diff --git a/docs/security/tls.md b/docs/security/tls.md
index 53de4fd..7393784 100644
--- a/docs/security/tls.md
+++ b/docs/security/tls.md
@@ -220,11 +220,41 @@ All files (certs/keys) are then available under /root/.acme.sh/{hostname} (you'l
 
 #### How to renew existing certs
 ##### For DNS challenges (existing records)
-For each cert/dns record, we have to ask for a renewal
+
+Each `pkistore` git repository (based on the env) will have a `./tools/letsencrypt-renew-import` wrapper tool that will : 
+
+ * inspect .crt TLS files in the pkistore git repo
+ * verify if that's signed by Let's Encrypt CA
+ * access the central acme machine through ssh (from which you initially create new cert) and renew with `acme.sh --renew -d ${domain} --force`
+ * retrieve the .crt and CA chain, and also corresponding .key
+ * reencrypt (if needed, based on env) with ansible-vault
+
+Once all done and validated, you can just git commit && git push back as usual
+
+Example : 
+
 ```
-acme.sh --renew-all --dnssleep 3 
+./tools/letsencrypt-renew-import
+[+] Analyzing TLS cert accounts.centos.org.crt ...
+ Renewing [accounts.centos.org.crt] on [acme01.rdu2.centos.org]
+ TLS cert accounts.centos.org.crt remotely renewed so importing key/crt/cachain : SUCCESS 
+ [accounts.centos.org.crt] validated against [/etc/pki/tls/certs/ca-bundle.crt accounts.centos.org-CAChain.crt] : SUCCESS 
+
+[+] Analyzing TLS cert accounts.dev.centos.org.crt ...
+ TLS [accounts.dev.centos.org.crt] file is a symlink so ignoring ... SKIPPED  
+
+[+] Analyzing TLS cert accounts.stg.centos.org.crt ...
+ Renewing [accounts.stg.centos.org.crt] on [acme01.rdu2.centos.org]
+ TLS cert accounts.stg.centos.org.crt remotely renewed so importing key/crt/cachain : SUCCESS 
+ [accounts.stg.centos.org.crt] validated against [/etc/pki/tls/certs/ca-bundle.crt accounts.stg.centos.org-CAChain.crt] : SUCCESS 
+<...>
+
 ```
 
+!!! note
+    if you'll have an error on a specific cert, just ssh into delegate machine for acme.sh and manually kick `acme.sh --renew -d <domain> --force` to see the output and fix the underlying issue (if any)
+    
+
 ##### For HTTP challenges
 
 Same as for dns challenges as we consolidated all under `acme.sh` (and no certbot anymore)
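Review bot: the bullet list describing the wrapper ("retrieve the .crt and CA chain, and also corresponding .key" followed by "reencrypt (if needed, based on env) with ansible-vault") leaves two things unstated that a reader of the "Once all done and validated, you can just git commit && git push" line needs: which environments are the "if needed" ones where the key is committed without ansible-vault, and what "validated" means for the key (the example output only shows the .crt validated against the CA bundle, not that the retrieved .key matches the renewed cert). Suggest one sentence naming the envs that vault the key and a check such as comparing the public key of the .crt and .key before committing. Smaller points: `acme.sh --renew -d ${domain} --force` skips acme.sh's renewal-interval check, so say why `--force` is used here (the same appears in the note for manual recovery); the "Example :" fence is untagged, so a `text` or `console` tag would stop it being rendered as a language guess; and the note text "if you'll have an error on a specific cert" reads better as "if a specific cert fails to renew".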