diff --git a/docs/includes/nts-commands.adoc b/docs/includes/nts-commands.adoc
index a25d645e2..0e4c1d0b0 100644
--- a/docs/includes/nts-commands.adoc
+++ b/docs/includes/nts-commands.adoc
@@ -10,11 +10,11 @@ The options are as follows:
 
 +cert+ _file_::
   Present the certificate (chain) in _file_ as our certificate.
-  +
-  Note that there is no checking on the certificate.
-  In particular, it may have expired or may not cover the host name
-  used to get to this server or may not be signed by a CA that
-  is in the clients root-server collection.
++
+Note that there is no checking on the certificate.
+In particular, it may have expired or may not cover the host name
+used to get to this server or may not be signed by a CA that
+is in the clients root-server collection.
 
 +key+ _file_::
   Read the private key to our certificate from _file_.
@@ -62,9 +62,9 @@ The options are as follows:
    An OpenSSL ciphersuite list to configure the allowed ciphersuites for
    TLS 1.3.  A single NULL cipher disables encryption and use of certificates.
    This sets the ciphers used by both the client and server sides.
-   +
-   The server picks the cipher.  The default is client preference.
-   Specifying ciphersuites also switches to server preference.
++
+The server picks the cipher.  The default is client preference.
+Specifying ciphersuites also switches to server preference.
 
 +tlsecdhcurves+ _string_::
    An OpenSSL ecdhcurves list to configure the allowed ecdhcurves for
@@ -93,14 +93,14 @@ The following options of the +server+ command configure NTS (as a client).
 +nts+::
   Use Network Time Security (NTS) for authentication.  Normally,
   this is all you have to do to activate the client side of NTS.
-  +
-  The hostname following the +server+ command is used as the address
-  of the NTS key exchange server (NTS-KE) rather than the address
-  of a NTP server.  The NTS-KE exchange defaults to using the same
-  IP address for the NTP server.
-  +
-  Note that the +server+ hostname must match the name on the NTS-KE
-  server's certificate.
++
+The hostname following the +server+ command is used as the address
+of the NTS key exchange server (NTS-KE) rather than the address
+of a NTP server.  The NTS-KE exchange defaults to using the same
+IP address for the NTP server.
++
+Note that the +server+ hostname must match the name on the NTS-KE
+server's certificate.
 
 +noval+::
   Do not validate the server certificate.
@@ -116,15 +116,15 @@ The following options of the +server+ command configure NTS (as a client).
   The only options supported are AES_SIV_CMAC_256, AES_SIV_CMAC_384, and
   AES_SIV_CMAC_512.  The server may ignore the request.  See the +aead+
   option above.
-  +
-  The same +aead+ algorithms are also used to encrypt cookies.
-  The default is AES_SIV_CMAC_256.  There is no config file option to
-  change it, but you can change it by editing the saved cookie key
-  file, probably _/var/lib/ntp/nts-keys_.  Adjust the _L:_ slot to be
-  48 or 64 and adjust the _I:_ slots to have the right number of bytes.
-  Then restart the server.  (All old cookies held by clients will be
-  rejected so their next 8 NTP requests will be ignored.  They should
-  recover by retrying NTS-KE to get fresh cookies.)
++
+The same +aead+ algorithms are also used to encrypt cookies.
+The default is AES_SIV_CMAC_256.  There is no config file option to
+change it, but you can change it by editing the saved cookie key
+file, probably _/var/lib/ntp/nts-keys_.  Adjust the _L:_ slot to be
+48 or 64 and adjust the _I:_ slots to have the right number of bytes.
+Then restart the server.  (All old cookies held by clients will be
+rejected so their next 8 NTP requests will be ignored.  They should
+recover by retrying NTS-KE to get fresh cookies.)