diff --git a/Divorce-Your-Linux-Admin.rst b/Divorce-Your-Linux-Admin.rst index 2c11de9..9a2a522 100644 --- a/Divorce-Your-Linux-Admin.rst +++ b/Divorce-Your-Linux-Admin.rst @@ -259,10 +259,29 @@ +++++++++ .. Note:: If you're doing this behind a proxy, you may need to - configure things to get around man-in-the middle madness - introduced by many enterprise proxies. This is only for - the build phases, it is not needed to run the resulting - packages:: + configure things to get around man-in-the middle madness + introduced by many enterprise proxies. Things like ``curl`` + need to verify certificates to initiate TLS transport. + System ``curl`` knows how to find the OS trust store, + but the ``curl`` we build with this procedure has its + own trust store that needs to be made aware of your + CA chain. + + This procedure creates new ``openssl`` instances (1.0 and + 1.1) they need to be made aware of your system's CA chain + right after they are installed. The existing + ``.../tools/etc/openssl/cert.pem`` and + ``.../tools/etc/openssl@1.1/etc/cert.pem`` should be moved + to a backup name or location. Then these names should be + symlinked to your sytem CA chain. On a ``CentOS`` system + this is typically found at:: + + /etc/pki/ca-trust/expetracted/pem/tls-ca-bundle.pem + + If you absolutely cannot get this working you can turn off + certificate validation *but this is highly discouraged*. By + doing so, you can introduce code from illegitimate sources + this way:: echo insecure >> ~/.curlrc git config --global http.sslVerify false
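Review bot: the CentOS bundle path added in this hunk contains a typo, ``/etc/pki/ca-trust/expetracted/pem/tls-ca-bundle.pem`` should read ``/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem``; a reader who copies it verbatim ends up with a dangling symlink in place of ``cert.pem`` and the freshly built ``curl`` still fails certificate verification. While here, fix ``sytem`` to ``system`` and ``man-in-the middle`` to ``man-in-the-middle``. The removed lines also stated that the workaround is "only for the build phases, it is not needed to run the resulting packages", and that qualifier is lost in the rewrite; since the fallback writes ``insecure`` to ``~/.curlrc`` and sets ``http.sslVerify false`` globally, both of which persist well past the build, consider restoring a sentence that tells the reader to revert those two settings once the packages are built.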