diff --git a/docs/acme-caddy-walkthrough.md b/docs/migration/acme-from-caddy.md
similarity index 93%
rename from docs/acme-caddy-walkthrough.md
rename to docs/migration/acme-from-caddy.md
index 5af0fc1..98a8b68 100644
--- a/docs/acme-caddy-walkthrough.md
+++ b/docs/migration/acme-from-caddy.md
@@ -1,5 +1,12 @@
 # Caddy Integration Walkthrough
 
+> **Use this walkthrough when** you're already running Caddy 2.7+ and
+> want it to ACME-issue from certctl (your internal CA, your private
+> PKI, or a local sub-CA chained under an enterprise root) instead of
+> Let's Encrypt. The Caddyfile changes are minimal; the load-bearing
+> piece is trusting certctl's bootstrap CA so Caddy's ACME client can
+> talk to certctl over HTTPS.
+
 End-to-end recipe for issuing certs from a certctl-server deployment
 through Caddy 2.7+. Target audience: operator running Caddy on a VM
 or container who wants Caddy to ACME-issue from certctl instead of
diff --git a/docs/acme-cert-manager-walkthrough.md b/docs/migration/acme-from-cert-manager.md
similarity index 95%
rename from docs/acme-cert-manager-walkthrough.md
rename to docs/migration/acme-from-cert-manager.md
index d41ee0c..d9a63c1 100644
--- a/docs/acme-cert-manager-walkthrough.md
+++ b/docs/migration/acme-from-cert-manager.md
@@ -1,5 +1,14 @@
 # cert-manager Integration Walkthrough
 
+> **Use this walkthrough when** you're already running cert-manager
+> 1.15+ in Kubernetes and want it to issue certs from certctl (your
+> internal CA, your private PKI, or a local sub-CA chained under an
+> enterprise root) via the standard ACME `ClusterIssuer` model. If
+> you want certctl to coexist with cert-manager rather than replace
+> its issuer backend, see
+> [`docs/migration/cert-manager-coexistence.md`](cert-manager-coexistence.md)
+> instead.
+
 End-to-end recipe for issuing certs from a certctl-server deployment
 through cert-manager 1.15+. Target audience: Kubernetes operator who
 has never deployed certctl before and wants a working
diff --git a/docs/acme-traefik-walkthrough.md b/docs/migration/acme-from-traefik.md
similarity index 93%
rename from docs/acme-traefik-walkthrough.md
rename to docs/migration/acme-from-traefik.md
index 7543f58..e703eec 100644
--- a/docs/acme-traefik-walkthrough.md
+++ b/docs/migration/acme-from-traefik.md
@@ -1,5 +1,12 @@
 # Traefik Integration Walkthrough
 
+> **Use this walkthrough when** you're already running Traefik 3.0+
+> (Kubernetes or VM) and want it to ACME-issue from certctl (your
+> internal CA, your private PKI, or a local sub-CA chained under an
+> enterprise root) instead of Let's Encrypt. The Traefik static config
+> changes are minimal; the load-bearing piece is `serversTransport.rootCAs`
+> so Traefik trusts certctl's bootstrap CA on every outbound ACME call.
+
 End-to-end recipe for issuing certs from a certctl-server deployment
 through Traefik 3.0+. Target audience: operator running Traefik (in
 Kubernetes or on a VM) who wants to use certctl as their ACME source