diff --git a/website/source/docs/secrets/pki/index.html.md b/website/source/docs/secrets/pki/index.html.md index f0f9d13d8c..656a42281d 100644 --- a/website/source/docs/secrets/pki/index.html.md +++ b/website/source/docs/secrets/pki/index.html.md @@ -106,19 +106,6 @@ servers manually using the `config/urls` endpoint. It is supported to have more than one of each of these by passing in the multiple URLs as a comma-separated string parameter. -### No OCSP support, yet - -Vault's architecture does not currently allow for a binary protocol such as -OCSP to be supported by a backend. As such, you should configure your software -to use CRLs for revocation information, with a caching lifetime that feels good -to you. Since you are following the advice above about keeping lifetimes short -(right?), CRLs should not grow too large, however, you can configure alternate -CRL and/or OCSP servers using `config/urls` if you wish. - -If you are using issued certificates for client authentication to Vault, note -that as of 0.4, the `cert` authentication endpoint supports being pushed CRLs, -but it cannot read CRLs directly from this backend. - ### Safe Minimums Since its inception, this backend has enforced SHA256 for signature hashes @@ -1142,6 +1129,16 @@ subpath for interactive help output. `ec` keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for `ec`. +
  • + key_usage + optional + This sets the allowed key usage constraint on issued certificates. This + is a comma-separated string; valid values can be found at + https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the + `KeyUsage` part of the value. Values are not case-sensitive. To specify + no key usage constraints, set this to an empty string. Defaults to + `DigitalSignature,KeyAgreement,KeyEncipherment`. +
  • use_csr_common_name optional
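Review bot: In the first hunk, deleting the whole "No OCSP support, yet" section also drops the only statement that the `cert` auth endpoint accepts pushed CRLs but cannot read CRLs directly from this backend; if that limitation still holds, that sentence should be relocated (for example next to the `config/urls` paragraph that survives at the top of the hunk) rather than removed, and if the limitation has been lifted the hunk should say so, since the remaining `config/urls` text still invites operators to configure alternate CRL/OCSP URLs without telling them whether Vault itself answers OCSP.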
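Review bot: The new `key_usage` entry in the second hunk does not say how an unrecognized value is handled (rejected when the role is written, or silently dropped from the issued certificate), and "set this to an empty string" should state whether that omits the KeyUsage extension entirely or emits an empty one; both matter to anyone auditing issued certificates, so add a sentence for each, and consider spelling out that the listed default `DigitalSignature,KeyAgreement,KeyEncipherment` corresponds to the Go constants `KeyUsageDigitalSignature`, `KeyUsageKeyAgreement`, `KeyUsageKeyEncipherment` with the prefix removed, as the "simply drop the `KeyUsage` part" instruction describes.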