diff --git a/README.md b/README.md index 78e7854..42de18d 100644 --- a/README.md +++ b/README.md @@ -47,18 +47,27 @@ Clean up every trace of a service in one command: infra decommission --domain project.loopaware.com --mac --vmid 12345 --node la-vmh-12 --port-name project_udp ``` -### Certificate Management +### 4. Certificates (Let's Encrypt) +The infrastructure uses a consolidated SAN (Subject Alternative Name) strategy to optimize Let's Encrypt rate limits. + +- **`loopaware.com.pem`**: Wildcard cert for all public services. +- **`la-infra-san.pem`**: Consolidated SAN cert for all internal `*.fe.loopaware.com` hosts. + +The system automatically discovers new internal hosts and adds them to the SAN certificate nightly at 3:00 AM. + ```bash -# List all active certificates +# List all active certificates in shared storage infra cert list -# Check main certificate expiry +# Check expiry date of the main wildcard cert infra cert status -# Trigger dynamic SAN discovery and renewal -infra cert renew --force +# Manually trigger discovery and renewal (Rate-limit safe) +infra cert renew ``` +### 5. Cloudflare DDNS + ## Safety & Validation - **Template Resolution:** The `debian-13` alias automatically finds the latest template on the target Proxmox node. - **Input Validation:** All IPs, MACs, and Ports are validated before execution.
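Review bot: The sentence added under `### 4. Certificates (Let's Encrypt)`, "The system automatically discovers new internal hosts and adds them to the SAN certificate nightly at 3:00 AM", does not say how discovery is scoped. Please document which source of hostnames is trusted and whether a name is validated before it is added. Every name added ends up in a publicly issued Let's Encrypt certificate, so the SAN list of `la-infra-san.pem` exposes internal `*.fe.loopaware.com` hostnames through Certificate Transparency logs. Since that one certificate covers all internal hosts and the comment on `infra cert list` places certificates in shared storage, it would also help to state who can read that storage. In the command block, `infra cert renew --force` becomes `infra cert renew` with the comment "(Rate-limit safe)". Say whether `--force` still exists and what makes the plain form rate-limit safe, so operators know which to run. Finally, the new `### 5. Cloudflare DDNS` heading at the end of the hunk has no body and runs straight into `## Safety & Validation`. Either add the section text in this change or leave the heading out until it is written.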