move puppet revocation to the howto section

tsa/howto/puppet.mdwn

@@ -583,6 +583,32 @@ general, it's safe to use `trocla create` as it will reuse existing
 password. It's actually how the `trocla()` function behaves in Puppet
 as well.
 
+
+## Revoking and generating a new certificate for a host
+
+Revocation procedures problems were discussed in:
+
+[#33587]: https://trac.torproject.org/projects/tor/ticket/33587
+[#33446]: https://trac.torproject.org/projects/tor/ticket/33446#comment:17
+
+1. Clean the certificate on the master
+
+`puppet cert clean host.torproject.org
+`
+2. Clean the certificate on the client:
+
+`find /var/lib/puppet/ssl -name host.torproject.org.pem -delete
+`
+
+Then run the bootstrap script on the client from `tsa-misc/installer/puppet-bootstrap-client `
+and get a new checksum
+
+Run `tpa-puppet-sign-client` on the master and pass the checksum.
+
+The client will pick it up from there.
+
+Run `puppet agent -t` to have puppet running on the client again.
+
 # Reference
 
 This documents generally how things are setup.
@@ -745,28 +771,3 @@ hours.
 
 This configuration is in `/etc/cron.d/puppet-crontab` and deployed by
 Puppet itself, currently as part of the `torproject_org` module.
-
-## Revoking and generating a new certificate for a host
-
-Revocation procedures problems were discussed in:
-
-[#33587]: https://trac.torproject.org/projects/tor/ticket/33587
-[#33446]: https://trac.torproject.org/projects/tor/ticket/33446#comment:17
-
-1. Clean the certificate on the master
-
-`puppet cert clean host.torproject.org
-`
-2. Clean the certificate on the client:
-
-`find /var/lib/puppet/ssl -name host.torproject.org.pem -delete
-`
-
-Then run the bootstrap script on the client from `tsa-misc/installer/puppet-bootstrap-client `
-and get a new checksum
-
-Run `tpa-puppet-sign-client` on the master and pass the checksum.
-
-The client will pick it up from there.
-
-Run `puppet agent -t` to have puppet running on the client again.