diff --git a/CHANGELOG.md b/CHANGELOG.md index 70635fb6d..4de80b221 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,10 +37,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - Detect OIDC tokens issued by Kubernetes (smallstep/cli#953). - Add support for Smallstep Managed Endpoint X509 extension (smallstep/cli#989). +- Support signing a certificate for a private key that can only be used for encryption with the `--skip-csr-signature` flag in `step certificate create`. Some KMSs restrict key usage to a single type of cryptographic operation. This blocks RSA decryption keys from being used to sign a CSR for their public key. Using the `--skip-csr-signature` flag, the public key is used directly with a certificate template, removing the need for the CSR signature. ### Changed - Increase PBKDF2 iterations to 600k (smallstep/cli#949). +- `--kms` flag is no longer used for the CA (signing) key for `step certificate create`. It was replaced by the `--ca-kms` flag (smallstep/cli#942). ### Fixed
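Review bot: the added `--skip-csr-signature` entry is the only line in this hunk without a PR reference, while its neighbours cite one (smallstep/cli#953, smallstep/cli#989, smallstep/cli#949, smallstep/cli#942); add the matching reference so the entry can be traced. The same entry says the flag removes "the need for the CSR signature" but does not say what is lost. The CSR signature is the proof that the requester holds the private key, so the entry should state that this check is skipped and that the flag is meant for keys a KMS restricts to decryption. In the "Changed" entry for `--kms`, existing invocations of `step certificate create` that pass `--kms` for the CA key will behave differently after this change; consider marking the line as a breaking change and naming `--ca-kms` as the required replacement.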