diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5f1eec78fb..ec4d637a12 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2046,9 +2046,12 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
authentication, the authentication option clientcert is
assumed to be verify-ca or verify-full,
and it cannot be turned off since a client certificate is necessary for this
- method. What the cert method adds to the basic
- clientcert certificate validity test is a check that the
- cn attribute matches the database user name.
+ method. If sslmode is set to verify-full, libpq will verify
+ that the server host name matches the cn stored in the
+ client certificate. If sslmode is set to verify-ca, libpq
+ will verify that the client is trustworthy by checking the certificate chain
+ up to the root certificate and it does not verify server hostname and client
+ certificate common name match.