--- /dev/null
+@node Restricted
+@unnumbered Restricted CAs
+
+You can restrict what hosts are allowed to be served by the specified
+CA. For example you want to limit CA with SPKI's SHA256 hash of
+@code{9215d9eeddeb403b0ffebb228cfc13104da825117d3640a0dfbfc0c08a012124}
+to domains only in @code{stargrave.org} tree:
+
+@example
+$ tee fifos/add-restricted < restricted.txt
+9215d9eeddeb403b0ffebb228cfc13104da825117d3640a0dfbfc0c08a012124 stargrave.org
+[...]
+@end example