from wiki

pages/RPKIRootCertExpiry.md

@@ -0,0 +1,29 @@
+# Updating the Expiry Data of an RPKI Root Cert
+
+First, go to the place the cert should be living
+
+```
+cd /usr/share/rpki/publication
+```
+
+Then extract a new cert with a shiny new expiration.
+
+```
+    rpkic extract_root_certificate --output_file foo.cer
+```
+
+Get the key of the new cert and the old cert and compare them
+
+```
+    openssl x509 -inform DER -in foo.cer  -noout -pubkey >foo.key
+    openssl x509 -inform DER -in root.cer -noout -pubkey >old.key
+    diff -qs foo.key old.key
+```
+
+If they're the same, then the foo.cer you just extracted is the replacement for your old root.cer (in which case you might want to set up a cron job to extract it to the old filename, every few months).
+
+finally
+
+```
+cat /usr/share/rpki/publication/altCA.cer > /usr/share/rpki/tal/root.cer 
+```