-However, in order for users to become authenticated, the server must
-determine that the user IDs on their keys have "full" validity. This
-means that the server must fully trust at least one person whose
-signature on the connecting user's key would validate the relevant
-user ID. The individuals trusted to identify users like this are
-known in the Monkeysphere as "Identity Certifiers". In a simple
-scenario, the host's administrator would be trusted identity certifer.
-If the admin's OpenPGP keyid is `$GPGID`, then on the server run:
+The server will use the Monkeysphere to look up matching OpenPGP
+certificates, validate them, and generate an `authorized_keys` file.
+
+To validate the OpenPGP certificates, the server needs to know who it
+can trust to correctly identify users. The individuals trusted to
+identify users like this are known in the Monkeysphere as "Identity
+Certifiers". One obvious choice is to trust *you*, the administrator,
+to be an Identity Certifier. If your OpenPGP keyid is `$GPGID`, then
+run the following command on the server:
+
+ # monkeysphere-authentication add-identity-certifier $GPGID
+
+You'll probably only set up Identity Certifiers when you set up the
+machine. After that, you'll only need to add or remove Identity
+Certifiers when the roster of admins on the machine changes, or when
+one of the admins switches OpenPGP keys.
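Review bot: The rewritten paragraph beginning "To validate the OpenPGP certificates" drops the removed text's statement that a user ID must reach "full" validity through a signature from a fully trusted certifier, so the reader no longer learns what criterion the server actually applies; I'd keep one sentence saying that. In "If your OpenPGP keyid is `$GPGID`", it would also help to say that `$GPGID` should be the full fingerprint rather than a short key ID, since this key becomes the trust root for user authentication on the host and short IDs can collide. The closing paragraph says certifiers change "when one of the admins switches OpenPGP keys"; consider stating explicitly that the old key should be removed as a certifier at that point, not just the new one added.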