rip HPKP out of the main LE procedure

HPKP has been removed from Chromium in 2017: https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/

rip HPKP out of the main LE procedure
93614928 · anarcat · a97e6965 · 93614928
Verified Commit 93614928 authored 4 years ago by anarcat
--- a/tsa/howto/tls.mdwn
+++ b/tsa/howto/tls.mdwn
@@ -21,31 +21,7 @@ manage the related [X.509](https://en.wikipedia.org/wiki/X.509) certificates tha
    
        $EDITOR domains

- 3. Generate backup [HPKP][] keys for Public key pinning:
-
-    HPKP is generally considered DEPRECATED so this section should
-    generally be skipped.
-
-        ./bin/manage-backup-keys create
-
-    See `tor-passwords/000-backup-keys` for the passphrase when prompted.
-
-    The private key is a backup RSA certificate that can be used to rotate
-    HTTPS certificates in case of a compromise, while respecting the pins
-    sent as `Public-Key-Pins` headers.
-
- 4. Push the new key to the backup-keys repo:
-
-        cd backup-keys
-        git status
-        git add $yourfiles
-        git commit
-        git push
-        cd ..
-
-[HPKP]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
-
- 5. Push the updated domain list to the letsencrypt-domains repo
+ 3. Push the updated domain list to the letsencrypt-domains repo

        git diff domains
        git add domains
@@ -102,6 +78,36 @@ Then remove the file.

 # How-to

+## Enabling HPKP
+
+HPKP is generally considered DEPRECATED. It has been [disabled in
+Google Chrome in 2017](https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/) and should generally not be used anymore.
+
+This section should generally be skipped unless you *really* need key
+pinning for some obscure reason.
+
+ 1. To generate backup [HPKP][] keys, use the script provided in the
+    `domains.git` repository:
+
+        ./bin/manage-backup-keys create
+
+    See `tor-passwords/000-backup-keys` for the passphrase when prompted.
+
+    The private key is a backup RSA certificate that can be used to
+    rotate HTTPS certificates in case of a compromise, while
+    respecting the pins sent as `Public-Key-Pins` headers.
+
+ 2. Push the new key to the backup-keys repo:
+
+        cd backup-keys
+        git status
+        git add $yourfiles
+        git commit
+        git push
+        cd ..
+
+[HPKP]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
+
 ## Disabling HPKP

 To disable key pinning ([HPKP][]) on a given domain, just remove the