doh_client_x509_auth: make it clear that root_ca is optional

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -643,12 +643,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 
 # Use a X509 certificate to authenticate yourself when connecting to DoH servers.
 # This is only useful if you are operating your own, private DoH server(s).
-# (for DNSCrypt, see the `query_meta` feature instead)
+# 'creds' maps servers to certificates, and supports multiple entries.
+# If you are not using the standard root CA, an optional "root_ca"
+# property set to the path to a root CRT file can be added to a server entry.
 
 # [doh_client_x509_auth]
-
+#
 # creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key', root_ca='ca.crt' }
+#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
 # ]