Tweaks in HOW-TO-INSTALL for HARICA.

docs.d/HOW-TO-INSTALL.md

@@ -141,6 +141,7 @@ passphrase, and remember it, because you will need it soon.
 Also: make sure to download the `privateKey.pem` file that
 is offered, and keep it in a safe place.
 
+If you manually create the CSR on the server, you'll use the 'onionaddress.key' file generated by openssl.
 ## You will need to prove ownership of the site, to the CA
 
 For example: HARICA will tell you that you need to post 
@@ -169,6 +170,8 @@ eotk config projectname.conf && eotk nxreload projectname
 
 ...to install the URL handlers.
 
+HARICA has a process of validation which involves generating an onion-csr. You won't need to add anything to your configuration.
+
 ### Optional: what if you have multiple Onion addresses?
 
 You can put multiple `path,value` strings into `ssl_proof_csv`, space-separated; 
@@ -225,7 +228,7 @@ There are two steps to installation:
 
 Step 1: copy the PEM Bundle file from HARICA, on top of `ONIONADDRESS.onion.cert`
 
-Step 2: unlock and extract the private key, by doing:
+Step 2: unlock and extract (or rename) the private key, by doing:
 
 `openssl ec -in privateKey.pem -out ONIONADDRESS.onion.pem`
 
@@ -233,6 +236,9 @@ Step 2: unlock and extract the private key, by doing:
 if you chose to use RSA as the algorithm, you will need to use 
 `openssl rsa ...` instead.
 
+If you manually created the CSR, then rename the 'onionaddress.key' file
+the CSR generated to 'onionaddress.onion.pem'.
+
 Then: change directory back to the EOTK directory, 
 and do `eotk nxreload projectname`, and test it.