diff --git a/README b/README index 662205a..8dddf37 100644 --- a/README +++ b/README @@ -8,9 +8,9 @@ distribution. The make-ca script will process the certificates included in the certdata.txt file, and place them in the system trust anchors, for use in multiple -certificate stores. Additionally, any local certificates stored in -/etc/ssl/local will also be imported into the system trust anchors and -certificate stores making it a full trust management utiltiy. +certificate stores. Additionally, any local OpenSSL Trusted certificates +stored in /etc/ssl/local will also be imported into the system trust anchors +and certificate stores making it a full trust management utiltiy. The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally, NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed @@ -21,9 +21,11 @@ As of version 1.2, a p11-kit helper, copy-trust-modifications, is included for use in p11-kit's trust-extract-compat script (which should be symlinked to the user's path as update-ca-certificates). Manual creation of OpenSSL trusted certificates is no longer needed. Instead, import the certificate -using p11-kit's trust utility, and recreate the individual stores using the -update-ca-certificates script. A copy of any modified anchors will be placed -into $LOCALDIR (in the correct format) by the p11-kit helper script. +using p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality, +which will recreate the individual stores assigning serverAuth permissions to +the added certificate. A copy of any newly added anchors will be placed +into $LOCALDIR (in the correct format) by the p11-kit helper script, and the +individual stores will be recreated. For the p11-kit distro hook, remove the "not configured" and "exit 1" lines from trust/trust-extract-compat, and append the following: 
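Review bot: the @@ -8,9 hunk rewrites the line that carries "utiltiy" but keeps the typo; since all three lines are being replaced anyway, make it "utility". The same hunk introduces "OpenSSL Trusted certificates" with a capital T, while the context of the next hunk ("Manual creation of OpenSSL trusted certificates") and the new text later in this patch ("manually create an OpenSSL trusted certificate") write it in lowercase; pick one spelling for the term across the README.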
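Review bot: the @@ -21,9 hunk says the stores are rebuilt twice in one paragraph: "which will recreate the individual stores assigning serverAuth permissions to the added certificate" and, two lines later, "and the individual stores will be recreated." Keep one of them. The removed lines told the user to "recreate the individual stores using the update-ca-certificates script", and the unchanged context still says trust-extract-compat "should be symlinked to the user's path as update-ca-certificates", so the new text should state plainly whether the helper now runs that step automatically or whether update-ca-certificates still has to be invoked after 'trust anchor --store'. Also, "using p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality" reads as if the whole string were a command name; say "using p11-kit's trust utility, e.g. 'trust anchor --store /path/to/certificate.crt'" so the path is recognisably a placeholder.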
@@ -42,16 +44,14 @@ taking ownership for the results. You are strongly encouraged to define a written inclusion policy, distribute all blacklisted files as a part of the local directory, and to provide the written policy in the distributed package. - -The manual instructions below have been left for reference. - -To create an OpenSSL trusted certificate from a regular PEM encoded file, -provided by a CA not included in Mozilla's certificate distribution, you need -to add trust arguments to the openssl command, and create a new certificate. -There are three trust types that are recognized by the make-ca.sh script, -SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you -want it to be trusted for all three roles, the following commands will create -an appropriate OpenSSL trusted certificate: +While the p11-kit trust utility can be used in most simple cases, you may +require additional trust arguments for certian certificates. In these cases, +you will need to manually create an OpenSSL trusted certificate from a regular +PEM encoded file (use -inform for der or pkcs7 encoded certs).There are three +trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and +code signing. For example, using the CAcert root, if you want it to be trusted +for all three roles, the following commands will create an appropriate OpenSSL +Trusted certificate: # install -vdm755 /etc/ssl/local && # wget http://www.cacert.org/certs/root.crt && 
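Review bot: the @@ -42,16 hunk adds two typos, "certian" for "certain" and a missing space in "encoded certs).There are three". More importantly, "use -inform for der or pkcs7 encoded certs" is too terse for the reader who needs it: name the option value (-inform DER) and check the PKCS#7 case, because the openssl x509 command that the -addtrust/-addreject example builds on reads PEM or DER through -inform but does not take a PKCS#7 bundle, which first has to be unpacked with openssl pkcs7 -print_certs. The hunk also keeps calling the script "make-ca.sh" while the top of the README calls it "make-ca"; align the name.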
@@ -60,12 +60,12 @@ an appropriate OpenSSL trusted certificate: > /etc/ssl/local/CAcert_Class_1_root.pem If one of the three trust arguments is omitted, the certificate is neither -trusted, nor rejected for that role. Clients that use OpenSSL or NSS -encountering this certificate will present a warning to the user. Clients using -GnuTLS without p11-kit support are not aware of trusted certificates. To -include this CA into the ca-bundle.crt (used for GnuTLS), it must have -serverAuth trust. Additionally, to explicitly disallow a certificate for a -particular use, replace the -addtrust flag with the -addreject flag. +trusted, nor rejected for that role. Clients using GnuTLS without p11-kit +support are not aware of trusted certificates. To include this CA into the +ca-bundle.crt (used for GnuTLS linked applications not using the p11-module), +it must have serverAuth trust. Additionally, to explicitly disallow a +certificate for a particular use, replace the -addtrust flag with the +-addreject flag. Local trust overrides are handled entirely using the /etc/ssl/local directory. To override Mozilla's trust values, simply make a copy of the certificate in
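Review bot: the @@ -60,12 hunk drops "Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user." without replacing it, so the paragraph now says only that an omitted trust argument leaves the certificate "neither trusted, nor rejected" and no longer tells the reader what a client does with it; either restore a corrected statement of the client behaviour or record in the commit message why the old claim was wrong. In the new lines, hyphenate "GnuTLS-linked applications", and "the p11-module" should name the component the way the rest of the README does (p11-kit, or the p11-kit trust module) so it is clear which module is meant.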