diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index 8f02c99..80287b6 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -36,10 +36,12 @@
 vault write pki_int/roles/servers_default \
 issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
 allow_ip_sans=true \
- allowed_domains="unkin.net,prod*" \
+ allowed_domains="unkin.net, *.unkin.net, localhost" \
 allow_subdomains=true \
- allow_bare_domains=true \
 allow_glob_domains=true \
+ allow_bare_domains=true \
+ enforce_hostnames=true \
+ allow_any_name=true \
 max_ttl="2160h" \
 key_bits=4096 \
 country="Australia"
@@ -49,7 +51,6 @@ vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h" - # remove expired certificates vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true