diff --git a/README.md b/README.md
index 4e264f2051c5b9c04d01f99a0aa746d9199bad22..7fd377bea3a400d26171ed60708842bdeedce4e5 100644
--- a/README.md
+++ b/README.md
@@ -6,61 +6,71 @@ This last part is probably not needed.
 
 If you're adding a redhat repo, you probably also need the SSL client certificate.
  1. Download the certificates, if necessary (see below)
- 1. Add the certificate to Teigi: `tbag set --hg lxsoft/adm 8a85f983598e8558015993b62b96699e.pem --file 8a85f983598e8558015993b62b96699e.pem`
- 1. List the new certificate in `manifests/adm.pp` for the lxsoft machines.
+ 1. Add the certificate to Teigi: `tbag set --hg lxsoft/adm 4542809831846091597.pem --file 4542809831846091597.pem`
+ 1. List the new certificate in `manifests/adm.pp` for the lxsoft machines (`cluster_adm` branch).
  1. Make sure your new repo files in [prod.repos.yaml](prod.repos.yaml) list the new certificate. You can use something like this to figure out which certificates belong to with repos:
 
 (execute on an ADM node with the certificates)
-```
+```bash
 for i in `ls /etc/cdn.redhat.com/*.pem`; do printf "$i returned http_code: "; curl -k -E $i https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/ --write-out %{http_code} --silent --output /dev/null; printf "\n"; done
 ```
 
+## linuxsoft.cern.ch paths
+
+By default all repos will be mirrored under <https://linuxsoft.cern.ch/mirror/>
+
+You can control the path with `prod.repos.yaml` file, by using `pathroot` as in:
+
+```yaml
+redhat-8-ev-x86_64.repo:
+  pathroot: ''
+```
+
+This will make mirrors start on <https://linuxsoft.cern.ch/> instead.
+
+PS: Be aware RH repos are blocked unless you belong to certain LANDB sets: <https://linuxops.web.cern.ch/support/redhat/#landb-sets>
 
 # Downloading Redhat certificates
 
 Certs for linuxsoft-mirror system registered on [RHN](https://access.redhat.com/management/systems/b4ec8c2d-3eae-4ae0-b8fa-ec6d8a08ce9f/subscriptions)
 
+These are the certs used as of 04/12/2020, you can use the following command to determine what certificate maps to which entitlement:
+
 ```
-8a85f9845993af3f015993b34c3f0210 - 2017-01-01 - 2020-01-01 Red Hat Enterprise Linux Server, Self-support (1-2 sockets) (Up to 1 guest)
-8a85f983598e8558015993b62b96699e - 2017-01-01 - 2020-01-01 Extended Update Support
-8a85f9875993915c015993b8460b1956 - 2017-01-01 - 2020-01-01 Red Hat Enterprise Linux Developer Suite
-8a85f983598e8558015993be99386c0f - 2017-01-01 - 2020-01-01 Red Hat JBoss A-MQ, 64-Core Standard
-8a85f9825cc471b3015cc47ecc80054c - 2017-06-20 - 2020-01-01 Red Hat Virtualization (2-sockets), Premium
-8a85f983598e8558015993c40f836ef2 - 2017-01-01 - 2020-01-01 Red Hat Enterprise MRG Realtime, Standard (1-2 sockets)
-8a85f9875b339bfe015b33aaa17019fc - 2017-04-03 - 2020-01-01 Red Hat Enterprise Linux Extended Life Cycle Support (Physical or Virtual Nodes)
+[root@lxsoftadm28 ~]# for i in /etc/cdn.redhat.com/*pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done
+/etc/cdn.redhat.com/195140964651792852.pem:    Red Hat Enterprise Linux for Real Time, Premium (Physical Node)
+/etc/cdn.redhat.com/3788516405494545882.pem:    Red Hat Enterprise Linux Developer Suite
+/etc/cdn.redhat.com/4542809831846091597.pem:    Red Hat Virtualization (2-sockets), Premium
 ```
 
-Note: with each new/changed subscription we have to add/remove subscription for linuxsoft-mirror
-on RHN and use freshly regenerated cert .. seems to be necessary also in case of new product
-versions which appeared after the orig. cert was generated
+# RedHat repos
 
-removed/replaced certs:
+Figuring out which RedHat repos to sync is not obvious as paths change between versions (i.e. RHEL7 use different repo URLs than RHEL8).
