diff --git a/docs/security/tls.md b/docs/security/tls.md index 7393784..441dba3 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -112,6 +112,9 @@ You can now import into `pkistore` (and correct directory based on role) git-cry While the mentioned above script is probably the one that we'll use the most for nodes, we can also have to create service account, just to retrieve TLS cert used to auth against other services. As we'll just do that on *very* limited use cases, we can just "manually" execute the following snippet, still with first a valid kerberos ticket to be able to add users in IPA (so also on an enrolled machine and ideally the same one we use for the node certificates) : + +##### New account and certificate request + ``` # Let's first define some variables service_account="mbox_stg_kojira" @@ -130,6 +133,17 @@ kinit ${service_account}@${realm} ipa cert-request ${service_account}.csr --principal=${service_account} --profile-id=userCerts --certificate-out=${service_account}.crt && rm ${service_account}.csr ``` +##### Existing account and certificate request (renewal) + +``` +pushd /etc/pki/centos/certs/ >/dev/null +service_account="cbs-kojira" +realm="FEDORAPROJECT.ORG" +kinit ${service_account}@${realm} +openssl req -new -nodes -key ${service_account}.key -out ${service_account}.csr -subj "/CN=${service_account}" +ipa cert-request ${service_account}.csr --principal=${service_account} --profile-id=userCerts --certificate-out=${service_account}.crt && /bin/rm ${service_account}.csr +``` + You can now push both .key/.crt files into `pkistore` git-crypted repository *and* also record the service account password in the IPA-service-accounts file in that same git-crypted repository ### Red Hat CA (internal setup only)
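Review bot: the first hunk adds a level-5 heading (`##### New account and certificate request`) directly inside a section whose siblings are level 3 (`### Red Hat CA (internal setup only)` follows the next hunk), which skips a heading level; unless the surrounding context above this hunk already has a `####` parent, a `####` heading would keep the document outline consistent and renders the same in most viewers. Since a heading is being introduced here anyway, the existing untagged fence right below it could take a language tag (```` ```bash ````) so the snippet gets syntax highlighting; the renewal block added in the second hunk would want the same tag.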
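Review bot: in the second hunk the renewal snippet opens with `pushd /etc/pki/centos/certs/ >/dev/null` but never runs `popd`, so whoever pastes the block is left in the certs directory afterwards; either add `popd >/dev/null` after the `ipa cert-request` line or drop the `pushd` and use absolute paths in `-key`/`-out`. In the same block, `kinit` and `openssl req` are not checked before `ipa cert-request` is run (only the final `rm` is guarded by `&&`), so a failed `kinit` still leads to a CSR being generated and submitted without a ticket; chaining the three commands with `&&`, as is already done for the cleanup step, or prefixing the block with `set -e` would make the failure mode obvious. Two smaller points: this block uses `/bin/rm` where the new-account block above uses plain `rm`, and since the renewal intentionally reuses the existing `${service_account}.key` rather than generating a new one, a one-line comment saying that the private key is kept would save readers from wondering whether a key rotation step is missing.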