diff --git a/.gitignore b/.gitignore
index 7f705cb07..b7ebd630e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ config/application.yml
config/secrets.yml
config/database.yml
/export
+/ca
## Environment normalisation:
/.bundle
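Review bot: `/ca` only ignores a CA directory at the repository root, while doc/certificate.md in this same commit places the CA tree under `shared/ca`, outside the checkout, so the new rule covers a layout the documentation does not describe. If the intent is to keep private key material out of the repository wherever an operator happens to create it, a name-based pattern is more robust than a single path, e.g. `*.key.pem` next to `/ca`. Whether a root-level `ca/` is actually produced by some other workflow is not visible from this hunk.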
diff --git a/README.md b/README.md
index bc2b9af13..24740e064 100644
--- a/README.md
+++ b/README.md
@@ -186,98 +186,10 @@ All registry demo data can be found at:
Initially you can use two type of users: admin users and EPP users.
-### CA
+### Certificates setup
-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+* [Certificates setup](/doc/certificates.md)
-Generate the root key (prompts for pass phrase):
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
-
-Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
-
-Make sure the following options are in place:
-```
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
-
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-# For the CA policy
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-```
-
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
-
-Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
-
-Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-```
-
-Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
-
-Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
-
-Private key and certificate must be packaged to pkcs12 and added to the browser.
-
-Make sure application configuration files contain correct paths to certificates.
-
-In test environment it's important to set unique_subject option to false.
-In CA directory:
-```
-echo "unique_subject = no" > index.txt.attr
-```
### EPP web client
diff --git a/config/application-example.yml b/config/application-example.yml
index 4ac8d0ddb..f5b0bf2ac 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -7,10 +7,15 @@ defaults: &defaults
# If you change this key, all old signed cookies will become invalid!
secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
devise_secret: please-change-it-you-can-generate-it-with-rake-secret
- ca_cert_path: ca-cert-path-here
- ca_key_path: ca-key-path-here
- ca_key_password: ca-key-pass-phrase-here
- crl_path: crl-path-here
+
+ # Used by registry admin server:
+ crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
+ ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
+ ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+ ca_key_password: 'your-root-key-password'
+
+ # Used by EPP server
+ webclient_ip: '54.154.91.240'
development:
<<: *defaults
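Review bot: The example config now ships a concrete public address as a default, `webclient_ip: '54.154.91.240'`, where the other entries in this hunk use obvious placeholders; a deployment that copies the file unchanged would apply that value to whatever host currently holds the address rather than the operator's own webclient. Use a placeholder in the same style as the neighbouring keys, `webclient_ip: 'webclient-ip-here'`, and extend the comment to say what the setting gates, since `# Used by EPP server` does not state that the value is checked against the connecting client (that appears to be its purpose from the name, worth confirming against the EPP code). The same literal address is written into doc/certificate.md by this commit. Separately, `ca_key_password` is now stored in clear text beside the key path; a comment such as `# Unlocks the CA signing key; keep this file readable only by the registry service user` would tell operators what the file's permissions must protect.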
diff --git a/doc/certificate.md b/doc/certificate.md
index d0a2f78cd..bf222a5e2 100644
--- a/doc/certificate.md
+++ b/doc/certificate.md
@@ -1,149 +1,173 @@
-Setting up certificates
------------------------
+Certificates setup
+------------------
-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+Guide to setup all registry/epp/repp, webclient and api user certificates.
-Generate the root key (prompts for pass phrase):
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
+There are three type of certificates:
+
+* root cert (one time action using command line)
+* webclient server cert (one time action using command line)
+* api user cert (multiple actions through admin interface)
+
+API users CSR are uploaded through registry admin interface for each API user.
+
+Private key and certificate must be packaged to pkcs12 and added to user browser.
+
+
+### Registry setup
Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
+
+ sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
+ sudo vi /etc/ssl/openssl.cnf
Make sure the following options are in place:
-```
-crl_extensions = crl_ext
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
+ [ CA_default ]
+ # Where everything is kept
+ dir = /home/registry/registry/shared/ca # around line nr 42
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
+ crl_extensions = crl_ext # around line nr 71
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
+ # For the CA policy
+ [ policy_match ]
+ countryName = optional # around line nr 85
+ stateOrProvinceName = optional # around line nr 86
+ organizationName = optional # around line nr 87
+ organizationalUnitName = optional # around line nr 88
+ commonName = supplied # around line nr 89
+ emailAddress = optional # around line nr 90
-# For the CA policy
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-```
+ [ usr_cert ]
+ # These extensions are added when 'ca' signs a request.
+ basicConstraints=CA:FALSE # around line nr 170
+ keyUsage = nonRepudiation, digitalSignature, keyEncipherment # around line nr 188
+ nsComment = "OpenSSL Generated Certificate" # around line nr 191
+ subjectKeyIdentifier=hash # around line nr 194
+ authorityKeyIdentifier=keyid,issuer # around line nr 195
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
+ [ v3_ca ]
+ # Extensions for a typical CA
+ subjectKeyIdentifier=hash # around line nr 232
+ authorityKeyIdentifier=keyid:always,issuer # around line nr 234
+ basicConstraints = CA:true # around line nr 240
+ keyUsage = cRLSign, keyCertSign # around line nr 245
-Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
+Setup CA directory in shared directory:
-Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-chmod 444 certs/webclient.crt.pem
-```
+ cd /home/registry/registry/shared
+ mkdir ca
+ cd ca
+ mkdir certs crl newcerts private csrs
+ chmod 700 private
+ touch index.txt
+ echo 1000 > serial
+ echo 1000 > crlnumber
+
+Generate the root key and remember your password, you need it later in application.yml:
+
+ openssl genrsa -aes256 -out private/ca.key.pem 4096
+
+Create root registry certificate (prompts for additional data and review days flag):
+
+ openssl req -new -x509 -days 3653 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+ chmod 444 certs/ca.crt.pem
+
+Create a webclient key and CSR for accepting webclient request:
+
+ openssl genrsa -out private/webclient.key.pem 4096
+ chmod 400 private/webclient.key.pem
+ openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem
+
+Sign CSR and create certificate:
+
+ openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3653 -out certs/webclient.crt.pem
+ chmod 444 certs/webclient.crt.pem
Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
-Configure EPP virtual host:
-```
-sudo nano /etc/apache2/sites-enabled/epp.conf
-```
+ openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
+
+Configure registry registry/shared/config/application.yml to match the CA settings:
+
+ ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
+ ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+ ca_key_password: 'your-root-key-password'
+ crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
+
+
+### Registry EPP setup
+
+Configure registry epp registry-epp/shared/config/application.yml:
+
+ webclient_ip: '54.154.91.240'
+
+Configure EPP port 700 virtual host:
+
+ sudo vi /etc/apache2/sites-enabled/epp.conf
Replace this line:
-```
-SSLVerifyClient optional_no_ca
-```
+
+ SSLVerifyClient optional_no_ca
With these lines:
-```
- SSLVerifyClient require
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
- SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
- # Uncomment this when upgrading to apache 2.4:
- # SSLCARevocationCheck chain
- RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-```
-Configure webclient virtual host:
-```
-sudo nano /etc/apache2/sites-enabled/webclient.conf
-```
-
-Add these lines:
-```
- SSLVerifyClient none
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
- SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
- # Uncomment this when upgrading to apache 2.4:
- # SSLCARevocationCheck chain
-
- RequestHeader set SSL_CLIENT_S_DN_CN ""
-
-
SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+ SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+ # Uncomment this when upgrading to apache 2.4:
+ # SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-
-```
Reload apache:
-```
-sudo a2enmod headers
-sudo /etc/init.d/apache2 restart
-```
-Configure registry and epp application.yml to match the CA settings:
-```
-ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
-ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
-ca_key_password: 'registryalpha'
-crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
-webclient_ip: '54.154.91.240'
-```
+ sudo a2enmod headers
+ sudo /etc/init.d/apache2 restart
-Configure webclient application.yml to match the CA settings:
-```
-cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
-key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
-```
+### Webclient setup
+
+Copy all registry/shared/ca directory to your webclient server if webclient is in different server,
+otherwise just point everything to your registry/shared/ca directory.
+
+Configure webclient/shared/config/application.yml to match the CA settings:
+
+ cert_path: '/home/webclient/webclient/shared/ca/certs/webclient.crt.pem'
+ key_path: '/home/webclient/webclient/shared/ca/private/webclient.key.pem'
+
+Configure webclient virtual host:
+
+ sudo vi /etc/apache2/sites-enabled/webclient.conf
+
+Add these lines:
+
+ SSLVerifyClient none
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/webclient/webclient/shared/ca/certs/ca.crt.pem
+ SSLCARevocationFile /home/webclient/webclient/shared/ca/crl/crl.pem
+ # Uncomment this when upgrading to apache 2.4:
+ # SSLCARevocationCheck chain
+
+ RequestHeader set SSL_CLIENT_S_DN_CN ""
+
+
+ SSLVerifyClient require
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+
+
+Reload apache:
+
+ sudo a2enmod headers
+ sudo /etc/init.d/apache2 restart
+
+
+Development env
+---------------
+
+In development environment it's convenient to set unique_subject option to false,
+thus you can generate quickly as many certs as you wish.
+
+In CA directory:
+
+ echo "unique_subject = no" > index.txt.attr