diff --git a/radsecproxy.c b/radsecproxy.c
index c907c73..6a2acdb 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2465,7 +2465,7 @@ int compileserverconfig(struct clsrvconf *conf, const char *block) {
 debug(DBG_ERR, "error in block %s, no tls context defined", block);
 return 0;
 }
- if (conf->matchcertattrs) {
+ if (conf->confmatchcertattrs) {
 for (i=0; conf->confmatchcertattrs[i]; i++){
 if (!addmatchcertattr(conf, conf->confmatchcertattrs[i])) {
 debugx(1, DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block);
diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
index 299a991..f346e9c 100644
--- a/radsecproxy.conf.5.in
+++ b/radsecproxy.conf.5.in
@@ -413,17 +413,17 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.
 .RE
-\fBmatchCertificateAttribute \fRCN:/\fIregexp\fR/
+\fBMatchCertificateAttribute \fRCN:/\fIregexp\fR/
 .br
-\fBmatchCertificateAttribute \fRSubjectAltName:DNS:/\fIregexp\fR/
+\fBMatchCertificateAttribute \fRSubjectAltName:DNS:/\fIregexp\fR/
 .br
-\fBmatchCertificateAttribute \fRSubjectAltName:URI:/\fIregexp\fR/
+\fBMatchCertificateAttribute \fRSubjectAltName:URI:/\fIregexp\fR/
 .br
-\fBmatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .br
-\fBmatchCertificateAttribute \fRSubjectAltName:rID:\fIoid\fR
+\fBMatchCertificateAttribute \fRSubjectAltName:rID:\fIoid\fR
 .br
-\fBmatchCertificateAttribute \fRSubjectAltName:otherName:\fIoid\fR:/\fIregexp\fR/
+\fBMatchCertificateAttribute \fRSubjectAltName:otherName:\fIoid\fR:/\fIregexp\fR/
 .RS
 Perform additional validation of certificate attributes. Currently matching of CN and SubjectAltName types URI, DNS, IP, rID, and otherName is supported. If specified
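Review bot: The corrected guard in the radsecproxy.c hunk (compileserverconfig) still has no comment separating `confmatchcertattrs` from `matchcertattrs`, and the near-identical names are what let the wrong field be tested; I would add above the `if`: `/* confmatchcertattrs: raw MatchCertificateAttribute strings from the config; addmatchcertattr() compiles each one. Guard on the raw list. */`. If `matchcertattrs` is only filled by addmatchcertattr() (not visible here), the old test was always false at this point, so server blocks would have loaded without error while their certificate-attribute restrictions were never installed. That would be a fail-open on peer authorization and deserves a line in the commit message or changelog so operators know to re-check affected deployments. A config-load test asserting that an invalid MatchCertificateAttribute value in a server block is rejected would pin the behaviour. The function body starts and ends outside the hunk.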
@@ -625,9 +625,7 @@ block. The details are not repeated here. Please refer to the definitions in the
 .br
 .BR "CertificateNameCheck (" on | off )
 .br
-\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
-.br
-\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+\fBMatchCertificateAttribute \fR...
 .br
 .BR "AddTTL " 1-255
 .br