diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 2f5c30d12..271a0d455 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -185,6 +185,7 @@ anchors for PKINIT KDC certificates. .It Li pkinit_revoke = Va HX509-STORE ... This is a multi-valued parameter naming one or more stores of CRLs for the issuers of PKINIT KDC certificates. +Only the first valid CRL for a particular issuer will be checked. If no CRLs are configured, then CRLs will not be checked. This is because hx509 currently lacks support. .El @@ -905,6 +906,7 @@ type stores are OpenSSL-style CA certificate hash directories. .It Li pkinit_revoke = Va HX509-STORE ... This is a multi-valued parameter naming one or more stores of CRLs for the issuers of PKINIT client certificates. +Only the first valid CRL for a particular issuer will be checked. If no CRLs are configured, then CRLs will not be checked. This is because the KDC will not dereference CRL distribution points nor request OCSP responses.
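Review bot: In the first hunk (the KDC-side `pkinit_revoke` entry, around line 185), the added line "Only the first valid CRL for a particular issuer will be checked." leaves both "first" and "valid" undefined: it is not clear whether "first" means the order in which the stores are listed in `pkinit_revoke` or the order of CRLs within a store, nor whether "valid" means merely well-formed, correctly signed by the issuer, or also within its thisUpdate/nextUpdate window. Since the surrounding text already notes that hx509 has limited CRL support, suggest spelling this out, e.g. "Of the CRLs found for a given issuer, only the first one that is correctly signed and within its validity period is consulted, in the order the stores are listed; any other CRLs for that issuer are ignored."

Review bot: In the second hunk (the client-side `pkinit_revoke` entry, around line 906), the same sentence is added verbatim but its operational consequence is left implicit: a revocation published only in a second CRL for the same issuer will not be detected, so an administrator who points `pkinit_revoke` at several overlapping stores gets no benefit from the extra ones. Suggest adding one sentence stating that directly, e.g. "Administrators should therefore ensure that the first CRL for each issuer is the current one, because revocations listed only in later CRLs for that issuer are not seen.", and consider cross-referencing the KDC-side entry so both descriptions stay in sync when this behaviour changes.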