diff --git a/README.md b/README.md
index bc2b9af13..24740e064 100644
--- a/README.md
+++ b/README.md
@@ -186,98 +186,10 @@ All registry demo data can be found at:
 
 Initially you can use two type of users: admin users and EPP users.
 
-### CA
+### Certificates setup
 
-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+* [Certificates setup](/doc/certificates.md)
 
-Generate the root key (prompts for pass phrase): 
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
-
-Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
-
-Make sure the following options are in place:
-```
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
-
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-# For the CA policy
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-```
-
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
-
-Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
-
-Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-```
-
-Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
-
-Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
-
-Private key and certificate must be packaged to pkcs12 and added to the browser.
-
-Make sure application configuration files contain correct paths to certificates.
-
-In test environment it's important to set unique_subject option to false.  
-In CA directory:
-```
-echo "unique_subject = no" > index.txt.attr
-```
 
 ### EPP web client
 
diff --git a/doc/certificate.md b/doc/certificate.md
index d0a2f78cd..c1131ed61 100644
--- a/doc/certificate.md
+++ b/doc/certificate.md
@@ -1,149 +1,151 @@
-Setting up certificates
------------------------
+Certificates setup
+------------------
 
-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+Certificates for API Users are generated via registnry admin user interface. 
+CSR must be uploaded for each API User.
+
+Private key and certificate must be packaged to pkcs12 and added to user browser.
+
+
+### Registry setup
+
+Setup CA directory tree:
+
+    cd /home/registry/registry/shared
+    mkdir ca
+    cd ca
+    mkdir certs crl newcerts private csrs
+    chmod 700 private
+    touch index.txt
+    echo 1000 > serial
+    echo 1000 > crlnumber
 
 Generate the root key (prompts for pass phrase): 
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
+
+    openssl genrsa -aes256 -out private/ca.key.pem 4096
 
 Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
+
+    sudo su -
+    cd /etc/ssl/
+    cp openssl.cnf openssl.cnf.bak
+    nano openssl.cnf
+    exit
 
 Make sure the following options are in place:
-```
-crl_extensions = crl_ext
 
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
+    crl_extensions = crl_ext
 
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
+    [ CA_default ]
+    # Where everything is kept
+    dir = /home/registry/registry/shared/ca
 
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
+    [ usr_cert ]
+    # These extensions are added when 'ca' signs a request.
+    basicConstraints=CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    nsComment = "OpenSSL Generated Certificate"
+    subjectKeyIdentifier=hash
+    authorityKeyIdentifier=keyid,issuer
 
-# For the CA policy
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-```
+    [ v3_ca ]
+    # Extensions for a typical CA
+    subjectKeyIdentifier=hash
+    authorityKeyIdentifier=keyid:always,issuer
+    basicConstraints = CA:true
+    keyUsage = cRLSign, keyCertSign
+
+    # For the CA policy
+    [ policy_match ]
+    countryName             = optional
+    stateOrProvinceName     = optional
+    organizationName        = optional
+    organizationalUnitName  = optional
+    commonName              = supplied
+    emailAddress            = optional
 
 Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
+
+    openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+    chmod 444 certs/ca.crt.pem
 
 Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
+
+    openssl genrsa -out private/webclient.key.pem 4096
+    chmod 400 private/webclient.key.pem
+    openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
 
 Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-chmod 444 certs/webclient.crt.pem
-```
+
+    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+    chmod 444 certs/webclient.crt.pem
 
 Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
+
+    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
 
 Configure EPP virtual host:
-```
-sudo nano /etc/apache2/sites-enabled/epp.conf
-```
+
+    sudo nano /etc/apache2/sites-enabled/epp.conf
 
 Replace this line:
-```
-SSLVerifyClient optional_no_ca
-```
+
+    SSLVerifyClient optional_no_ca
 
 With these lines:
-```
-  SSLVerifyClient require
-  SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
-  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
-  # Uncomment this when upgrading to apache 2.4:
-  # SSLCARevocationCheck chain
-  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-```
+
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+    SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+    # Uncomment this when upgrading to apache 2.4:
+    # SSLCARevocationCheck chain
+    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 
 Configure webclient virtual host:
-```
-sudo nano /etc/apache2/sites-enabled/webclient.conf
-```
+
+    sudo nano /etc/apache2/sites-enabled/webclient.conf
 
 Add these lines:
-```
-  SSLVerifyClient none
-  SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
-  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
-  # Uncomment this when upgrading to apache 2.4:
-  # SSLCARevocationCheck chain
 
-  RequestHeader set SSL_CLIENT_S_DN_CN ""
+    SSLVerifyClient none
+    SSLVerifyDepth 1
+    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+    SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+    # Uncomment this when upgrading to apache 2.4:
+    # SSLCARevocationCheck chain
 
-  <Location /sessions/pki>
-    SSLVerifyClient require
-    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-  </Location> 
-```
+    RequestHeader set SSL_CLIENT_S_DN_CN ""
+
+    <Location /sessions/pki>
+      SSLVerifyClient require
+      RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+    </Location> 
 
 Reload apache:
-```
-sudo a2enmod headers
-sudo /etc/init.d/apache2 restart
-```
+
+    sudo a2enmod headers
+    sudo /etc/init.d/apache2 restart
 
 Configure registry and epp application.yml to match the CA settings:
-```
-ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
-ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
-ca_key_password: 'registryalpha'
-crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
-webclient_ip: '54.154.91.240'
-```
+
+    ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
+    ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+    ca_key_password: 'registryalpha'
+    crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
+    webclient_ip: '54.154.91.240'
 
 Configure webclient application.yml to match the CA settings:
-```
-cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
-key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
-```
 
+    cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
+    key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
+
+Development env
+---------------
+
+In development environment it's convenient to set unique_subject option to false,
+thus you can generate quickly as many certs as you wish.
+
+In CA directory:
+
+    echo "unique_subject = no" > index.txt.attr