInfo.APICertData = tc.certData
+ agentInfo.APICABundle = tc.certData
 antreaClient := antreafakeclient.NewSimpleClientset(agentInfo)
 kubeconfig := &rest.Config{}
diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go
index 773485a0c76..80962b6c4bf 100644
--- a/pkg/apis/crd/v1beta1/types.go
+++ b/pkg/apis/crd/v1beta1/types.go
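Review bot: In pkg/antctl/raw/helper.go, `len(cert) == 0` is the only visible check on the value now read from `agentInfo.APICABundle`, and nothing near it records where this trust anchor comes from. The bundle is taken from the AntreaAgentInfo object, so the TLS verification antctl performs against the Agent API is presumably only as strong as the restriction on who can write that resource; a comment above the assignment would make that explicit, for example `// CA bundle is read from the AntreaAgentInfo object: trust in the Agent API connection depends on write access to that resource being restricted.` The local is still named `cert` and both printed messages still say "certificate", which no longer matches the field; `caBundle` would read better. The rest of CreateAgentClientCfgFromObjects, including how the bundle is consumed, lies outside the hunk.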
@@ -44,8 +44,9 @@ type AntreaAgentInfo struct {
 AgentConditions []AgentCondition `json:"agentConditions,omitempty"`
 // The port of Antrea Agent API Server
 APIPort int `json:"apiPort,omitempty"`
- // The self-signed certificate used to serve the Antrea Agent API
- APICertData []byte `json:"apiCertData,omitempty"`
+ // APICABundle is a PEM encoded CA bundle which can be used to validate the Antrea Agent API
+ // server's certificate.
+ APICABundle []byte `json:"apiCABundle,omitempty"`
 // The port range used by NodePortLocal
 NodePortLocalPortRange string `json:"nodePortLocalPortRange,omitempty"`
 }
diff --git a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go
index 6b876579730..ab06a42283f 100644
--- a/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go
+++ b/pkg/apis/crd/v1beta1/zz_generated.deepcopy.go
@@ -61,8 +61,8 @@ func (in *AntreaAgentInfo) DeepCopyInto(out *AntreaAgentInfo) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.APICertData != nil { - in, out := &in.APICertData, &out.APICertData + if in.APICABundle != nil { + in, out := &in.APICABundle, &out.APICABundle *out = make([]byte, len(*in)) copy(*out, *in) }
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go
index 4c7842cf0c8..fe220e3d179 100644
--- a/pkg/apiserver/openapi/zz_generated.openapi.go
+++ b/pkg/apiserver/openapi/zz_generated.openapi.go
@@ -2554,9 +2554,9 @@ func schema_pkg_apis_crd_v1beta1_AntreaAgentInfo(ref common.ReferenceCallback) c Format: "int32", }, }, - "apiCertData": { + "apiCABundle": { SchemaProps: spec.SchemaProps{ - Description: "The self-signed certificate used to serve the Antrea Agent API", + Description: "APICABundle is a PEM encoded CA bundle which can be used to validate the Antrea Agent API server's certificate.", Type: []string{"string"}, Format: "byte", },
diff --git a/pkg/monitor/agent.go b/pkg/monitor/agent.go
index 5153d3e76aa..e89ae854a78 100644
--- a/pkg/monitor/agent.go
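Review bot: In pkg/apis/crd/v1beta1/types.go the JSON key changes from `apiCertData` to `apiCABundle` with no fallback, so an AntreaAgentInfo object written under the old key would decode with an empty `APICABundle`. antctl would then print the missing-certificate message from helper.go, and the `< v1.13` hint there would not explain it for an agent that reports v1.13 or later. If no released agent ever published `apiCertData` this is harmless, but the field comment should record when the field appeared, for example `// Added in v1.13.`; otherwise the old key needs a transition path. The CRD manifest schema is not visible in this diff and, if it lists the field, would need the same key change.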
+++ b/pkg/monitor/agent.go
@@ -91,7 +91,7 @@ func (monitor *agentMonitor) getAgentCRD() (*v1beta1.AntreaAgentInfo, error) {
 // updateAgentCRD updates the monitoring CRD.
 func (monitor *agentMonitor) updateAgentCRD(partial bool) (*v1beta1.AntreaAgentInfo, error) {
 monitor.querier.GetAgentInfo(monitor.agentCRD, partial)
- monitor.agentCRD.APICertData = monitor.apiCertData
+ monitor.agentCRD.APICABundle = monitor.apiCertData
 klog.V(2).Infof("Updating agent monitoring CRD %+v, partial: %t", monitor.agentCRD, partial)
 return monitor.client.CrdV1beta1().AntreaAgentInfos().Update(context.TODO(), monitor.agentCRD, metav1.UpdateOptions{})
 }
diff --git a/pkg/monitor/agent_test.go b/pkg/monitor/agent_test.go
index d50f5ce9e26..4007de6dde4 100644
--- a/pkg/monitor/agent_test.go
+++ b/pkg/monitor/agent_test.go
@@ -70,7 +70,7 @@ func TestSyncAgentCRD(t *testing.T) {
 NetworkPolicyNum: 0,
 },
 APIPort: 10349,
- APICertData: fakeCertData,
+ APICABundle: fakeCertData,
 }
 t.Run("partial update-success", func(t *testing.T) {
 clientset := fakeclientset.NewSimpleClientset(existingCRD)
@@ -108,7 +108,7 @@ func TestSyncAgentCRD(t *testing.T) {
 crd, err := monitor.client.CrdV1beta1().AntreaAgentInfos().Get(ctx, "testAgentCRD", metav1.GetOptions{})
 require.NoError(t, err)
 assert.Equal(t, entirelyUpdatedCRD.APIPort, crd.APIPort)
- assert.Equal(t, entirelyUpdatedCRD.APICertData, crd.APICertData)
+ assert.Equal(t, entirelyUpdatedCRD.APICABundle, crd.APICABundle)
 })
 t.Run("entire update-failure", func(t *testing.T) {
 clientset := fakeclientset.NewSimpleClientset(existingCRD)
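Review bot: In pkg/monitor/agent.go the right-hand side of the new assignment is still `monitor.apiCertData`, so the monitor keeps the old name for data that is now published as a CA bundle. Renaming the field where it is declared (outside this hunk) and writing `monitor.agentCRD.APICABundle = monitor.apiCABundle` would keep the two in step. If the value is in fact the agent's own serving certificate rather than an issuing CA, a one-line comment on the field saying so would help readers who rely on the new API description.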