update instructions
badra001 committed Jun 30, 2023
1 parent 586804e commit bf8d01d
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions examples/full-cluster-tf-upgrade/1.24/common-services/cert.tf
Expand Up @@ -36,23 +36,25 @@ Ask for the certificate to be signed with the Linux (v2) PKI CA with the command
EOM

v3_certificate_csr_message = <<EOM
Now submit file to TCO under [Server Certificate](https://dwp.census.gov/dwp/app/#/itemprofile/120) for signing and return the result as below:
Now submit file to TCO under [Server Certificate](https://dwp.census.gov/dwp/app/#/itemprofile/120) for signing and return the result as below. Please
be sure to ask for it to be signed by one of the two **US Census Bureau CA Issuing CA{n}** systems.
dns = ${local.ca_dns_name}
csr = certs/${local.ca_dns_name}.csr
**IMPORTANT**
We are no longer issuing certificate from the Linux (v2) PKI, so you must request one from the MS CA.
Ask for the certificate to be signed with the Microsoft (MS CA, v3) PKI CA with the command (Windows, PowerShell):
Ask for the certificate to be signed with one of the Microsoft (MS CA, v3) PKI CA Issuer CAs with the command (Windows, PowerShell):
certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority" ${local.ca_dns_name}.csr ${local.ca_dns_name}.cer
It is very important that this certificate be issued as a Subordinate Certification Authority. The default method of a server certificate
will fail and will cause a lot of issues.
Further, you will NOT enable the download option with the MS CA. If you receive a download link to ca.apps.tco.census.gov, do not attempt
to proceed, and request the correctly-signed certificate as described above.
to proceed, and request the correctly-signed certificate as described above. There is no download capability for certificates issued by the
CA Issuing CAs.
EOM
}
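
Review bot: the added sentence asks for signing by "one of the two **US Census Bureau CA Issuing CA{n}** systems", but the `certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority" ...` line below it is unchanged and names no CA, so the command does not express the new requirement. Either show how the Issuing CA is selected (for example a `-config` argument with a clearly marked placeholder for the CA name) or say that the operator picks it when prompted, and state what values `{n}` stands for. The message also still opens by sending the reader to the "Server Certificate" item while warning further down that "the default method of a server certificate will fail"; moving the Subordinate Certification Authority requirement next to that first instruction would make it harder to miss. Since the text now rules out the ca.apps.tco.census.gov download path, consider adding one line telling the operator to confirm that the returned `.cer` was issued by an Issuing CA and is a CA certificate before handing it back.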

