Update advanced usage documentation
Signed-off-by: Ying Li <ying.li@docker.com>
cyli committed Mar 7, 2016
1 parent f9102e4 commit 684af0b
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions docs/advanced_usage.md
Expand Up @@ -90,11 +90,13 @@ subsection.
In case of potential compromise, notary provides a CLI command for rotating keys. Currently, you can use the `notary key rotate` command to rotate the targets or snapshot keys.

While the snapshot key is managed by the notary client by default, use the `notary key
rotate -r` command to rotate the snapshot key to the server, such that the
rotate snapshot -r` command to rotate the snapshot key to the server, such that the
notary server will then sign snapshots. This is particularly useful when using
delegations with a trusted collection, so that delegates will never need access to the
snapshot key to push their updates to the collection.

The targets key must be locally managed - to rotate the targets key, for instance in case of compromise, use the `notary key rotate targets` command without the `-r` flag.

### Use a Yubikey

Notary can be used with [Yubikey
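Review bot: the two rotation commands in this hunk omit the collection (GUN) argument that the worked example later in this file includes ("$ notary key rotate example.com/collection snapshot -r"), so a reader copying `notary key rotate snapshot -r` or `notary key rotate targets` straight from this paragraph will be missing a required positional argument. Suggest writing them as `notary key rotate <GUN> snapshot -r` and `notary key rotate <GUN> targets` so the prose and the example agree. Minor: "must be locally managed - to rotate" would read better with a period or semicolon than a spaced hyphen, and "for instance in case of compromise" repeats the "In case of potential compromise" that opens the section.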
Expand Down Expand Up @@ -125,11 +127,10 @@ their own targets to the collection, since the server can publish the valid
snapshot with the delegation targets:

```
$ notary key rotate example.com/collection -r --key-type=snapshot
$ notary key rotate example.com/collection snapshot -r
```

Here, `-r` specifies to rotate the key to the remote server, and `--key-type` (shorthand `-t`)
specifies the role.
Here, `-r` specifies to rotate the key to the remote server.

When adding a delegation, your must acquire a x509 certificate with the public
key of the user you wish to delegate to. The user who will assume this
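Review bot: removing the `--key-type` sentence leaves the positional `snapshot` argument in the new example unexplained; the replacement line only says what `-r` does. Suggest something like "Here, `snapshot` is the role whose key is being rotated, and `-r` specifies to rotate the key to the remote server." Unrelated to this change but in the trailing context: "your must acquire a x509 certificate" should be "you must acquire an x509 certificate".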
Expand Down Expand Up @@ -201,7 +202,7 @@ In the preceding example, you add the target `delegation/path/target` to
collection `example/collections` staged for next publish. The file
`delegation_file.txt` is a target `delegation/path/target` using the delegation
role `targets/releases`. This target's path is valid because it is prefixed by
the delegation role's valid path.
the delegation role's valid path.

The `notary list` and `notary remove` commands can also take the `--roles` flag
to specify roles to list or remove targets from. By default, this operates over
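Review bot: the removed and added lines here ("the delegation role's valid path.") are textually identical, so this hunk appears to be a whitespace-only change (most likely a trailing space or line-ending fix). That is fine to include, but it is worth a mention in the commit message so reviewers are not left looking for a content difference.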