diff --git a/README_SETUP.md b/README_SETUP.md
index 4b6b7bfb9003c4ff505c2160462ae2243840ee7a..244121ee54541c01b14354d571062ae78e3978cc 100644
--- a/README_SETUP.md
+++ b/README_SETUP.md
@@ -75,7 +75,8 @@ server:
    - `keytool -genkey -keyalg RSA -alias selfsigned -keystore caosdb.jks -validity 375 -keysize 2048 -ext san=dns:localhost`
      Replace `localhost` by your host name, if you want.
    - `keytool -importkeystore -srckeystore caosdb.jks -destkeystore caosdb.p12 -deststoretype PKCS12 -srcalias selfsigned`
-   - `openssl pkcs12 -in caosdb.p12 -nokeys -out cert.pem`
+   - Export the public part only: `openssl pkcs12 -in caosdb.p12 -nokeys -out cert.pem`.
+	 The resulting ``cert.pem` can safely be given to users to allow ssl verification.
    - You can check the content of the certificate with `openssl x509 -in cert.pem -text`
 
    Alternatively, you can create a keystore from certificate files that you already have:
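Review bot: The added continuation line under the `openssl pkcs12 ... -nokeys` bullet has unbalanced backticks around cert.pem (two opening, one closing), so the inline code will not render as intended, and it is indented with a tab while the neighbouring list lines use spaces. Suggest: "The resulting `cert.pem` can safely be given to users to allow SSL verification." Since the new text only says which file is safe to share, consider also stating in this bullet that `caosdb.jks` and `caosdb.p12` contain the private key and must not be handed out.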