diff --git a/automation/certificates/internal/README.md b/automation/certificates/internal/README.md index 5a9441e..e9df2b2 100644 --- a/automation/certificates/internal/README.md +++ b/automation/certificates/internal/README.md @@ -2,4 +2,22 @@ I use a very generic approach for certificate automation as I like to be able to pick-up-an-go to a new system and have things "just work". I created this automation method so easily issue new certs and create a renewal pipeline that is touchless. -Essentially, there is a domain/fqdn path per cert. Each path has a config and script that will be run to generate a new CSR config file. \ No newline at end of file +Essentially, there is a domain/fqdn path per cert. Each path has a config and script that will be run to generate a new CSR config file. + +For a backend PKI I use OpenXPKI. These scripts use a compiled sscep program over on https://github.com/certnanny/sscep to send the CSR requests to OpenXPKI over API calls. + +## Workflow + +To issue a new cert create the folder path and populate with the minimum files: + - key.pw (key's encryption passphrase) + - gen.sh (updated with cert CN, etc) + - issue.cnf (no change) + - renew.cnf (no change) + +Then run ./issue.sh at the top level. It will go through each folder and only execute the issue.sh if a cert doesn't already exist. If a cert aleady exists is means that we should be running a ./renew.sh command instead. Likewise ./renew.sh will only renew certs that exist. + +New certs (ie. issue.sh) will need to be manually approved in OpenXPKI. Afterwards, renew.sh signs the API request with the old cert so OpenXPKI will auto-approve the request (as long as the cert is still valid). Up to 5 certs with the same Subject can be issued at once. the ./renew.sh command can be put into a cron job to automate this task. + +## TODO + + - I would like a way to determine if the cert still has x months/weeks so that I only renew at the last 1 or 2 weeks remaining. \ No newline at end of file
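Review bot: the new Workflow section adds `key.pw` as a plaintext passphrase file that the scripts read from each cert folder, but says nothing about how that file is protected; state the expected ownership and mode (e.g. `chmod 600 key.pw`) and that it must be excluded from version control (a `.gitignore` entry) so the per-cert folders can be committed without the passphrase. In the same paragraph, fix the typos "aleady" (already), "is means" (it means) and the lowercase sentence start "the ./renew.sh command". For the TODO, `openssl x509 -checkend <seconds> -in <cert>` already exits non-zero when the certificate expires within the given window, so `renew.sh` could use it to skip certs with more than the last one or two weeks remaining rather than renewing on every cron run.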