diff --git a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst index bbe9cb9df..1494cd080 100644 --- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst +++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst @@ -101,19 +101,26 @@ playbook are: use in an Intermediate |CA|. The duration of the Intermediate CA public certificate and private key - pair should be at least 3 years. See *ca_duration* to modify this - semantic check. + pair should be at least 3 years. See *rca_duration/ica_duration* to + modify this semantic check. ``system_root_ca_cert`` The public certificate of the Root |CA| that signed ``system_local_ca_cert``. - ``ca_duration`` - |CA| duration validation parameter. This will be used against - ``system_local_ca_cert`` and ``system_root_ca_cert`` to ensure that - they have sufficient duration remaining. It defaults to 3 years, as - this is typical for |CA| certificates and this certificate must be - renewed manually. Only override if necessary. + ``rca_duration`` + |RCA| duration validation parameter. This will be used against + ``system_root_ca_cert`` to ensure that it have sufficient duration + remaining. It defaults to 3 years, as this is typical for |CA| + certificates and this certificate must be renewed manually. Only + override if necessary. + + ``ica_duration`` + |ICA| duration validation parameter. This will be used against + ``system_local_ca_cert`` to ensure that it have sufficient duration + remaining. It defaults to 3 years, as this is typical for |CA| + certificates and this certificate must be renewed manually. Only + override if necessary. ``system_platform_certificate.dns_domain`` The |DNS| domain that will be used to build a full DNS name for the 
@@ -201,18 +208,16 @@ playbook are: .. code-block:: none - ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml -i migration-inventory.yml --extra-vars "target_list=localhost,subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass + ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml -i migration-inventory.yml --extra-vars "target_list=localhost,subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass .. note:: - In |prod-dc| systems, the playbook must be run from the System Controller, and the ``target_list`` parameter should be used to target the desired subclouds. - - The ``target_list`` parameter must include localhost within the + - The ``target_list`` parameter should include localhost within the targeted subcloud, to keep the certificates consistent with the - SystemController. In |prod-dc| systems, if localhost is not included - in the ``target_list`` parameter, the playbook can fail to install the - RCA certificate in the SystemController. + SystemController. The behavior of the update/migration can be customized using the following ``--extra-vars`` parameter options: @@ -227,8 +232,8 @@ playbook are: ``target_list`` * ``localhost``: Will target the localhost (standalone systems or - system controller). The ``target_list`` parameter must include at - least this value. + system controller). The ``target_list`` parameter should include + this value to keep consistency with the SystemController. * ``subcloud1``, ``subcloud2``: A comma separated list of hosts the playbook will target. diff --git a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst index d40e94220..d151dc49d 100644 
--- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst +++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst @@ -24,7 +24,7 @@ SystemController. .. note:: In order to change or renew the ``system-local-ca`` Secret for signing, the - ``migrate_platform_certificates_to_certmanager.yml`` playbook MUST BE USED, + ``update_platform_certificates.yml`` playbook MUST BE USED, see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. This playbook will update the ``system-local-ca`` Secret and Issuer, re-sign all of the Platform Certificates using this issuer, and in a Distributed
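Review bot: In the first hunk (``@@ -101,19 +101,26 @@``), both new entries read "to ensure that it have sufficient duration remaining"; this should be "it has" in the ``rca_duration`` and ``ica_duration`` descriptions. In the same hunk, the sentence above them describes the Intermediate CA only ("The duration of the Intermediate CA public certificate and private key pair should be at least 3 years"), so the pointer should be "See *ica_duration* to modify this semantic check" rather than "*rca_duration/ica_duration*", since ``rca_duration`` is checked against ``system_root_ca_cert``, not the intermediate. If the Root CA has its own minimum, state it beside ``system_root_ca_cert`` and point to ``rca_duration`` there.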
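Review bot: The second hunk (``@@ -201,18 +208,16 @@``) drops a documented failure mode without saying it no longer applies. The removed lines stated that "if localhost is not included in the ``target_list`` parameter, the playbook can fail to install the RCA certificate in the SystemController"; softening "must include" to "should include" while deleting that warning leaves the reader unable to tell whether omitting ``localhost`` is now safe or merely unadvised. If the renamed ``update_platform_certificates.yml`` playbook fixed this, keep the relaxed wording but say so; otherwise restore the warning. Also, "should include localhost within the targeted subcloud" is awkward; "alongside the targeted subclouds" reads correctly.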
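Review bot: In the third hunk (``@@ -227,8 +232,8 @@``), "The ``target_list`` parameter should include this value to keep consistency with the SystemController" is wrong for half the cases the bullet names: on a standalone system there is no SystemController to stay consistent with. Suggest scoping the clause to |prod-dc| systems, e.g. "In |prod-dc| systems, the ``target_list`` parameter should include this value so that subcloud certificates stay consistent with the SystemController", and using one spelling ("SystemController" vs. "system controller") within the bullet.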
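Review bot: The last hunk (``@@ -24,7 +24,7 @@`` in the REST API page) updates only this one occurrence of the playbook name. Since the page it links to keeps the ``migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`` label and a "migrate" title while the playbook is now ``update_platform_certificates.yml``, please confirm that no other page in ``doc/source`` still references ``migrate_platform_certificates_to_certmanager.yml``, and consider a short sentence in the migration page noting the rename so that operators following older instructions find the new path.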