diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md
index d2c3dcf..e59fc7f 100644
--- a/book/source/04-certificates.md
+++ b/book/source/04-certificates.md
@@ -86,8 +86,11 @@ In addition to the primary key, modern OpenPGP certificates can contain "subkeys
 Subkeys have the same structure as the primary key, but play a subtly different role in the certificate. Subkeys are cryptographically linked with the primary key (more on this below).
 
 ```{figure} diag/with_subkeys.png
----
----
+:name: Certificate with Subkeys
+:alt: Three component keys. The primary key is shown at the top. It can be used for certification. Below it, linked with arrows, are two more component keys, used as subkeys. They are marked as "for encryption" and "for signing", respectively.
+:width: 80%
+:align: center
+
 OpenPGP certificates can contain any number of subkeys
 ```