X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman%2Fca.pod;h=93baab13ab60a7b574f9dddce9f430bd85e6df7b;hp=f1b7882f71df30ec28c79bd630c79fa5f30aa564;hb=53b1899e3cc0ef640643d52599ed94e6d89b20e1;hpb=174a4a8c899fcb7f553e56c095613f47fde5dc43

diff --git a/doc/man/ca.pod b/doc/man/ca.pod
index f1b7882f71..93baab13ab 100644
--- a/doc/man/ca.pod
+++ b/doc/man/ca.pod
@@ -130,7 +130,7 @@ for more information.
 
 =item B<-msie_hack>
 
-this is a legacy option for compatability with very old versions of
+this is a legacy option to make B<ca> work with very old versions of
 the IE certificate enrollment control "certenr3". It used UniversalStrings
 for almost everything. Since the old control has various security bugs
 its use is strongly discouraged. The newer control "Xenroll" does not
@@ -138,9 +138,11 @@ need this option.
 
 =item B<-preserveDN>
 
-this option is also for compatability with the older IE enrollment
-control. It only accepts certificates if their DNs match the
-order of the request. This is not needed for Xenroll.
+Normally the DN order of a certificate is the same as the order of the
+fields in the relevant policy section. When this option is set the order 
+is the same as the request. This is largely for compatability with the
+older IE enrollment control which would only accept certificates if their
+DNs match the order of the request. This is not needed for Xenroll.
 
 =item B<-batch>