diff --git a/docs/deployment.md b/docs/deployment.md index ac3e6d9..b49d2c6 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -76,10 +76,10 @@ proxying](https://en.wikipedia.org/wiki/Reverse_proxy). Two bits of rationale: -1) People usually want to have more than one site on their server. Put differently, we could +1. People usually want to have more than one site on their server. Put differently, we could have [LetsEncrypt](https://letsencrypt.org/) inside the go-ssb-room server but it would have to -listen on port :443—blocking the use of other domains on the same IP. 2) Listening on :443 can -be pretty annoying (you might need root privileges or similar capabilities). +listen on port :443—blocking the use of other domains on the same IP. +2. Listening on :443 can be pretty annoying (you might need root privileges or similar capabilities). go-ssb-room needs three headers to function properly, which need to be forwarded by the webserver. @@ -95,6 +95,22 @@ follow the steps in [this article](https://medium.com/@alitou/getting-a-wildcard-ssl-certificate-using-certbot-and-deploy-on-nginx-15b8ffa34157), which uses the [certbot](https://certbot.eff.org/) utility. +For example, to get a wildcard SSL certificate for `hermies.club`, we typically run + +``` +certbot certonly --manual --server https://acme-v02.api.letsencrypt.org/directory \ + --preferred-challenges dns-01 \ + -d 'hermies.club' -d '*.hermies.club' +``` + +(Replace `hermies.club` with your room's domain, of course) + +`certbot` will tell you to update TXT DNS records with the key `_acme-challenge.hermies.club` but be +carefully with your DNS provider because you may have to input just `_acme-challenge` since the rest +is often added automatically by your provider. + +When the process is complete with `certbot`, restart your server, e.g. `systemctl restart nginx`. + ## Enable TCP ports For your room to fully work the following **TCP** ports need to be allowed: 
@@ -134,3 +150,4 @@ example (with custom repo location, only needed if you setup your with a custom ``` You can now login in the web-front-end using these credentials +
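Review bot: In the certbot hunk (`@@ -95,6 +95,22 @@`), `certbot certonly --manual` with `--preferred-challenges dns-01` cannot be renewed non-interactively unless `--manual-auth-hook` and `--manual-cleanup-hook` scripts for the DNS provider are supplied, so a reader who copies this command gets a wildcard certificate that lapses after its validity period with no automatic renewal; add a sentence about renewal (hooks for the DNS provider, or re-running the command before expiry). Also "be carefully with your DNS provider" should read "be careful with your DNS provider", the parenthetical "(Replace `hermies.club` with your room's domain, of course)" needs a closing period, and the new fence could be tagged ```sh to match the other shell examples; `systemctl reload nginx` is enough to pick up the new certificate and avoids dropping connections.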
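Review bot: The last hunk (`@@ -134,3 +150,4 @@`) only appends an empty line after "You can now login in the web-front-end using these credentials"; if the intent is to end the file with a newline, that should be a single terminating newline rather than an extra blank line, otherwise drop the change. While touching this line, "login in the web-front-end" reads better as "log in to the web front-end".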