-The bottom of the tab specifies the certificate and private key that
-is used to decrypt DCPs if they are imported as sources to
-DCP-o-matic. If you want to import an encrypted DCP you will need to
-give the decryption certificate to the distributor of the DCP so that
-they can generate a DKDM for you. As with the certificate chain,
-DCP-o-matic will create a certificate and private key for you. You
-can also choose to load your own certificate and key.
+Underneath the details of the certificate chain and private key for
+signing of DCPs and KDMs is a second chain and key which is used by
+DCP-o-matic when you import an encrypted DCP as a piece of content.
+The leaf certificate of this chain contains the public key that should
+be used when targeting a KDM at DCP-o-matic.
+</para>
+
+<para>
+If you want to import an encrypted DCP you will need to give the
+decryption certificate to the distributor of the DCP so that they can
+generate a DKDM for you. You can save this certificate to disk by
+clicking <guilabel>Export DCP decryption certificate</guilabel>. As
+with the signing chain, DCP-o-matic will create a certificate chain
+and private key for you. You can also choose to load your own
+certificates and key or re-make the chain and key with new, random
+values.