diff --git a/docs/csaf_checker.md b/docs/csaf_checker.md
index 6dc103ba..82916ae8 100644
--- a/docs/csaf_checker.md
+++ b/docs/csaf_checker.md
@@ -69,6 +69,8 @@ type 2: error
 
 The checker result is a success if no checks resulted in type 2, and a failure otherwise.
 
+Using the `client-passphrase` option may imply an [security issue](https://pkg.go.dev/crypto/x509@go1.20.6#DecryptPEMBlock).
+
 The option `timerange` allows to only check advisories from a given time interval.
 It is only allowed to specify one off them. 
 There are following variants:
diff --git a/docs/csaf_downloader.md b/docs/csaf_downloader.md
index 2fb98d97..ff0aa877 100644
--- a/docs/csaf_downloader.md
+++ b/docs/csaf_downloader.md
@@ -69,6 +69,8 @@ worker              = 2
 validatorpreset     = ["mandatory"]
 ```
 
+Using the `client-passphrase` option may imply an [security issue](https://pkg.go.dev/crypto/x509@go1.20.6#DecryptPEMBlock).
+
 The `timerange` parameter enables downloading advisories which last changes falls
 into a given intervall. There are three possible notations:
 
diff --git a/docs/examples/aggregator.toml b/docs/examples/aggregator.toml
index 4abbba3a..6842d038 100644
--- a/docs/examples/aggregator.toml
+++ b/docs/examples/aggregator.toml
@@ -40,7 +40,7 @@ insecure = true
   write_indices = true
   client_cert = "./../devca1/testclient1.crt"
   client_key = "./../devca1/testclient1-key.pem"
-#  client_passphrase =
+#  client_passphrase = # See checker doc for security remark.
 #  header =
 
 [[providers]]