diff --git a/certidude/cli.py b/certidude/cli.py
index 56278cb..17f8f84 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -579,9 +579,13 @@ def certidude_setup_authority(parent, country, state, locality, organization, or
 with open(ca_key, "wb") as fh:
 fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
- click.echo("Insert following to /etc/ssl/openssl.cnf:")
+ with open(os.path.join(directory, "openssl.cnf.example"), "w") as fh:
+ fh.write(env.get_template("openssl.cnf").render(locals()))
+
+ click.echo("You need to copy the contents of the 'openssl.cnf.example'")
+ click.echo("to system-wide OpenSSL configuration file, usually located")
+ click.echo("at /etc/ssl/openssl.cnf")
 click.echo()
- click.secho(env.get_template("openssl.cnf").render(locals()), fg="blue")
 click.echo()
 click.echo("Use following commands to inspect the newly created files:")
diff --git a/certidude/templates/openssl.cnf b/certidude/templates/openssl.cnf
index fe2f808..6b09e10 100644
--- a/certidude/templates/openssl.cnf
+++ b/certidude/templates/openssl.cnf
@@ -1,3 +1,6 @@
+# You have to copy the settings to the system-wide
+# OpenSSL configuration (usually /etc/ssl/openssl.cnf
+
 [CA_{{slug}}]
 default_crl_days = {{revocation_list_lifetime}}
 default_days = {{certificate_lifetime}}
@@ -38,3 +41,4 @@ emailAddress = optional
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation,digitalSignature,keyEncipherment
 extendedKeyUsage = clientAuth
+
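Review bot: `render(locals())` in the added `fh.write(...)` line hands every local of certidude_setup_authority to the template, including the private key object `key` used in the context line just above, and the rendered text is now persisted to `openssl.cnf.example` rather than only echoed to the terminal. An explicit context limits what a later template edit could write to disk, for example `render(slug=slug, certificate_lifetime=certificate_lifetime, revocation_list_lifetime=revocation_list_lifetime)`, extended with whatever other names the template references (only these three are visible in this diff). The new messages also name the file without its location, so echoing the joined path would tell the operator where to find it. The function body starts and ends outside the hunk.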
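Review bot: The added header comment in the first hunk of templates/openssl.cnf is missing its closing parenthesis after `/etc/ssl/openssl.cnf`; it should read `# OpenSSL configuration (usually /etc/ssl/openssl.cnf)`. Because the cli.py change in this commit renders the template into `openssl.cnf.example`, the comment reaches operators exactly as written.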