diff --git a/examples/full-cluster-tf-upgrade/common-services/cert.tf b/examples/full-cluster-tf-upgrade/common-services/cert.tf index 1202841..a6e3547 100644 --- a/examples/full-cluster-tf-upgrade/common-services/cert.tf +++ b/examples/full-cluster-tf-upgrade/common-services/cert.tf @@ -38,9 +38,18 @@ Now submit file to TCO for signing and return the result as below: dns = ${local.ca_dns_name} csr = certs/${local.ca_dns_name}.csr -Ask for the certificate to be signed with the Linux (v2) PKI CA with the command: +**IMPORTANT** -% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730" +We are no longer issuing certificate from the Linux (v2) PKI, so you must request one from the MS CA. +Ask for the certificate to be signed with the Microsoft (MS CA, v3) PKI CA with the command (Windows, PowerShell): + + certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority" ${local.ca_dns_name}.csr ${local.ca_dns_name}.cer + +It is very important that this certificate be issued as a Subordinate Certification Authority. The default method of a server certificate +will fail and will cause a lot of issues. + +Further, you will NOT enable the download option with the MS CA. If you receive a download link to ca.apps.tco.census.gov, do not attempt +to proceed, and request the correctly-signed certificate as described above. EOM }
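Review bot: the replacement `certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority" ${local.ca_dns_name}.csr ${local.ca_dns_name}.cer` drops two parameters that the removed `sign-subordinate-ca-cert.sh` line made explicit, the subject DN (`c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}`) and the `730`-day validity, and the new text does not say where either now comes from; state whether the CSR generated earlier in this heredoc must already carry that DN and whether the template fixes the lifetime, otherwise the operator has no way to produce a matching request. Because the text itself warns that a certificate issued from the default server template "will fail and will cause a lot of issues", add a verification step after issuance (for example, inspect the returned `.cer` and confirm Basic Constraints shows CA:TRUE and the chain validates against the MS CA root) so a wrongly-templated certificate is caught before it is installed as the cluster's subordinate CA. Minor wording: "We are no longer issuing certificate from" should read "certificates from", and "you will NOT enable the download option with the MS CA" is ambiguous about whether the option is unavailable or must not be used; rephrase it as a direct instruction consistent with the following sentence about the ca.apps.tco.census.gov link.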