cert.d: clarify that escape character works for file paths

Closes #9349
Jacob Tolar 2022-08-22 17:18:59 -05:00 committed by Daniel Stenberg
parent 313e606d99
commit 74af81ca03
GPG Key ID: 5CC908FDB71E12C2

@ -14,19 +14,23 @@ Tells curl to use the specified client certificate file when getting a file
with HTTPS, FTPS or another SSL-based protocol. The certificate must be in
PKCS#12 format if using Secure Transport, or PEM format if using any other
engine. If the optional password is not specified, it will be queried for on
the terminal. Note that this option assumes a "certificate" file that is the
private key and the client certificate concatenated! See --cert and --key to
the terminal. Note that this option assumes a certificate file that is the
private key and the client certificate concatenated. See --cert and --key to
specify them independently.
In the <certificate> portion of the argument, you must escape the character ":"
as "\\:" so that it is not recognized as the password delimiter. Similarly, you
must escape the character "\\" as "\\\\" so that it is not recognized as an
escape character.
If curl is built against the NSS SSL library then this option can tell
curl the nickname of the certificate to use within the NSS database defined
by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the
NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be
loaded. If you want to use a file from the current directory, please precede
it with "./" prefix, in order to avoid confusion with a nickname. If the
nickname contains ":", it needs to be preceded by "\\" so that it is not
recognized as password delimiter. If the nickname contains "\\", it needs to
be escaped as "\\\\" so that it is not recognized as an escape character.
loaded.
If you provide a path relative to the current directory, you must prefix the
path with "./" in order to avoid confusion with an NSS database nickname.
If curl is built against OpenSSL library, and the engine pkcs11 is available,
then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
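Review bot: The new escaping paragraph ("In the <certificate> portion of the argument, you must escape the character ":" ...") is worded as unconditional, but the PKCS#11 URI paragraph in the trailing context describes a certificate value that always contains ":" as part of its scheme. State explicitly whether a PKCS#11 URI has to be escaped as well, or word the rule as applying to file paths and NSS nicknames only. A one-line example of an escaped path followed by a password would also help here, since the doubled backslashes in this source render as single ones and readers still have to quote them for their shell.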