diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index 59ccd1089..4d1095de4 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -152,7 +152,7 @@ class Certificate < ActiveRecord::Base
 end
 def reload_apache
- `/etc/init.d/apache2 reload`
+ `sudo /etc/init.d/apache2 reload`
 end
 end
 end
diff --git a/config/application-example.yml b/config/application-example.yml
index 22760ee47..e2d7db61d 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -13,7 +13,7 @@ devise_secret: 'please-change-it-you-can-generate-it-with-rake-secret'
 # Admin server configuration:
 openssl_config_path: '/etc/ssl/openssl.cnf'
-crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
+crl_dir: '/home/registry/registry/shared/ca/crl'
 ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'your-root-key-password'
diff --git a/doc/certificates.md b/doc/certificates.md
index c5c58463e..d5297da26 100644
--- a/doc/certificates.md
+++ b/doc/certificates.md
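Review bot: In `reload_apache` (app/models/certificate.rb) the backtick call discards the command's output and exit status, so now that it runs through sudo, a missing or mismatched sudoers entry makes the reload fail without any trace, or wait on a password prompt where a terminal is attached. Run it non-interactively and check the result, e.g. `ok = system('sudo', '-n', '/etc/init.d/apache2', 'reload')` followed by `Rails.logger.error('apache2 reload failed') unless ok`. Judging by the documentation removed in this commit, the reload is what makes Apache pick up the refreshed revocation list, so a silent failure would presumably leave revoked client certificates accepted. The same commit deletes the "Apache reload without password" section of doc/certificates.md, the only visible description of the sudoers rule this line now depends on. Keep that section and scope the rule to the exact command `/etc/init.d/apache2 reload` for the application user; the removed example also grants `ALL`. The enclosing class begins outside the hunk.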
@@ -207,32 +207,26 @@ Cleanup: rm Juur-SK.pem.crt EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2007.pem.crt ESTEID-SK_2011.pem.crt -From registry's bin directory, copy update-crl script to somewhere else (so it won't get overwritten during deploys). Configure `CRL_PATH` in the script. +Make sure you have this line in application.yml: - sudo ./update-crl + crl_dir: '/home/registry/registry/shared/ca/crl' -Edit root's crontab: +In rails console: - sudo crontab -e + Certificate.update_crl -Add: +Update whenever: - 00 01,13 * * * path-to-your-script + +Configure apache: -Apache reload without password ------------------------------- - -Registrant and Registrar both should be able to reload Apache without password in order -to refresh certificate deprication list for PKI and ID card. - -Example /etc/sudoers.d/apache2-no-password - - username ALL=(ALL:ALL) ALL, NOPASSWD:/etc/init.d/apache2 - -If this file is not preset, please create it with 'visudo'. All other edits should be done -alse with 'visudo' - + + SSLVerifyClient require + Options Indexes FollowSymLinks MultiViews + SSLVerifyDepth 2 + SSLOptions +StdEnvVars +ExportCertData + Development env ---------------