diff --git a/tls_docs/ca/certificate_signing.md b/tls_docs/ca/certificate_signing.md index df86083..e9ec17e 100644 --- a/tls_docs/ca/certificate_signing.md +++ b/tls_docs/ca/certificate_signing.md @@ -1,6 +1,6 @@ # Signing certificates for users and servers -Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Inspect the CSR` section. ***THE CSR MUST BE VERIFIED PRIOR TO SIGNING THE CERTIFICATE***. +Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Inspect the CSR` section. ***IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING EVEN THOUGH THE CERTIFICATE CAN BE INSPECTED BEFORE SIGNING***. ### Generate the key (the -aes256 can be omitted to not require a password) ``` 
@@ -35,22 +35,22 @@ openssl req -new -sha256 \ -out domain.csr # provide this to the CA for signing ``` -### Inspect the CSR +### Verify the CSR + ``` -openssl req -in csr/siging-request.csr -noout -text +openssl req -in csr/server.csr -noout -text ``` ### Sign the certificate ``` -openssl x509 -req -in csr/server.csr -CA certs/intermediate-ca.crt -CAkey private/intermediate-ca.key -CAcreateserial -out certs/server.crt -days 370 -copy_extensions copy +openssl ca -config intermediate.cnf -extensions server_cert -days <#-of-days> -notext -md sha256 -in csr/server.csr -out certs/server.crt + ``` -The *-CAcreateserial* will create a serial file to track each created certificate. The *-copy_extensions copy* option will copy the SANs that were specified in the CSR. Some applications require the use of a SAN over the Common Name (CN) - +The certificate to be signed will be sent to stdout after providing the password, which can be inspected to ensure it is correct. Select y to sign it and y again to add to the index database ### Verify the certificate and trust chain ``` -openssl x509 -noout -text -in certs/server.crt openssl verify -CAfile certs/ca-bundle.crt certs/server.crt ``` The `verify` command should return OK, verifying the trust chain. diff --git a/tls_docs/ca/intermediate.cnf b/tls_docs/ca/intermediate.cnf index 0d7b2d6..335ed9b 100644 --- a/tls_docs/ca/intermediate.cnf +++ b/tls_docs/ca/intermediate.cnf @@ -27,6 +27,7 @@ cert_opt = ca_default default_days = 375 preserve = no policy = policy_loose +copy_extensions = copy [ policy_strict ]
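Review bot: the first hunk of `certificate_signing.md` weakens a hard requirement and leaves a stale cross-reference. The old text said `***THE CSR MUST BE VERIFIED PRIOR TO SIGNING THE CERTIFICATE***`; the replacement ("IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING EVEN THOUGH THE CERTIFICATE CAN BE INSPECTED BEFORE SIGNING") reads as though the pre-commit display from `openssl ca` is an acceptable substitute, which it is not once `copy_extensions = copy` is in effect: whatever the requester put in the CSR (SANs, key usage, basicConstraints) is what ends up in the certificate unless the `server_cert` section already sets it, so the CSR, and not only the certificate dump, must be checked against what the requester is authorised to hold. Suggest keeping the MUST wording and stating why (extensions are copied from the request). The same paragraph still says "skip to the `Inspect the CSR` section" while the second hunk renames that heading to "Verify the CSR"; update the reference. The pre-existing typo "can for servers/user can be provided" is carried over unchanged into the `+` line and should be fixed while this paragraph is being touched.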
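Review bot: the second hunk drops documentation that the reader still needs and removes the only post-signing inspection step. The removed sentence "The *-copy_extensions copy* option will copy the SANs that were specified in the CSR. Some applications require the use of a SAN over the Common Name (CN)" is still true under the new command, since the behaviour has merely moved into `intermediate.cnf`; keep a sentence saying that CSR extensions are copied because of `copy_extensions = copy` in the config, and keep the SAN-over-CN note. `-days <#-of-days>` replaces a concrete value with a placeholder that is never explained; either document what to fill in or omit `-days` and note that `default_days = 375` from the config applies. Removing `openssl x509 -noout -text -in certs/server.crt` from "Verify the certificate and trust chain" leaves no way to inspect the issued certificate: the text shown by `openssl ca` is displayed before signing, and `-notext` means the `.crt` file contains no human-readable dump, so the `x509 -text` command should stay. Minor: the stray `+` blank line inside the fenced block after the `openssl ca` command and the extra blank line under `### Verify the CSR` are inconsistent with the rest of the file, and the prompt description "Select y to sign it and y again to add to the index database" would be clearer if it named the two prompts (sign the certificate, then commit).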
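Review bot: the `intermediate.cnf` hunk adds `copy_extensions = copy` with no comment explaining its effect, and that effect is the security-relevant part of this change. With `copy`, any extension present in the CSR and not already present in the certificate is copied in, so the `server_cert` section named by `-extensions` wins on conflicts, but anything the section does not set is taken from the request as-is. Add an inline comment above the line stating this and that CSRs must therefore be verified before signing, and make sure the `server_cert` section explicitly sets `basicConstraints`, `keyUsage` and `extendedKeyUsage` so those cannot be supplied by the requester. Do not change this to `copyall`, which lets request extensions replace the config's values.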