diff --git a/source/user-guide/el2g.rst b/source/user-guide/el2g.rst index cfaab7cb4..59887383e 100644 --- a/source/user-guide/el2g.rst +++ b/source/user-guide/el2g.rst @@ -231,6 +231,22 @@ EdgeLock 2GO Concepts * **Subdomain** — Every EdgeLock 2GO account has a "device-link" subdomain that a device's ``nxp_iot_agent_demo`` binary connects to. This is the service where secure objects will be exchanged. +Installing Additional Secure Objects +------------------------------------ + +Additional Secure Objects can be defined in EdgeLock 2GO through the API. +These objects are provisioned into the Secure Element when the device registers. +On top of this, keypairs and certificates are loaded into PKCS#11 so they are accessible, e.g., OpenSSL. +The convention is that the keypair secure object has an even-numbered OID (e.g. 0x10000010) and the corresponding certificate has an OID one higher (e.g. 0x10000011). +To enable automatic loading of the keypair and certificate, the ``GENERIC_KEYPAIRS`` variable must be set in ``/etc/default/lmp-el2go-auto-register`` e.g., + +:: + # recipes-support/lmp-el2go-auto-register/lmp-el2go-auto-register/default.env + REPOID= + GENERIC_KEYPAIRS="0x10000010" + +``GENERIC_KEYPAIRS`` defaults to 0X83000044 which is the OID used by AWS IoT. + Further Details ---------------
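Review bot: the literal block at the end of the new "Installing Additional Secure Objects" section looks malformed: the added "::" line is followed directly by the indented "# recipes-support/..." sample with no blank line between them, and reStructuredText needs a blank line after "::" for the indented text to render as a literal block. Three smaller points in the same hunk. The sentence "so they are accessible, e.g., OpenSSL" is missing a word (probably "accessible to, e.g., OpenSSL"). The default is written "0X83000044" with an uppercase X while the other OIDs use "0x"; please make these consistent. The prose says the variable is set in /etc/default/lmp-el2go-auto-register, but the sample's comment names recipes-support/lmp-el2go-auto-register/lmp-el2go-auto-register/default.env, so it is worth one sentence saying that the recipe file is what gets installed at that path, if that is the case. It would also help to state whether GENERIC_KEYPAIRS accepts more than one OID (and with which separator), and whether setting it to "0x10000010" as in the sample replaces the 0x83000044 default, since a reader who also depends on the AWS IoT keypair needs to know whether to list both.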