diff --git a/doc/source/admin/upgrades/major-upgrades.rst b/doc/source/admin/upgrades/major-upgrades.rst index f250d7651d..a3c62ed7a6 100644 --- a/doc/source/admin/upgrades/major-upgrades.rst +++ b/doc/source/admin/upgrades/major-upgrades.rst @@ -151,6 +151,13 @@ Please review the contents of the playbook for more information. # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml" +Update user_variables to set overrides for the location of any existing +Ocatavia certificates. + +.. code-block:: console + + # openstack-ansible "${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml" + Upgrade hosts ~~~~~~~~~~~~~ @@ -161,14 +168,14 @@ Before installing the infrastructure and OpenStack, update the host machines. Usage of non-trusted certificates for RabbitMQ is not possible due to requirements of newer ``amqp`` versions. -The internal certificate authority must be updated for the upgraded -release version. This does not regenerate or alter any existing CA certificates. -New certificate chains may be generated at this stage to cover -additional parts of the deployment secured using TLS in upgraded release. +The SSH certificate authority must be updated for the upgraded release +version. SSH certificates are used for nova live migration and keystone +credential synchonrisation in the new release. This step ensures that +the required CA is generated and available for other playbooks. .. code-block:: console - # openstack-ansible certificate-authority.yml + # openstack-ansible certificate-ssh-authority.yml Once CA is generated, we can proceed with standard OpenStack upgrade steps: diff --git a/scripts/run-upgrade.sh b/scripts/run-upgrade.sh index 8270d8c0a5..9a03505c8d 100755 --- a/scripts/run-upgrade.sh +++ b/scripts/run-upgrade.sh 
@@ -176,7 +176,6 @@ function main { pushd ${MAIN_PATH}/playbooks RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/deploy-config-changes.yml") RUN_TASKS+=("${SCRIPTS_PATH}/upgrade-utilities/define-octavia-certificate-vars.yml") - RUN_TASKS+=("certificate-authority.yml") RUN_TASKS+=("certificate-ssh-authority.yml") # we don't want to trigger container restarts for galera and rabbit # but as there will be no hosts available for metal deployments,
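Review bot: In the major-upgrades.rst hunk at @@ -151, the added sentence misspells Octavia as "Ocatavia", and it does not say which file the playbook modifies or what an operator should check afterwards. Suggest fixing the spelling, marking the file name as a literal in the same style the section already uses for ``amqp``, and adding one line on whether the step can be skipped when no Octavia certificates exist.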
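Review bot: In the major-upgrades.rst hunk at @@ -161, "synchonrisation" in the added paragraph should be "synchronisation". The unchanged sentence above it about non-trusted certificates for RabbitMQ now leads straight into a paragraph that covers only the SSH CA, and the unchanged line after the code block, "Once CA is generated", no longer says which CA is meant. The removed paragraph was the one that told operators the internal CA is updated without regenerating or altering existing CA certificates, so suggest adding a sentence saying where the internal TLS CA is handled now, and changing the closing line to name the SSH CA.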
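Review bot: In the scripts/run-upgrade.sh hunk at @@ -176, the line RUN_TASKS+=("certificate-authority.yml") is dropped with no comment, and nothing in the visible lines shows where the internal CA playbook runs instead. Since the documentation in the same patch still states that non-trusted certificates for RabbitMQ are not possible, please confirm that a later RUN_TASKS entry creates or updates the internal CA before any service that needs TLS is deployed, and record that in a short comment next to certificate-ssh-authority.yml or in the commit message.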