Update SSH_user_certificates.adoc

add some notes and suggestions 
See #66

content/PIV/Guides/SSH_user_certificates.adoc

@@ -1,6 +1,6 @@
 == Using SSH User Certificates with PIV keys
 This is a step-by-step on how to setup SSH user certificates using PIV
-for hardware-backed keys. This guide is primarily for an macOS or
+for hardware-backed keys. This guide is primarily for a macOS or
 Linux system.
 
 === Prerequisites
@@ -16,7 +16,7 @@ It has also been tested as *not working* with OpenSSH version 6.9p1.
 
 === Steps
 1. Generate an "ssh user CA" key and trust it for this account on this
-host
+host.
 
   $ ssh-keygen -N '' -C user-ca -f ~/.ssh/ca
   $ sed 's/^/cert-authority /' ~/.ssh/ca.pub > ~/.ssh/authorized_keys
@@ -65,6 +65,11 @@ If you have followed these steps to the letter, you will not be asked for the PI
 === More info
 For more information see the CERTIFICATES section of https://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1[ssh-keygen(1)].
 
+=== Notes
+
+- The ca key is stored in a file in this example, but could also be stored on another YubiKey in a similar fashion.
+- The target system must have the ca key configured as a cert-authority, either via a user's `authorized_keys` file, or using `sshd_config`.
+
 === Thanks
 Thanks to Christopher Harrell and Dean Sutherland formerly of the
 Paranoids, Information Security at Yahoo, Inc. for providing the