# Updating the Expiry Data of an RPKI Root Cert

First, go to the place the cert should be living

```
cd /usr/share/rpki/publication
```

Then extract a new cert with a shiny new expiration.

```
    rpkic extract_root_certificate --output_file foo.cer
```

Get the key of the new cert and the old cert and compare them

```
    openssl x509 -inform DER -in foo.cer  -noout -pubkey >foo.key
    openssl x509 -inform DER -in root.cer -noout -pubkey >old.key
    diff -qs foo.key old.key
```

If they're the same, then the foo.cer you just extracted is the replacement for your old root.cer (in which case you might want to set up a cron job to extract it to the old filename, every few months).

finally

```
cat /usr/share/rpki/publication/altCA.cer > /usr/share/rpki/tal/root.cer 
```