diff --git a/README.md b/README.md
index bb7e445..cc51817 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,50 @@
 # gencert
 
-generates self-signed x509 with CA and IPs in SAN
\ No newline at end of file
+## Purpose
+ - This script will always produce a self-signed x509 certificate in the
+ current path with the IP addresses embedded to x509's SAN.
+ It will also produce a CA certificate and can be used by other services
+ which may need to authenticate against this self-signed certificate.
+ The authentication works in a way that a public CA certificate will be
+ used by the client in order to validate the server's certificate.
+
+## Application
+ Backend requiring x509 running behind reverse proxy
+ - This script has been created in order to ease the Minio's SSE-C
+ (Server Side Encryption - Customer provided keys) enablement when
+ Minio server is running as a backend behind a reverse proxy like Traefik.
+ Minio server enables SSE-C only when it detects the x509 certificates.
+ Traefik running with docker service provider talks to the backend using
+ the IP. The IP usually is not static, hence this script comes handy.
+
+## Example usage
+### Minio server with Traefik example
+
+ 1. Replace "minio server" command with the following one:
+ - "cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server"
+ 2. Copy the CA certificate "ca.crt" file to "/usr/local/share/ca-certificates/" and
+ run "update-ca-certificates" command which will update
+ "/etc/ssl/certs/ca-certificates.crt" file.
+ 3. Restart Traefik.
+
+> NOTE: Steps 2. and 3. will need to be repeated each time you get a new CA
+> certificate. Then they can be automated this way:
+> - Start Traefik with this command:
+> sh -c "update-ca-certificates && traefik"
+> while "/usr/local/share/ca-certificates" path is a host mounted
+> path with the CA certificate produced by this script.
+> NOTE: I am using Alpine Traefik image, the correct ca certificates path is
+> "/usr/local/share/ca-certificates/", otherwise one of these
+> https://golang.org/src/crypto/x509/root_linux.go
+
+## Script logic
+ - generate CA cert if does not find any.
+ - always generate server cert on startup to ensure all IP addresses are in
+ x509 SAN.
+ - warn if the CA cert about to expire (<30 days till expiration).
+ - regenerate the CA cert if it finds it has expired.
+
+## Notes
+ - The CA cert will be valid for 3650 days (10 years).
+ - The server cert will be valid for 365 days (1 year).
+ - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures.
diff --git a/gencert.sh b/gencert.sh
index f9f3c3b..e229e8e 100755
--- a/gencert.sh
+++ b/gencert.sh
@@ -1,57 +1,10 @@
 #!/bin/sh
 # Filename: gencert.sh
-# Description: generates self-signed x509 with CA and IPs in SAN
+# Description: This script generates x509 server certificate (with all IPs in
+# SAN) signed by a self-signed CA.
 # Version: 0.1 - 30 June 2018
 # Author: Andrey Arapov
 # License: GPLv3
-#
-# Purpose
-# - This script will always produce a self-signed x509 certificate in the
-# current path with the IP addresses embedded to x509's SAN.
-# It will also produce a CA certificate and can be used by other services
-# which may need to authenticate against this self-signed certificate.
-# The authentication works in a way that a public CA certificate will be
-# used by the client in order to validate the server's certificate.
-#
-# Application
-# Backend requiring x509 running behind reverse proxy
-# - This script has been created in order to ease the Minio's SSE-C
-# (Server Side Encryption - Customer provided keys) enablement when
-# Minio server is running as a backend behind a reverse proxy like Traefik.
-# Minio server enables SSE-C only when it detects the x509 certificates.
-# Traefik running with docker service provider talks to the backend using
-# the IP. The IP usually is not static, hence this script comes handy.
-#
-# Example usage
-# Minio server with Traefik example
-# 1. Replace "minio server" command with the following one:
-# - "cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server"
-# 2. Copy the CA certificate "ca.crt" file to "/usr/local/share/ca-certificates/" and
-# run "update-ca-certificates" command which will update
-# "/etc/ssl/certs/ca-certificates.crt" file.
-# 3. Restart Traefik.
-#
-# NOTE: Steps 2. and 3. will need to be repeated each time you get a new CA
-# certificate. 
Then they can be automated this way:
-# - Start Traefik with this command:
-# sh -c "update-ca-certificates && traefik"
-# while "/usr/local/share/ca-certificates" path is a host mounted
-# path with the CA certificate produced by this script.
-# NOTE: I am using Alpine Traefik image, the correct ca certificates path is
-# "/usr/local/share/ca-certificates/", otherwise one of these
-# https://golang.org/src/crypto/x509/root_linux.go
-#
-# Script logic
-# - generate CA cert if does not find any.
-# - always generate server cert on startup to ensure all IP addresses are in
-# x509 SAN.
-# - warn if the CA cert about to expire (<30 days till expiration).
-# - regenerate the CA cert if it finds it has expired.
-#
-# Notes
-# - The CA cert will be valid for 3650 days (10 years).
-# - The server cert will be valid for 365 days (1 year).
-# - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures.
 ME=$(printf '%s\n' "${0##*/}")