elastic · lcawl · Jan 22, 2020 · Jan 20, 2020
diff --git a/docs/user/security/securing-communications/index.asciidoc b/docs/user/security/securing-communications/index.asciidoc
@@ -4,8 +4,9 @@
 <titleabbrev>Encrypting communications</titleabbrev>
 ++++
 
-{kib} supports Transport Layer Security (TLS/SSL) encryption for all forms of data-in-transit. Browsers send traffic to {kib} and {kib}
-sends traffic to {es}. These communications are configured separately.
+{kib} supports Transport Layer Security (TLS/SSL) encryption for all forms of
+data-in-transit. Browsers send traffic to {kib} and {kib} sends traffic to {es}.
+These communications are configured separately.
 
 [[configuring-tls-browser-kib]]
 ==== Encrypting traffic between the browser and {kib}
@@ -78,15 +79,18 @@ NOTE: To perform this step, you must
 {ref}/configuring-security.html[enable the {es} {security-features}] or you 
 must have a proxy that provides an HTTPS endpoint for {es}. 
 
-. Specify the HTTPS URL in the `elasticsearch.hosts` setting in the {kib} configuration file, `kibana.yml`:
+. Specify the HTTPS URL in the `elasticsearch.hosts` setting in the {kib}
+configuration file, `kibana.yml`:
 +
 --
 [source,yaml]
 --------------------------------------------------------------------------------
 elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]
 --------------------------------------------------------------------------------
 
-Using the HTTPS protocol results in a default `elasticsearch.ssl.verificationMode` option of `full`, which utilizes hostname verification.
+Using the HTTPS protocol results in a default
+`elasticsearch.ssl.verificationMode` option of `full`, which utilizes hostname
+verification.
 
 For more information, see <<settings,{kib} configuration settings>>. 
 --
@@ -95,24 +99,32 @@ For more information, see <<settings,{kib} configuration settings>>.
 +
 --
 
-If you are using your own CA to sign certificates for {es}, then you need to specify the CA certificate chain in {kib} to properly establish
-trust in TLS connections. If your CA certificate chain is contained in a PKCS #12 trust store, specify it like so:
+If you are using your own CA to sign certificates for {es}, then you need to
+specify the CA certificate chain in {kib} to properly establish trust in TLS
+connections. If your CA certificate chain is contained in a PKCS #12 trust store,
+specify it like so:
 
 [source,yaml]
 --------------------------------------------------------------------------------
 elasticsearch.ssl.truststore.path: "/path/to/your/truststore.p12"
 elasticsearch.ssl.truststore.password: "optional decryption password"
 --------------------------------------------------------------------------------
 
-Otherwise, if your CA certificate chain is in PEM format, specify each certificate like so:
+Otherwise, if your CA certificate chain is in PEM format, specify each
+certificate like so:
 
 [source,yaml]
 --------------------------------------------------------------------------------
 elasticsearch.ssl.certificateAuthorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]
 --------------------------------------------------------------------------------
 
+TIP: You can use the {ref}/certutil.html[`elasticsearch-certutil http` command]
+to generate a PEM format x.509 certificate for the {es} CA. It also provides
+detailed configuration details in readme files.
+
 --
 
-. (Optional) If the Elastic {monitor-features} are enabled, configure {kib} to connect to the {es} monitoring cluster via HTTPS. The steps
-are the same as above, but each setting is prefixed by `xpack.monitoring.`. For example, `xpack.monitoring.elasticsearch.hosts`,
+. (Optional) If the Elastic {monitor-features} are enabled, configure {kib} to
+connect to the {es} monitoring cluster via HTTPS. The steps are the same as
+above, but each setting is prefixed by `xpack.monitoring.`. For example, `xpack.monitoring.elasticsearch.hosts`,
 `xpack.monitoring.elasticsearch.ssl.truststore.path`, etc.