diff --git a/deploy-guide/source/app-octavia.rst b/deploy-guide/source/app-octavia.rst index f08f46f..a9eead9 100644 --- a/deploy-guide/source/app-octavia.rst +++ b/deploy-guide/source/app-octavia.rst @@ -103,26 +103,25 @@ Generate certificates ~~~~~~~~~~~~~~~~~~~~~ Octavia uses client certificates for authentication and security of -communication between Amphorae (load balancers) and the Octavia control plane; -for the initial version of the Octavia charm, these must be generated by the -operator and provided to the Octavia charm as configuration. +communication between Amphorae (load balancers) and the Octavia control plane. -The script below generates example certificates and keys with a 365 day expiry -period: +The commands below show how keys and certificates can be generated. These are +examples only; modify the parameters as required. .. code-block:: none mkdir -p demoCA/newcerts touch demoCA/index.txt touch demoCA/index.txt.attr - openssl genrsa -passout pass:foobar -des3 -out issuing_ca_key.pem 2048 + + openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \ -config /etc/ssl/openssl.cnf \ -subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \ -days 365 \ -out issuing_ca.pem - openssl genrsa -passout pass:foobar -des3 -out controller_ca_key.pem 2048 + openssl genpkey -algorithm RSA -pass pass:foobar -out controller_ca_key.pem openssl req -x509 -passin pass:foobar -new -nodes \ -key controller_ca_key.pem \ -config /etc/ssl/openssl.cnf \ 
@@ -139,22 +138,17 @@ period: -in controller.csr -days 365 -out controller_cert.pem cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem -The generated certificates and keys must then be provided to the octavia charm: +This information is then provided to Octavia via charm configuration options: .. code-block:: none juju config octavia \ - lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \ - lb-mgmt-issuing-ca-private-key="$(base64 controller_ca_key.pem)" \ + lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \ + lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \ lb-mgmt-issuing-ca-key-passphrase=foobar \ lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \ lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)" -.. note:: - - Future versions of the charm may automatically generate the internal - Certification Authority required to operate Octavia. - Resource configuration ~~~~~~~~~~~~~~~~~~~~~~
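Review bot: in the first hunk, `openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem` (and the matching controller_ca_key.pem line) writes the private key unencrypted: genpkey only applies `-pass` when an output cipher is also requested, so the passphrase is ignored, the issuing CA key lands on disk in plaintext, and the `lb-mgmt-issuing-ca-key-passphrase=foobar` setting later in the document no longer corresponds to the key being uploaded. Suggest `openssl genpkey -algorithm RSA -aes-256-cbc -pass pass:foobar -out issuing_ca_key.pem` (same change for the controller CA key); adding `-pkeyopt rsa_keygen_bits:2048` would also keep the key size the old `genrsa ... 2048` made explicit rather than relying on genpkey's default. The new intro sentence ("These are examples only; modify the parameters as required.") should state that the passphrase and the `-subj` values are placeholders to be replaced, since readers copy these blocks verbatim.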
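Review bot: in the second hunk, pointing `lb-mgmt-issuing-cacert` and `lb-mgmt-issuing-ca-private-key` at issuing_ca.pem and issuing_ca_key.pem instead of the controller CA files is the right fix, but the replacement sentence "This information is then provided to Octavia via charm configuration options:" is vaguer than the line it replaces; suggest naming the artefacts, e.g. "The issuing CA certificate and private key (with its passphrase), the controller CA certificate and the controller certificate bundle are then provided to the charm as configuration options:". Also, `base64` on GNU coreutils wraps its output at 76 columns, so each `$(base64 ...)` value carries embedded newlines; unless the charm's decoder is known to tolerate that, `base64 -w0` would make the example robust.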