diff --git a/Linux-Web-UI-setting-up-HTTPS-with-Let's-Encrypt-certificates.md b/Linux-Web-UI-setting-up-HTTPS-with-Let's-Encrypt-certificates.md index d85ab4f..6b4126a 100644 --- a/Linux-Web-UI-setting-up-HTTPS-with-Let's-Encrypt-certificates.md +++ b/Linux-Web-UI-setting-up-HTTPS-with-Let's-Encrypt-certificates.md 
@@ -2,16 +2,15 @@ You can easily setup HTTPS for the web interface with a Let's Encrypt certificate. The advantage of this method over using self-signed certificates is that all modern browsers will trust Let's Encrypt certificates by default, so you'll get no warnings when accessing the web page and there will be no need to add security exceptions. -This guide assumes you have a working qbitorrent-nox setup (check [this](https://github.com/qbittorrent/qBittorrent/wiki/Setting-up-qBittorrent-on-Ubuntu-server-as-daemon-with-Web-interface-(15.04-and-newer)) article if you haven't). +This guide assumes you have a working qbitorrent-nox setup (check [this][qbt-nox-wiki-setup] article if you haven't). This guide also assumes that: * you know how to and can forward ports on your router. -* you have setup a DNS pointing to the IP you are running the Web UI from (you can use a free one like [Duck DNS](https://www.duckdns.org/)). +* you have setup a DNS pointing to the IP you are running the Web UI from (you can use a free one like [Duck DNS][duckdns-url]). # Install `certbot` -[`certbot`](https://certbot.eff.org/) is the recommended ACME client for requesting and managing Let's Encrypt certificates. It is available on the official Ubuntu repositories, but there is an official PPA always updated with the most recent stable version, so that is the one to install. +[`certbot`][certbot-url] is the recommended ACME client for requesting and managing Let's Encrypt certificates. It is available on the official Ubuntu repositories, but there is an official PPA always updated with the most recent stable version, so that is the one to install. ```shel -sudo apt update -sudo apt install software-properties-common +sudo apt update && sudo apt upgrade -y # first update all packages in the system sudo add-apt-repository ppa:certbot/certbot sudo apt update sudo apt install certbot 
@@ -19,19 +18,31 @@ sudo apt install certbot # Obtaining the certificate -The method used for obtaining the certificate will be the `standalone` method. As such, before you actually run the necessary command, you need to: -* temporarily stop any program/server listening on port 80 (check with `sudo netstat -tulpn`, for example) -* forward port 80 on your router -* allow port 80 on your firewall (most likely `ufw`) if it is not already allowed +You will need either port 80 or 443 free during this process. If you have additional software running on your machine bound to port 443, you will want to use port 80 and vice-versa. **In this example we will use port 80 for the certificate issuance process**. If you want to use port 443, the only thing that you need to change besides the port number would be the `--preferred-challenges` from `http` to `tls-sni` in the command below. Refer to the cerbot documentation for more information on this. -So, after forwarding port 80 and temporarily stopping any program listening on port 80, run the following commands to obtain your certificate (replace `yourwebuidomain.duckdns.org` with your actual domain): +The method used for obtaining the certificate will be the `standalone` method. 
Before you actually run the necessary command, you need to: +* temporarily stop any program/server bound to port 80 (check with `sudo netstat -tulpn`, for example); +* forward port 80 on your router; +* allow port 80 on your firewall (most likely `ufw`) if it is not already allowed; + +Now, run the following commands to obtain your certificate (replace `yourwebuidomain.duckdns.org` with your actual domain): ```shell sudo ufw allow 80 sudo ufw reload -sudo certbot certonly --standalone -d yourwebuidomain.duckdns.org +sudo certbot certonly --standalone --preferred-challenges http --must-staple --redirect --hsts --uir --staple-ocsp --rsa-key-size 4096 --domain yourwebuidomain.duckdns.org ``` After the certificate is generated successfully, you can restart any program you had listening on port 80 or maybe re-block port 80 if you weren't using it (`sudo ufw deny 80 && sudo ufw reload`). +Note: the following five options used above are optional, but good for hardened security: +* --rsa-key-size 4096 +* --must-staple +* --redirect +* --hsts +* --uir +* --staple-ocsp + +Refer to the [documentation][certbot-docs-cmd-opt] for more info + # Installing the certificate on the Web UI 1. Go to your Web UI, `yourwebuidomain.duckdns.org`. 
@@ -56,10 +67,8 @@ Each time the command is run, `certbot` checks if any certificate is more than 6 You can put your renewal command (without `sudo`) in a crontab or a systemd unit set to run daily or twice a day, which is what the Let's Encrypt folks recommend. -# Note on the port used for `certbot` -By default, `certbot` uses port 80 for challenges. I find this default to be convenient, since, even though I run webservers other that the qBittorrent WebUI on my machine, those use HTTPS and listen on port 443 exclusively. - -When I wrote this I assumed most people either don't have additional web servers or if they do, they aren't actually using port 80 (and they might actively block it). Thus, for most users there is no need restart anything when obtaining or renewing the certificate for the qBittorrent Web UI, when following this tutorial verbatim. - -If, by chance, you happen to have a web server or other program listening on port 80 and your port 443 is free, you can instruct `certbot` to use port 443 for the challenges (see the documentation), thus eschewing the need to restart programs listening on port 80 when obtaining/renewing the certificate for the qBittorrent Web UI. \ No newline at end of file +[qbt-nox-wiki-setup]: https://github.com/qbittorrent/qBittorrent/wiki/Setting-up-qBittorrent-on-Ubuntu-server-as-daemon-with-Web-interface-(15.04-and-newer) +[duckdns-url]: https://www.duckdns.org/ +[certbot-url]: https://certbot.eff.org/ +[certbot-docs-cmd-opt]: https://certbot.eff.org/docs/using.html#certbot-command-line-options \ No newline at end of file
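Review bot: in the first hunk, dropping `sudo apt install software-properties-common` can break the very next line, since `add-apt-repository` is provided by that package and is absent on minimal Ubuntu server installs; keep the install line (the `apt upgrade -y` addition is unrelated to certbot and is better left to the reader). While touching this block, the fence opener `shel` in the unchanged context line should read `shell`, as the later fences on the page do, otherwise the block is not rendered as shell.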
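Review bot: in the second hunk, the new `certbot certonly --standalone ...` command mixes installer options into a `certonly` run: `--redirect`, `--hsts`, `--uir` and `--staple-ocsp` only act when certbot installs the certificate into a supported web server (apache/nginx plugins), so with `certonly --standalone` they are no-ops and the "good for hardened security" note overstates what they do; `--must-staple` does take effect, but it adds the OCSP Must-Staple extension to the certificate, and a browser enforcing it will refuse the connection if the server presenting the certificate does not staple OCSP responses, so that flag should be marked as only safe when the Web UI server actually staples. Smaller points in the same hunk: the note says "the following five options" but lists six; "cerbot" should be "certbot"; and the advice to switch `--preferred-challenges` to `tls-sni` should instead send readers to the certbot documentation already linked, because the TLS-SNI challenge has been retired by Let's Encrypt and will not issue.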
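Review bot: in the third hunk, the removed "Note on the port used" section is the only place that explained why port 80 is free on most setups and that renewals need no restart when following the guide verbatim; the new paragraph in the second hunk covers the 80/443 choice but not the renewal implication, so consider carrying that sentence over into the renewal section. Also, the file still ends without a trailing newline (`\ No newline at end of file` on the last reference-link definition); add one so future diffs stay clean.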