diff --git a/doc/sample.config b/doc/sample.config
index 3eca96d2..95de86c3 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -115,7 +115,7 @@ run-as-group = daemon
 socket-file = /var/run/ocserv-socket
 # The default server directory. Does not require any devices present.
-#chroot-dir = /path/to/chroot
+#chroot-dir = /var/lib/ocserv
 # The key and the certificates of the server
 # The key may be a file, or any URL supported by GnuTLS (e.g.,
@@ -127,23 +127,25 @@ socket-file = /var/run/ocserv-socket
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
 # The certificate files will be reloaded when changed allowing for in-place
-# certificate renewal (if both keys and certs change send the SIGHUP
-# signal to the main server).
+# certificate renewal (they are checked and reloaded periodically;
+# a SIGHUP signal to main server will force reload).
+#server-cert = /etc/ocserv/server-cert.pem
+#server-key = /etc/ocserv/server-key.pem
 server-cert = ../tests/certs/server-cert.pem
 server-key = ../tests/certs/server-key.pem
-# Diffie-Hellman parameters. Only needed if you require support
-# for the DHE ciphersuites (by default this server supports ECDHE).
+# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
+# versions of GnuTLS for supporting DHE ciphersuites.
 # Can be generated using:
-# certtool --generate-dh-params --outfile /path/to/dh.pem
-#dh-params = /path/to/dh.pem
+# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
+#dh-params = /etc/ocserv/dh.pem
 # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only, and is the
 # storage root key.
-#pin-file = /path/to/pin.txt
-#srk-pin-file = /path/to/srkpin.txt
+#pin-file = /etc/ocserv/pin.txt
+#srk-pin-file = /etc/ocserv/srkpin.txt
 # The password or PIN needed to unlock the key in server-key file.
 # Only needed if the file is encrypted or a PKCS #11 object. This
@@ -157,6 +159,7 @@ server-key = ../tests/certs/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
+#ca-cert = /etc/ocserv/ca.pem
 ca-cert = ../tests/certs/ca.pem
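Review bot: The rewritten Diffie-Hellman comment in the -127 hunk is ungrammatical and leaves its parenthesis unclosed (`Only needed if for old (pre 3.6.0`); suggested wording is `# Diffie-Hellman parameters. Only needed for old (pre 3.6.0)` followed by `# versions of GnuTLS to support DHE ciphersuites.`. The reload sentence in the same hunk reads better as `# a SIGHUP signal to the main server will force a reload).`. The new commented `#server-cert`/`#server-key` examples sit directly above the still-active `../tests/certs/` lines, and the file itself states that multiple server-cert/server-key directives are honoured, so a user who uncomments the `/etc/ocserv` example without removing the test lines would be serving the test certificate as well; a one-line comment such as `# Replace the test certificate lines below with your own` above them would make that explicit. The same layout appears in the -157 hunk for `#ca-cert` above the active test `ca-cert` line, where which of two `ca-cert` lines would take effect is not stated anywhere in the hunk.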
@@ -249,7 +252,7 @@ try-mtu-discovery = false
 # You can update this response periodically using:
 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
 # Make sure that you replace the following file in an atomic way.
-#ocsp-response = /path/to/ocsp.der
+#ocsp-response = /etc/ocserv/ocsp.der
 # The object identifier that will be used to read the user ID in the client
 # certificate. The object identifier should be part of the certificate's DN
@@ -268,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 # See the manual to generate an empty CRL initially. The CRL will be reloaded
 # periodically when ocserv detects a change in the file. To force a reload use
 # SIGHUP.
-#crl = /path/to/crl.pem
+#crl = /etc/ocserv/crl.pem
 # Uncomment this to enable compression negotiation (LZS, LZ4).
 #compression = true