diff --git a/webauthn-server-attestation/README.adoc b/webauthn-server-attestation/README.adoc index 131ff7f3e..43f86b778 100644 --- a/webauthn-server-attestation/README.adoc +++ b/webauthn-server-attestation/README.adoc @@ -120,7 +120,7 @@ Breaking changes to these will NOT be reflected in version numbers. == Getting started -Using this module consists of 4 major steps: +Using this module consists of 5 major steps: 1. Create a link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`] 
@@ -218,13 +218,16 @@ RegistrationResult result = rp.finishRegistration(/* ... */); Set metadata = mds.findEntries(result); ---------- -By default, -link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.4.0/com/yubico/fido/metadata/FidoMetadataDownloader.html[`FidoMetadataDownloader`] -will probably use the SUN provider for the `PKIX` certificate path validation algorithm. -This requires the `com.sun.security.enableCRLDP` system property set to `true` in order to verify the BLOB signature. + 5. If you use the SUN provider for the `PKIX` certificate path validation algorithm, which many deployments do by default: + set the `com.sun.security.enableCRLDP` system property to `true`. + This is required for the SUN `PKIX` provider to support the CRL Distribution Points extension, + which is needed in order to verify the BLOB signature. ++ For example, this can be done on the JVM command line using a `-Dcom.sun.security.enableCRLDP=true` option. -See the https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#JSSEC-GUID-EB250086-0AC1-4D60-AE2A-FC7461374746[Java PKI Programmers Guide] +See the https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#GUID-EB250086-0AC1-4D60-AE2A-FC7461374746__SECTION-139-623E860E[Java PKI Programmers Guide] for details. ++ +This step may not be necessary if you use a different provider for the `PKIX` certificate path validation algorithm. == Selecting trusted authenticators
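Review bot: In the first hunk (@@ -120,7 +120,7 @@), the hard-coded count in "Using this module consists of 5 major steps:" has to be edited by hand whenever a step is added or removed, and the step added by this patch is conditional ("If you use the SUN provider ..."), so "5 major steps" overstates what deployments on another provider need to do. Consider dropping the number (for example "Using this module consists of the following major steps:") and letting the numbered list carry the count.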
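Review bot: In the second hunk (@@ -218,13 +218,16 @@), the new step 5 is placed after the `mds.findEntries(result)` example, yet the property it describes is "needed in order to verify the BLOB signature", and the removed text attributes that verification to the `FidoMetadataDownloader` created in step 1. A reader working through the steps in order reaches BLOB verification before reaching this instruction. Suggest moving it next to the downloader step, or adding a pointer there to step 5. It would also help to say that `com.sun.security.enableCRLDP` is a JVM system property, so setting it applies to every `PKIX` path validation through the SUN provider in that process, not only to the metadata BLOB. The "See the ... Java PKI Programmers Guide" link still targets the Java 9 documentation; a note on which Java versions the advice was checked against would make the step easier to trust.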