diff --git a/doc/Changelog b/doc/Changelog
index b1d451123..d85daba25 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+6 July 2018: Wouter
+	- Fix documentation ambiguity for tls-win-cert in tls-upstream and
+	  forward-tls-upstream docs.
+
 4 July 2018: Wouter
 	- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
 	  if DNSSEC is not enabled.  New option -R allows fallback from
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index b5429fdf9..c3a4c14c1 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -403,7 +403,7 @@ Enabled or disable whether the upstream queries use TLS only for transport.
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
-If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
 load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
@@ -1514,7 +1514,7 @@ The default is no.
 .B forward\-tls\-upstream: \fI<yes or no>
 Enabled or disable whether the queries to this forwarder use TLS for transport.
 Default is no.
-If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
 load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>