diff --git a/document_root/faq.html b/document_root/faq.html
index 0fe9903..cca7cef 100644
--- a/document_root/faq.html
+++ b/document_root/faq.html
@@ -65,15 +65,6 @@ other head content must come *after* these tags -->
       <p class="lead">Can I use this certificate on my commerce website?</p>
       <p>Although there's no technical reason why you couldn't use the sslip.io SSL key and certificate for your commerce web, we <i>strongly</i> recommend against it: the key is publicly available; your traffic isn't secure. sslip.io's primary purpose is
         to assist developers who need to test against valid SSL certs, not to safeguard content.</p>
-      <p class="lead">What is the sslip.io certificate chain?
-      </p>
-      <p>The sslip.io certificate chain looks like the following:</p>
-      <div class="col-sm-12">
-        <img src="img/cert_chain.png" height="206" /> </div>
-      <div class="row"></div>
-      <p></p>
-      <p>Note that the "root" certificate is "AddTrust's External CA Root", which issued a certificate to the "COMODO RSA Certification Authority", which in turn issued a certificate to the "COMODO RSA Domain Validation Secure Server CA" which in turn issued
-        our certificate, "*.sslip.io".</p>
       <p class="lead">My webserver wants a certificate and an "intermediate certificate chain"&mdash;where do I get that?
       </p>
       <p>Certain web servers (e.g. <a href="http://www.tenable.com">Tenable's</a> <a href="http://www.tenable.com/products/nessus-vulnerability-scanner">Nessus</a> scanner) prefer to split the chained certificate file (which has three concatenated certificates)
@@ -85,19 +76,32 @@ other head content must come *after* these tags -->
         </li>
         <li>the intermedicate certificate <a href="https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/intermediate-ca.crt.pem">chain</a> (the COMODO CAs)</li>
       </ul>
-      <p class="lead">Why don't you include "AddTrust External CA Root"'s root certificate in your chain?</p>
-      <p>Certain people consider it bad taste to include the root certificate in the .pem chain. Really. And the root certificate doesn't need to be there: it's already installed in the system (and sometimes in the browser). </p>
       <p class="lead">Why can't I use dots in my hostname? xip.io lets me use dots.
       </p>
-      <p class="lead">Do I have to use the sslip.io domain? I'd rather have a valid cert for my domain.</p>
-      <p>If you want valid SSL certificate, and you don't want to use the sslip.io domain, then you'll need to purchase a certificate for your domain. We purchased ours from <a href="https://www.cheapsslshop.com">Cheap SSL Shop</a>, but use a vendor with
-        whom you're comfortable. </p>
-      <p class="lead"></p>
+      <p>You can't have dots, but you can have dashes: for example, "www-sf-ca-us-10-9-9-142.sslip.io" will work with sslip.io's wildcard SSL certificate, but "www.sf.ca.us.10.9.9.142.sslip.io" will not. This is a technical limitation of wildcard certs and the manner in which browser treat them (read more <a href="http://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains">here</a>). This restricts sslip.io's usage model. For example, it won't work properly with Cloud Foundry's app domain or system domain.
+      <p class="lead">Can you make the hostnames easier to remember? I'm being force to memorize IP addresses.</p>
+      <p>Unfortunately, no. We appreciate that "52-0-56-137.sslip.io" is not an easy-to-remember hostname, whereas
+      something along the lines of
+      "aws-server.sslip.io" would be much simpler, but we don't see any easy solution&mdash;we need to be
+      able to extract the IP address from the hostname in order for our DNS nameserver to reply with the proper
+      address when queried.</p>
       <p class="lead">Do you have support for IPv6-style addresses?</p>
-      <p>Not yet, but if there's enough demand for it, we might try implementing it.</p>
+      <p>Not yet, but if there's enough demand for it we might try implementing it.</p>
       <p class="lead">Why did you choose a 4096-bit key instead of a 2048-bit key?</p>
       <p>We couldn't help ourselves&mdash;when it comes to keys, longer is better. In retrospect there were flaws in our thinking: certain hardware devices, e.g. YubiKeys, only support keys of length 2048 bits or less. Also, there was no technical value
         in making a long key&mdash;it's publicly available on GitHub, so a zero-bit key would have been equally secure.</p>
+      <p class="lead">Do I have to use the sslip.io domain? I'd rather have a valid cert for my domain.</p>
+      <p>If you want valid SSL certificate, and you don't want to use the sslip.io domain, then you'll need to purchase a certificate for your domain. We purchased ours from <a href="https://www.cheapsslshop.com">Cheap SSL Shop</a>, but use a vendor with
+        whom you're comfortable. </p>
+      <p class="lead">What is the sslip.io certificate chain?
+      </p>
+      <p>The sslip.io certificate chain is the series of certificates, each signing the next, with a root certificate at the top. It looks like the following:</p>
+      <div class="col-sm-12">
+        <img src="img/cert_chain.png" height="206" /> </div>
+      <div class="row"></div>
+      <p></p>
+      <p>Note that the "root" certificate is "AddTrust's External CA Root", which issued a certificate to the "COMODO RSA Certification Authority", which in turn issued a certificate to the "COMODO RSA Domain Validation Secure Server CA" which in turn issued
+        our certificate, "*.sslip.io".</p>
       <p class="lead">Where do I report bugs? I think I found one.</p>
       <p>Open an issue on <a href="https://github.com/cunnie/sslip.io/issues">GitHub</a>; we're tracking our issues there.</p>
       <p class="lead">There's a typo/mistake on the sslip.io website.