From d41ab85a48b0a782320000960ddb01806d348b5a Mon Sep 17 00:00:00 2001 From: Dino8890 Date: Sat, 10 May 2025 15:42:04 +0200 Subject: [PATCH] Improved documentation for signing/encryption keys. --- docs/howto/config.rst | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/howto/config.rst b/docs/howto/config.rst index b3e3cb5e1..09bd3d03f 100644 --- a/docs/howto/config.rst +++ b/docs/howto/config.rst @@ -292,8 +292,8 @@ Example:: key_file: "key.pem" *key_file* is the name of a PEM formatted file that contains the private key -of the service. This is currently used both to encrypt/sign assertions and as -the client key in an HTTPS session. +of the service. This is currently used both to sign assertions and as +the client key in an HTTPS (mutual TLS) session. cert_file ^^^^^^^^^ @@ -324,7 +324,14 @@ Example:: encryption_keypairs ^^^^^^^^^^^^^^^^^^^ -Indicates which certificates will be used for encryption capabilities:: +A list of dictionaries, each containing paths to the private and public keys +used for encryption. The *key_file* refers to the PEM-formatted file that +contains the private key for the service, while the *cert_file* refers to the +corresponding public key (certificate) from the service's key pair. Both files +must be in PEM format, and the *cert_file* should contain only a single +certificate. + +Example:: # Encryption 'encryption_keypairs': [
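Review bot: In the first hunk, dropping "encrypt" from the *key_file* description leaves the reader with no pointer to where the decryption key is now configured; since the same patch introduces the *encryption_keypairs* section, add a cross-reference such as "For the keys used to decrypt assertions, see *encryption_keypairs* below." Otherwise someone upgrading from a setup that relied on *key_file* for both roles will not learn from this section that a separate setting is expected. The added "(mutual TLS)" qualifier is a good clarification, since a client key is only meaningful when the server requests client authentication.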
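Review bot: In the second hunk, "paths to the private and public keys used for encryption" blurs the two roles: the *cert_file* is what peers use to encrypt to the service (it is the key material published in metadata), while the *key_file* private key is what the service uses to decrypt what it receives. Suggest "each containing the private key the service uses to decrypt assertions and the certificate peers use to encrypt them" so a reader does not expect the private key to be needed for outbound encryption. Also, "PEM-formatted" in the first sentence and "Both files must be in PEM format" two sentences later say the same thing; keep one. The "only a single certificate" requirement is useful and worth keeping as is, since a chain in *cert_file* would change which key peers encrypt to.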