diff --git a/docs/v2.0-be/deploy/ssl.md b/docs/v2.0-be/deploy/ssl.md
index a787831..cbf2abb 100644
--- a/docs/v2.0-be/deploy/ssl.md
+++ b/docs/v2.0-be/deploy/ssl.md
@@ -6,6 +6,9 @@ By default, Portainer’s web interface and API is exposed over HTTP. This is no
To do so, you can use the --ssl, --sslcert and --sslkey flags. Portainer expects certificates in PEM format.
+!!! note
+ When using your own externally-issued certificate, ensure you include the full certificate chain (including any intermediate certificates) in the file you provide via `--sslcert`. Without this you may face certificate validation issues. Your certificate chain can be obtained from your certificate issuer or via the [What's My Chain Cert?](https://whatsmychaincert.com/) website.
+
To generate and use a self-signed certificate you can use the following command on your server:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt
diff --git a/docs/v2.0/deploy/ssl.md b/docs/v2.0/deploy/ssl.md
index 1593c42..dc3fc17 100644
--- a/docs/v2.0/deploy/ssl.md
+++ b/docs/v2.0/deploy/ssl.md
@@ -6,6 +6,9 @@ By default, Portainer’s web interface and API is exposed over HTTP. This is no
To do so, you can use the --ssl, --sslcert and --sslkey flags. Portainer expects certificates in PEM format.
+!!! note
+ When using your own externally-issued certificate, ensure you include the full certificate chain (including any intermediate certificates) in the file you provide via `--sslcert`. Without this you may face certificate validation issues. Your certificate chain can be obtained from your certificate issuer or via the [What's My Chain Cert?](https://whatsmychaincert.com/) website.
+
To generate and use a self-signed certificate you can use the following command on your server:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout ~/local-certs/portainer.key -out ~/local-certs/portainer.crt