diff --git a/docs/operations/deploy/common.md b/docs/operations/deploy/common.md
index bc7f495..ce63196 100644
--- a/docs/operations/deploy/common.md
+++ b/docs/operations/deploy/common.md
@@ -26,6 +26,10 @@ Warning: Permanently added 'artwork-1.dev.centos.org' (ECDSA) to the list of kno
 
 ```
 
+!!! tip
+    it's also possible to *not* do the ssh host key checking, but not adviced, by using `ANSIBLE_HOST_KEY_CHECKING=False` env variable in front of the first playbook execution in the next steps. As said, it's possible and should *eventually* only be used for .dev. or .stg. environment, and on just provisioned instances (non public) like Virtual Machines
+
+
 Now we can proceed with next steps.
 Let's add the node in the correct Ansible inventory (like for example `CentOS-CI` or `CentOS-prod` or `CentOS-staging`, etc.
 
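Review bot: the added tip is misspelled and hard to parse ("not adviced", "and on just provisioned instances"); since this is the one place readers learn how to bypass host key verification, it deserves a clear sentence. Suggest something like "It is also possible, but not advised, to skip SSH host key checking by prefixing the first playbook run with `ANSIBLE_HOST_KEY_CHECKING=False`. Only do this for `.dev.` or `.stg.` environments and for freshly provisioned, non-public instances such as virtual machines." Stating the reason (skipping the check means a man-in-the-middle on the first connection would go unnoticed) in the tip itself would make the scoping advice stick.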
diff --git a/docs/security/tls.md b/docs/security/tls.md
index fd94a41..5084f1f 100644
--- a/docs/security/tls.md
+++ b/docs/security/tls.md
@@ -9,14 +9,90 @@ Ansible roles are using the following logic to distribute .key/.cert files
   * {{ public_name }}-CAchain.crt : Trusted chain from CA (usually a symlink in pkistore is enough as we have a very few)
 
 ```
- 
-## Public certificates
 
-### DigiCert
-We have some long-term certificates that we use for www/lists/ci/etc .centos.org
-Those need to be required through DigiCert Web ui and through internal RH ticket.
-Once we have the signed cert back, we can upload it in pkistore and deploy
+## Internal certificates
+
+### IPA/dogtag (central authentication)
+
+While IPA enrolled nodes can directly request TLS certificates, for CentOS infra, due to the fact that almost *all* nodes *can't* be enrolled (no direct link with IPA infra), we have to delegate this on an enrolled node where we can then be granted "delegation" rights in IPA, so that a "fake" enrolled node (created for the real target server that will need a TLS cert) can be "managed by" the enrolled node.
+
+From that enrolled node, we'll then be able to retrieve the TLS cert/keytab and also then export/import into `pkistore` , following the same naming convention as described above.
+
+Depending on the Env (Prod vs STG), you can find which node[s] is/are enrolled (through applied `ipa-client` client role applied with also the `ipa_client_tls_delegated_host` boolean set to `True` (needed for the following script to be present in the ipa-client role).
+
+Pre-requisites:
+
+ * one node enrolled in the correct REALM we want to generate/retrieve TLS cert (and keytab) for
+ * an IPA account that has enough privileges to add hosts/services and local sudo rights on the intermediate enrolled node
+ * `ipa-client` role applied with correct script deployed
+
+Once we have shell access on such enrolled node, we can proceed like this :
+```
+/usr/libexec/centos/generate_ipa_tls_krb5 -n mbs.mbox.stg.centos.org -d 'Koji mbox STG mbs' -s 'HTTP'
+[+] Adding host in IPA and adding delegation to retrieve certs/keytab ...
+------------------------------------
+Added host "mbs.mbox.stg.centos.org"
+------------------------------------
+  Host name: mbs.mbox.stg.centos.org
+  Description: Koji mbox STG mbs
+  Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Password: False
+  Keytab: False
+  Managed by: mbs.mbox.stg.centos.org
+  Host name: mbs.mbox.stg.centos.org
+  Description: Koji mbox STG mbs
+  Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Managed by: mbs.mbox.stg.centos.org, <modified>.fedoraproject.org
+-------------------------
+Number of members added 1
+-------------------------
+------------------------------------------------------------------
+Added service "HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG"
+------------------------------------------------------------------
+  Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Managed by: mbs.mbox.stg.centos.org
+  Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Managed by: mbs.mbox.stg.centos.org, <modified>.fedoraproject.org
+-------------------------
+Number of members added 1
+-------------------------
+  Host name: mbs.mbox.stg.centos.org
+  Description: Koji mbox STG mbs
+  Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Managed by: mbs.mbox.stg.centos.org, <modified>.fedoraproject.org
+  Hosts allowed to retrieve keytab: <modified>.fedoraproject.org
+-------------------------
+Number of members added 1
+-------------------------
+  Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG
+  Managed by: mbs.mbox.stg.centos.org, <modified>.fedoraproject.org
+  Hosts allowed to retrieve keytab: <modified>.fedoraproject.org
+-------------------------
+Number of members added 1
+-------------------------
+[+] Retrieving TLS and keytab files ...
+New signing request "20210705130958" added.
+Keytab successfully retrieved and stored in: /etc/pki/centos/certs/HTTP-mbs.mbox.stg.centos.org.keytab
+[+] Validating TLS against IPA CA ...
+/etc/pki/centos/certs/mbs.mbox.stg.centos.org.crt: OK
+```
+
+!!! tip
+    You need a valid kerberos ticket for the existing REALM, otherwise same script will exit 1. Worth knowing that if you have enabled OTP on your account (a *must* for admins) you can use the `2fa-kinit` script, also deployed by ansible on each enrolled node by the `ipa-client` ansible role
+
+You can now import into `pkistore` (and correct directory based on role) git-crypted repository the needed .crt and .key files from /etc/pki/centos/certs/ directory
+
+
+### Red Hat CA (internal setup only)
 
+ 
+## Public certificates
 
 ### Letsencrypt
 
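Review bot: the new `### Red Hat CA (internal setup only)` heading is added with no body, so the rendered page will show an empty section directly above `## Public certificates`; either drop the heading until there is content or add at least a one-line description. Two smaller points in the same hunk: the sentence starting "Depending on the Env (Prod vs STG), you can find which node[s] is/are enrolled (through applied `ipa-client` client role applied with also the `ipa_client_tls_delegated_host` boolean set to `True` ..." opens two parentheses and closes only one, and "role applied ... applied" is duplicated; and the `+ ` line inserted just before `## Public certificates` is a whitespace-only line, which the hunk removes a few lines earlier and now re-adds. The output block would also benefit from a language tag (the other blocks on this page are untagged too, so this is optional) and the `<modified>.fedoraproject.org` placeholder should be called out in the prose as the name of the delegated enrolled node, since that is the value a reader has to map to their own setup.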
@@ -76,7 +152,8 @@ And back on the certbot node, where it just updates, then waits and finalizes th
 
 ```
 
-PS : for a wildcard, just add multiple -d and '*.domain'
+PS : for a wildcard, just add multiple -d and `*.domain`
+
 ```
 acme.sh --issue --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --challenge-alias stg.acme.centos.org
 ```
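Review bot: this hunk only swaps the single quotes around `*.domain` for backticks, which is fine, but the "PS :" line would read better as the `!!! tip` admonition style this same patch introduces elsewhere, and it could state why the example passes `--dns dns_nsupdate`: a wildcard can only be issued through the DNS-01 challenge, which is why the HTTP-based flow documented above the hunk does not apply here. Also worth keeping the shell quotes around `'*.stg.centos.org'` in the command (they are present and correct) while the prose uses backticks.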