diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go
index a455da0ee0d..f9deb2f4169 100644
--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@@ -49,7 +49,11 @@ type Config struct {
 // What digits we should prepend to serials after randomly generating them.
 SerialPrefix int `validate:"required,min=1,max=127"`
- // The maximum number of subjectAltNames in a single certificate
+ // MaxNames is the maximum number of subjectAltNames in a single cert.
+ // The value supplied MUST be greater than 0 and no more than 100. These
+ // limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
+ // Subscriber Certificate". The value must match the RA and WFE
+ // configurations.
 MaxNames int `validate:"required,min=1,max=100"`
 // LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
index 8dcb0743326..c63d7a3a095 100644
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -42,7 +42,12 @@ type Config struct {
 PublisherService *cmd.GRPCClientConfig
 AkamaiPurgerService *cmd.GRPCClientConfig
- MaxNames int `validate:"required,min=1"`
+ // MaxNames is the maximum number of subjectAltNames in a single cert.
+ // The value supplied MUST be greater than 0 and no more than 100. These
+ // limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
+ // Subscriber Certificate". The value must match the CA and WFE
+ // configurations.
+ MaxNames int `validate:"required,min=1,max=100"`
 // AuthorizationLifetimeDays defines how long authorizations will be
 // considered valid for. Given a value of 300 days when used with a 90-day
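Review bot: The new comment on `MaxNames` in cmd/boulder-ca/main.go says the value must match the RA and WFE configurations, but the `validate` tag only bounds this one field, so nothing visible here catches a mismatch between components. The same applies to the RA hunk in cmd/boulder-ra/main.go. This diff does not touch a WFE config, so whether the WFE carries the same `max=100` bound cannot be confirmed from this page. If no cross-component check exists, I would say so in the comment, for example `// A mismatch is not detected by config validation; keep all three in sync.` The Config struct continues outside the hunk.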
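Review bot: Adding `max=100` to the RA's `MaxNames` tag in cmd/boulder-ra/main.go tightens validation, so an RA config that was previously accepted with a value above 100 would now be rejected, presumably when the config is validated at load. That matches the CP/CPS limit cited in the comment, but the commit description should mention it so operators check their RA config before deploying. A config-validation test that feeds the RA a `MaxNames` of 101 and expects a rejection would pin the new upper bound alongside the CA's existing one. The struct starts and ends outside the hunk.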