 
-```
-8a85f98159926149015993c2a4ed781a - 2017-01-01 - 2020-06-20 Red Hat Virtualization (2-sockets), Premium
-8a85f983598e8558015993be99386c0f - replaced 2018-02-27 for RH-SSO 7.2
-d0ef2de33635419fbf7467a54ba485c9 - replaced 2019-08-16 for Extended Update Support
-```
+You could always spawn a new RHELX machine and follow these steps:
 
-You can use the following command to determine what certificate maps to which entitlement:
+* Share the RH image with the tenant you want
 ```
-# for i in *pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done
-8a85f9825cc471b3015cc47ecc80054c.pem:    Red Hat Virtualization (2-sockets), Premium
-8a85f983598e8558015993be99386c0f.pem:    Red Hat AMQ, Standard (64 Cores)
-8a85f983598e8558015993c40f836ef2.pem:    Red Hat Enterprise MRG Realtime, Standard (1-2 sockets)
-8a85f9845993af3f015993b34c3f0210.pem:    Red Hat Enterprise Linux Server, Self-support (1-2 sockets) (Up to 1 guest)
-8a85f9875993915c015993b8460b1956.pem:    Red Hat Enterprise Linux Developer Suite
-8a85f9875b339bfe015b33aaa17019fc.pem:    Red Hat Enterprise Linux Extended Life Cycle Support (Physical or Virtual Nodes)
-97a00645e90241a495c87c71cab7258f.pem:    Red Hat Virtualization Manager
-d0ef2de33635419fbf7467a54ba485c9.pem:    Extended Update Support
-#
+eval $(ai-rc 'IT Linux Support - CI VMs')
+openstack image list | grep RHEL  ## To see all available images
+# replace with the uuid of destination project
+openstack image add project '$uuid-of-image' '$uuid-of-project'
 ```
 
-## Procedure (Update 2018/04):
+* Spawn a machine with that image, select your private key when creating it
+* Quickly add this machine to `LINUXSOFT RHEL LICENSED GPN` so it has access to RH repos for installation
+* ssh as `cloud-user`: `ssh cloud-user@yournode`, then `sudo -i`
+* Edit `/root/.ssh/authorized_keys` and remove everything before your ssh key
+* Allow access to the rest of the team. Install the latest cern-linuxsupport-access and enable it:
+  ```
+  $ yum install http://linuxsoft.cern.ch/cern/centos/8/CERN/x86_64/Packages/cern-linuxsupport-access-1.2-1.el8.cern.noarch.rpm
+  $ cern-linuxsupport-access enable
+  ```
+* `subscription-manager register --username yourrhaccount@cern.ch`. It will ask for your RH access password
+* `subscription-manager repos --list` will list all the repos and their URLs. You can now add those that you need.
 
-1. Download the zip with all certificates
-1. Rename them to the subject (be careful, the following may need to be adapted as Subject format may change)
-```bash
-for i in `ls *.pem`; do  NAME=`openssl x509 -in $i -text | grep -i "Subject:" | sed 's/.*CN *= *\([a-z0-9]\{32\}\).*/\1/'`; mv $i $NAME.pem; done
-```
-3. Proceed with step 2 above, adding the certificates to Teigi.
+## Sample RH nodes
+
+* As of 4/12/2020 these nodes are available for our team:
+  * `lx-rh7-certs` for RHEL 7
+  * `rhel8-sample` for RHEL 8