diff --git a/man/uki.conf.example b/man/uki.conf.example
new file mode 100644
index 0000000000..84a9f77b8d
--- /dev/null
+++ b/man/uki.conf.example
@@ -0,0 +1,14 @@
+[UKI]
+SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
+SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
+
+[PCRSignature:initrd]
+Phases=enter-initrd
+PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
+PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
+
+[PCRSignature:system]
+Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
+ enter-initrd:leave-initrd:sysinit:ready
+PCRPrivateKey=/etc/kernel/pcr-system.key.pem
+PCRPublicKey=/etc/kernel/pcr-system.pub.pem
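Review bot: the example puts two private keys (`SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem`, `PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem`) under /etc/kernel/ without a word about who may read them; since the file is meant to be copied verbatim by users, add a leading comment line noting that these key files must not be world-readable and that the key and certificate paths are placeholders to adjust. The wrapped `Phases=` value in [PCRSignature:system] also deserves a short comment saying that the indented second line is a continuation of the same value, otherwise a reader is likely to "fix" the indentation and silently drop the `enter-initrd:leave-initrd:sysinit:ready` phase path.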
diff --git a/man/ukify.xml b/man/ukify.xml
index 283d58b3b0..6895301d01 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -499,6 +499,36 @@ $ /usr/lib/systemd/ukify -c ukify.conf build \
This creates a signed PE binary that contains the additional kernel command line parameter
debug with SBAT metadata referring to the owner of the addon.
+
+
+ Decide signing policy and create certificate and keys
+
+ First, let's create an config file that specifies what signatures shall be made:
+
+ # cat >/etc/kernel/uki.conf <<EOF
+EOF
+
+ Next, we can generate the certificate and keys:
+ # /usr/lib/systemd/ukify genkey --config=/etc/kernel/uki.conf
+Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
+Writing SecureBoot certicate to /etc/kernel/secure-boot.cert.pem
+Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
+Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
+Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
+Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
+
+
+ (Both operations need to be done as root to allow write access
+ to /etc/kernel/.)
+
+ Subsequent invocations of using the config file
+ (/usr/lib/systemd/ukify build --config=/etc/kernel/uki.conf)
+ will use this certificate and key files. Note that the
+ kernel-install8
+ plugin 60-ukify.install uses /etc/kernel/uki.conf
+ by default, so after this file has been created, installations of kernels that create a UKI on the
+ local machine using kernel-install would perform signing using this config.
+
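Review bot: the heredoc in the first listing is empty as rendered here (`# cat >/etc/kernel/uki.conf <<EOF` is immediately followed by `EOF`), so the example config has to actually appear between those two lines, otherwise the later `genkey` output listing refers to keys the reader never configured. A few wording fixes in the same hunk: "an config file" should be "a config file"; "Writing SecureBoot certicate to" should read "certificate" (and if that spelling was copied from the real `ukify genkey` output, the typo needs fixing in the tool as well, not only in the man page); and "Subsequent invocations of using the config file ... will use this certificate and key files" should be "Subsequent invocations using the config file ... will use these certificate and key files". Finally, "installations of kernels that create a UKI on the local machine using kernel-install would perform signing using this config" is easier to read as "any kernel installed with kernel-install that builds a UKI on the local machine will be signed according to this config".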