Diffstat (limited to 'docs/x509')
| -rw-r--r-- | docs/x509/tutorial.rst | 12 | 
1 files changed, 7 insertions, 5 deletions
| diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index e2b64175..69cc5be0 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -11,13 +11,15 @@ When obtaining a certificate from a certificate authority (CA), the usual  flow is:  1. You generate a private/public key pair. -2. You create a request for a certificate, which is signed by your key (to prove -   that you own that key). +2. You create a request for a certificate, which is signed by your key (to +   prove that you own that key).  3. You give your CSR to a CA (but *not* the private key).  4. The CA validates that you own the resource (e.g. domain) you want a     certificate for. -5. The CA gives you a certificate, signed by them. Which identifies your public +5. The CA gives you a certificate, signed by them, which identifies your public     key, and the resource you are authenticated for. +6. You configure your server to use that certificate, combined with your +   private key, to server traffic.  If you want to obtain a certificate from a typical commercial CA, here's how.  First, you'll need to generate a private key, we'll generate an RSA key (these @@ -45,8 +47,8 @@ are the most common types of keys on the web right now):  If you've already generated a key you can load it with  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`. -Next we need to generate a certificate signing request. A typical CSR contains a -few details: +Next we need to generate a certificate signing request. A typical CSR contains +a few details:  * Information about our public key (including a signature of the entire body).  * Information about who *we* are. | 
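Review bot: In the first hunk (@@ -11,13 +11,15 @@), the new step 6 has a typo: "to server traffic" should read "to serve traffic". The trailing context line "you'll need to generate a private key, we'll generate an RSA key" is a comma splice and could be split into two sentences while this list is being edited.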
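Review bot: In the second hunk (@@ -45,8 +47,8 @@), the unchanged context line above the rewrapped paragraph sends readers to load_pem_public_key to load an existing key, but the tutorial has just generated a private key and step 2 says the CSR is "signed by your key", which requires the private half. Since this paragraph is being touched anyway, consider pointing the reference at :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` instead; the rewrap itself changes no wording.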
