diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 17e662b562a68ad5cf09b4877063eecc36a6e77b..fef670df547d172480d0c4d8b6debcc7cbf3312c 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -834,6 +834,18 @@ The role implements the following:
 * Sets-up the Debian backports repository and pins the ``lua-ldap``
   package to it (needed for Lua 5.2 support with Prosody 0.11).
 * Deploys XMPP TLS private key and certificate.
+
+  .. warning::
+     The issued certificate must have multiple FQDNs listed as subject
+     alternative names (DNS names) for each configured domain:
+
+     - domain itself
+     - ``conference.DOMAIN``
+     - ``proxy.DOMAIN``
+
+     A daily cron job is run to validate that all certificates have
+     been configured and issued correctly.
+
 * Installs Prosody.
 * Configures Prosody.
 * Configures firewall to allow incoming connections to the XMPP server.