diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 76cc2bdc..9e50cf84 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -885,8 +885,8 @@ and they will send you the server certificate.
 Note that it is recommended to leave detailed personal information out of the certificate as it is sent in clear during TLS authentication. The following process generates a certificate and converts it to PKCS #12 that is protected
-by a PIN and most clients are able to import (the cipher arcfour is used in
-the example because although weak, it is supported by far more devices than
+by a PIN and most clients are able to import (the 3DES cipher is used in
+the example because it is supported by far more devices than
 AES).
 @example
@@ -894,7 +894,7 @@ $ certtool --generate-privkey --outfile user-key.pem
 $ cat << _EOF_ >user.tmpl
 cn = "user"
 unit = "admins"
-expiration_days = 9999
+expiration_days = 365
 signing_key
 tls_www_client
 _EOF_
@@ -910,10 +910,11 @@ $ certtool --to-p12 --load-privkey user-key.pem \
 @end example
 @subheading Revoking a client certificate
-To revoke the previous client certificate use:
+To revoke the previous client certificate, i.e., preventing the user from
+accessing the VPN resources prior to its certificate expiration, use:
 @example
 $ cat << _EOF_ >crl.tmpl
-crl_next_update = 9999
+crl_next_update = 365
 crl_number = 1
 _EOF_
 $ cat user-cert.pem >>revoked.pem
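Review bot: The reworded parenthetical still presents 3DES only as a compatibility choice and gives the reader no cue about when AES should be preferred, even though this example is what operators will copy verbatim. 3DES is deprecated for new use and current clients generally import AES-protected PKCS #12 files, so I would add after `AES).`: `Prefer an AES cipher for the PKCS #12 file unless a client is known to fail importing it; 3DES is retained here for legacy interoperability only.` The certtool --to-p12 invocation that actually selects the cipher lies outside this hunk, so its cipher option should be checked to match the cipher the text now names.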
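Review bot: `crl_next_update = 365` makes the published CRL stale after a year, but the surrounding text does not say that the CRL has to be regenerated and redeployed before then; a verifier that enforces the CRL nextUpdate field may then treat the revocation list as invalid rather than as still revoking the certificate. I would add after the template: `The CRL must be regenerated, with an incremented crl_number, before crl_next_update elapses; otherwise the revocation information becomes stale.` The same caveat applies to `expiration_days = 365` in the client template hunk above, where a sentence noting that client certificates now need yearly reissue would help operators plan for it.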