Update SECURITY.md for #513 with some clearer instruction around keys and keystores

SECURITY.md

@@ -9,7 +9,7 @@ If set to true, then the default certificates from the JVM are used in addition
 
 ### Providing custom certificates (`20.0.0.3+`)
 
-It is possible to provide custom PEM certificates by mounting the files into the container. Files that will be imported are `tls.key`, `tls.crt` and `ca.crt`.
+It is possible to provide custom PEM certificates by mounting the files into the container. Files that will be imported are `tls.key`, `tls.crt` and `ca.crt`. The private key `tls.key` must not be encrypted or container startup will fail.
 
 The location can be specified by `TLS_DIR` environment variable. Default location
 for certificates is `/etc/x509/certs/`.
@@ -26,6 +26,8 @@ A custom keystore can be provided during the application image's build phase by
 
 You must then override the keystore's password by including your copy of the `keystore.xml` file inside the `/config/configDropins/defaults/` directory.
 
+Adding the key.p12 file and the keystore.xml override must happen after any calls to `features.sh` or `configure.sh` so they take precedence over anything generated by `features.sh` and `configure.sh`.
+
 
 ## Single Sign-On configuration
 The following variables configure container security for Single Sign-On using the socialLogin-1.0 feature.