diff --git a/readme.md b/readme.md
index 554f6da90277e8dd2d339643c68ec8eed14b2000..16f1353e72b97a1149a044074df925ef89ff87e0 100644
--- a/readme.md
+++ b/readme.md
@@ -9,6 +9,7 @@ license: GNU GPL 3.0 <http://www.gnu.org/licenses/gpl-3.0.html>
 ## Installation
 
 * Install acme.sh client: <https://github.com/acmesh-official/acme.sh>
+* If you use Ansible/ Puppet/ ... to renew and deploy new certificates then you can deactivate the acme cronjob (`crontab -e`)
 * Clone or extract files of iml-certman
 * Make your changes by copying *dist files to file without ".dist" extension and edit
   * inc_config.sh
@@ -125,3 +126,30 @@ DEBUG: Using Let's Encrypt STAGE environment ...
 DEBUG: You can test and mess around. Do not use certs in production.
 
 ```
+
+### CRUD actions for a certificate
+
+A certificate is created for a host and can have additional DNS names (optional).
+For integration into a system deployment with Ansible & co the `ensure` prameter
+is the best choice because it detects what action is required. 
+The command 
+
+`[APPPATH]/cm.sh ensure www.example.com mail.example.com`
+
+creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
+
+The "manual way" with atomic actions is:
+
+* Create `[APPPATH]/cm.sh add www.example.com mail.example.com`
+* Renew `[APPPATH]/cm.sh renew www.example.com`
+* Modify hostnames with add command `[APPPATH]/cm.sh add www.example.com mail.example.com newhost.example.com` what creates a new certificate. Optionally you can/ should revoke the existing certificate with the former host list before (see next command). The impact is: Your SSL certificate on the website is invalid up to the moment you create and deploy the new certificate what can take a few minutes. If you maintain many certificates with the same domain and the request limit is reached your application can be broken broken for an even longer time.
+* Deletin the certificates includes a revoke `[APPPATH]/cm.sh delete www.example.com`
+
+
+### Show certificate data
+
+Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."` 
+
+to get a list of existing certs an then use the hostname in the 1st column to show details:
+
+`[APPPATH]/cm.sh show www.example.com`