diff --git a/generate_2fa_keys.md b/generate_2fa_keys.md
new file mode 100644
index 0000000..b1dd672
--- /dev/null
+++ b/generate_2fa_keys.md
@@ -0,0 +1,25 @@
+# How to generate 2 Factor Authentication key and certificate
+
+Doing this requires membership in sysadmin-main FAS group.
+
+All the following commands should be ran on one of batcave hosts.
+
+Clone `ansible-private` repo:
+
+    git clone /srv/git/ansible-private
+
+Change into `files/vpn` subdirectory in cloned repo:
+
+    cd ansible-private/files/2fa-certs
+
+The process is described in the README but is basically:
+
+    . ./vars; ./build-and-sign-key <hostname>
+
+Add generated files to git index, commit, push:
+
+    git status
+    git add .
+    git commit -a -m "Add 2 FA key/cert for <hostname>"
+    git show
+    git push