From d9839a0736cb71744ddae11a1d7253cf28c1d45b Mon Sep 17 00:00:00 2001 From: Randy Bush Date: Sat, 4 Jul 2020 15:35:04 -0700 Subject: [PATCH] from wiki --- pages/RPKIRootCertExpiry.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 pages/RPKIRootCertExpiry.md diff --git a/pages/RPKIRootCertExpiry.md b/pages/RPKIRootCertExpiry.md new file mode 100644 index 0000000..68a6737 --- /dev/null +++ b/pages/RPKIRootCertExpiry.md @@ -0,0 +1,29 @@ +# Updating the Expiry Data of an RPKI Root Cert + +First, go to the place the cert should be living + +``` +cd /usr/share/rpki/publication +``` + +Then extract a new cert with a shiny new expiration. + +``` + rpkic extract_root_certificate --output_file foo.cer +``` + +Get the key of the new cert and the old cert and compare them + +``` + openssl x509 -inform DER -in foo.cer -noout -pubkey >foo.key + openssl x509 -inform DER -in root.cer -noout -pubkey >old.key + diff -qs foo.key old.key +``` + +If they're the same, then the foo.cer you just extracted is the replacement for your old root.cer (in which case you might want to set up a cron job to extract it to the old filename, every few months). + +finally + +``` +cat /usr/share/rpki/publication/altCA.cer > /usr/share/rpki/tal/root.cer +``` \ No newline at end of file
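Review bot: The final step, `cat /usr/share/rpki/publication/altCA.cer > /usr/share/rpki/tal/root.cer`, installs a file that none of the earlier steps create or check. The procedure extracts `foo.cer` and compares its public key with `root.cer`, while `altCA.cer` appears only in this last command. Either make the last command install the certificate that was just verified, or add a sentence explaining how `altCA.cer` relates to `foo.cer`, so that a reader does not overwrite `/usr/share/rpki/tal/root.cer` with a file whose key was never compared. The text also covers only the case where `diff -qs foo.key old.key` reports the keys as identical; it should say to stop and replace nothing when they differ. Minor points: the heading says "Expiry Data", which looks like a typo for "Expiry Date"; the lone "finally" should be a full sentence like the other steps; and the new file has no trailing newline.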