diff --git a/docs/security/tls.md b/docs/security/tls.md index 59d06ff..829568a 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -159,7 +159,7 @@ _acme-challenge.forums IN CNAME _acme-challenge.forums.acme.centos.org. Now on certbot node, we can just ask acme.sh to dynamically update acme.centos.org with our ddns.key file (already present) that is permitted to update the acme.centos.org and instruct acme.sh that while asking for a record in centos.org, it has to update other TXT record for the 'acme-challenge' record ``` -acme.sh --issue --dns dns_nsupdate -d forums.centos.org --challenge-alias forums.acme.centos.org +acme.sh --issue --keylength 2048 --dns dns_nsupdate -d forums.centos.org --challenge-alias forums.acme.centos.org ``` Let's see what this produces on our DNS node, basically updating TXT record: @@ -198,7 +198,7 @@ And back on the certbot node, where it just updates, then waits and finalizes th PS : for a wildcard, just add multiple -d and `*.domain` ``` -acme.sh --issue --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --challenge-alias stg.acme.centos.org +acme.sh --issue --keylength 2048 --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --challenge-alias stg.acme.centos.org ``` All certs/keys obtained through acme are under /root/.acme.sh/{hostname}/ so you'll then have to import those into this pkistore dir @@ -211,7 +211,7 @@ Normally we prefer DNS challenge, but there are corner cases like delegated reco You can add multiple SANs in the same certs. Here is one example with buildlogs.centos.org and SAN cloud.centos.org : ``` -acme.sh --issue -d buildlogs.centos.org -d cloud.centos.org -w /var/www/html/ +acme.sh --issue --keylength 2048 -d buildlogs.centos.org -d cloud.centos.org -w /var/www/html/ ``` All files (certs/keys) are then available under /root/.acme.sh/{hostname} (you'll have to import those into this pkistore dir)
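Review bot: the first hunk (the `forums.centos.org` issue command) pins `--keylength 2048` but the surrounding text never says why the key type and size are fixed instead of taking the acme.sh default; add one sentence before the code block stating the rationale (for example RSA 2048 for compatibility with the services that consume these certificates) so future editors do not drop the flag as noise. Since the same flag is added to every `acme.sh --issue` example in this page, it may be cleaner to state the key-length policy once near the top of the section and refer to it, rather than repeating the justification per example.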
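Review bot: in the second hunk (the `stg.centos.org` wildcard example) the added `--keylength 2048` keeps the issued key as RSA, which is consistent with the path `/root/.acme.sh/{hostname}/` given in the sentence that follows; it would help to note there that the directory name depends on the key type chosen, so anyone who later changes `--keylength` knows to re-check where the certs and keys land before importing them into the pkistore dir.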
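Review bot: the third hunk (the HTTP-01 example with `buildlogs.centos.org` and SAN `cloud.centos.org`) now matches the DNS examples with `--keylength 2048`, which is good for consistency; while touching these blocks, consider tagging the three untyped code fences as shell so the commands render with highlighting and are recognisable as commands rather than output, and consider putting `--keylength 2048` in the same position in all three commands (it currently sits before `--dns` in two and before `-d` in the third), which is harmless for acme.sh but reads inconsistently.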