Diffstat (limited to 'readme.md')
-rw-r--r--  readme.md  19
1 files changed, 15 insertions, 4 deletions
diff --git a/readme.md b/readme.md
index c524bc2..6011d40 100644
--- a/readme.md
+++ b/readme.md
@@ -28,8 +28,11 @@ cd opcua_c
The programs use TLS certificates for mutual authentication. ServerLDS and
ServerRegister can also run without certificates (SecurityPolicy#None only) by
omitting the `certificate`, `privateKey`, and `trustStore` keys from their
-config files. For encrypted operation, four identities are needed — run these
-from the project root:
+config files.
+
+For encrypted operation, four identities are needed. Each call to
+`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate
+(`<name>_cert.der`) and private key (`<name>_key.der`) in the given directory:
```sh
tools/generate_certificate.sh certs ServerLDS
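Review bot: the rewritten paragraph names `<name>_key.der` but says nothing about how that private key is protected or where it may live; consider adding one sentence stating whether `tools/generate_certificate.sh` writes the key unencrypted and that the `certs` directory must not be committed to the repository. While touching that sentence, "self-signed RSA-2048 certificate" describes the key size but not the certificate's validity period or which subject/application name the script embeds; a reader who needs a different name for a peer has no other place in the readme to learn that, so a short parenthetical after `(<name>_key.der)` would close the gap.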
@@ -38,10 +41,18 @@ tools/generate_certificate.sh certs ServerRegisterClient
tools/generate_certificate.sh certs ClientFindServers
```
+| Identity | Used by | Purpose |
+|----------|---------|---------|
+| `ServerLDS` | ServerLDS | Server certificate for the LDS |
+| `ServerRegister` | ServerRegister | Server certificate for the registering server |
+| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS |
+| `ClientFindServers` | Client | Client certificate for all client operations |
+
### Populate the trust stores
-Each program trusts a specific set of peers. Create symlinks to the
-certificates in the trust store directories so they can find each other:
+OPC UA applications only accept connections from peers whose certificate is in
+their trust store. Create the trust store directories and symlink each peer's
+certificate:
```sh
mkdir -p certs/trust/{server_lds,server_register,server_register_client,client}
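Review bot: the new opening sentence under "Populate the trust stores" ("OPC UA applications only accept connections from peers whose certificate is in their trust store") contradicts the paragraph earlier in this same hunk series, which says ServerLDS and ServerRegister can run with no certificates at all under SecurityPolicy#None; qualify it, e.g. "When a security policy other than None is in use, each program only accepts peers whose certificate is in its trust store." Second, the `mkdir -p` line introduces four directory names (`server_lds`, `server_register`, `server_register_client`, `client`) that do not match the identity names in the new table (`ServerLDS`, `ServerRegister`, `ServerRegisterClient`, `ClientFindServers`); adding a "Trust store" column to that table mapping each program to its `certs/trust/<dir>` would let a reader see which symlinks belong where without cross-referencing the shell block. Minor: "symlink each peer's certificate" should say the `<name>_cert.der` files only, so nobody links a `_key.der` into a trust store.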