diff --git a/docs/README_spice_encryption.md b/docs/README_spice_encryption.md
index 4cf4429da13bd3abd87d077b830d1ef41d78947a..253761439281b069890393c94b51d3bd7a13fb08 100644
--- a/docs/README_spice_encryption.md
+++ b/docs/README_spice_encryption.md
@@ -65,9 +65,9 @@ hostname --fqdn
 
 Using both template files, `gen-cert.sh` creates in the specified directory:
 
-- CA public key: `ca-cert.pem`
-- Server private key: `server-key.pem` (root-only access)
-- Server public key: `server-cert.pem`
+- The CA master certificate: `ca-cert.pem`
+- The server certificate signed with ca-cert.pem: `server-cert.pem`
+- The server private key: `server-key.pem` (root-only access)
 
 This directory must be passed in argument to QEMU in order to use SPICE with TLS.
 The `ca-key.pem` key is sensitive and required to generate other certificates. Ideally, it whould be stored offline.
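Review bot: The new bullet "The server certificate signed with ca-cert.pem" names the wrong file. A certificate is signed with the CA private key, which the context line below identifies as `ca-key.pem`. `ca-cert.pem` is only what a client uses to verify that signature. Suggest "The server certificate, signed by the CA (`ca-key.pem`) and verifiable with `ca-cert.pem`: `server-cert.pem`", with the file name in backticks like the other bullets. While this paragraph is being touched, the unchanged line after the list still has the typo "whould" for "should".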
@@ -104,11 +104,7 @@ More information on how to do it here: `https://ubuntu.com/server/docs/security-
 ## Server side certificate usage
 
 On the server side, SPICE can be configured to either use a password or not when establishing the connection.
-In both cases, a directory containing the following files must be specified to QEMU:
-
-- Server private key: `server-key.pem`
-- Server public key: `server-cert.pem`
-- CA public key: `ca-cert.pem`
+In both cases, a directory containing these 3 files, `ca-cert.pem, server-cert.pem, server-key.pem`, must be specified to QEMU.
 
 ### SPICE without password
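Review bot: In the added sentence, the three file names sit inside a single code span (`ca-cert.pem, server-cert.pem, server-key.pem`), so they render as one literal string, commas included. Give each name its own backticks. Collapsing the list also drops the role of each file and, unlike the first hunk, no longer says which one is the private key. Either keep a short list or add a pointer back to the `gen-cert.sh` output list, where `server-key.pem` is marked as root-only access. Minor style point: "these 3 files" reads better as "these three files".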