diff --git a/docs/security/tls.md b/docs/security/tls.md
index 426e66d..75f08a4 100644
--- a/docs/security/tls.md
+++ b/docs/security/tls.md
@@ -237,7 +237,27 @@ Validating cert [koji.mbox.centos.org.crt] with CAChain [koji.mbox.centos.org-CA
 koji.mbox.centos.org.crt: OK
 
 ```
-Once it's committed/pushed to pkistore git repo, tobisna (ansible bot) will deploy the renewed TLS certs automatically
 
+Let's consider now three infrastructures and how to push renewed certs :
 
+#### CentOS public infra (including .dev. and .stg. infra)
+Once it's committed/pushed to pkistore git repo, tobisna (ansible bot) will deploy the renewed TLS certs automatically.
+You can still "force" the playbook execution if you want, from ansible bot host but should be done automatically and you can see reports through ARA.
+
+#### CentOS CI infra
+There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself.
+Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with :
+```
+for role in haproxy ocp-admin-node ; do
+  ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs"
+done
+```
+
+#### CentOS Stream infra
+Same as for other parts of infra, except that you *have* to encrypt with ansible-vault before git commit/git push operations (important).
+Once done : 
+
+```
+ansible-playbook-stream playbooks/role-haproxy.yml --tags "tls,pki"
+```
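Review bot: In the "CentOS Stream infra" section, the ansible-vault requirement is flagged as important but the text gives neither the command nor a way to confirm it was done, so unencrypted TLS material can be committed and pushed if the step is forgotten. Suggest spelling out the encrypt step before "Once done :" and adding a check before `git commit` that the file begins with the `$ANSIBLE_VAULT;` header. Also, the CI loop passes `--tags "tls,pki,certs"` while the Stream command passes `--tags "tls,pki"`; if the difference is intentional, say why, otherwise align them. Minor: the CI `for` loop goes on to `ocp-admin-node` even when the `haproxy` run fails (consider `|| break`), and the "Once done : " line has trailing whitespace.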