3 files changed, 17 insertions, 1 deletions

diff --git a/doc/doc.RPKI.CA.Configuration.rootd b/doc/doc.RPKI.CA.Configuration.rootd
index 678e2edf..f27bdd15 100644
--- a/doc/doc.RPKI.CA.Configuration.rootd
+++ b/doc/doc.RPKI.CA.Configuration.rootd
@@ -142,7 +142,11 @@ generate a root certificate as follows:
   $ openssl x509 -req -sha256             \
           -signkey root.key -in root.req  \
           -outform DER -out root.cer      \
-          -extfile root.conf -extensions x509v3_extensions
+          -extfile root.conf -extensions x509v3_extensions \
+          -days 1825
+
+You may want to shorten the five year expire time (1825 days), which is a bit
+long. It is a root certificate, so a longer expire is not unusual.
 
 The generated root.cer must be copied to the publication directory as defined
 in rpki.conf,
diff --git a/doc/doc.RPKI.CA.UI.GUI b/doc/doc.RPKI.CA.UI.GUI
index 89df1d0a..4b887e60 100644
--- a/doc/doc.RPKI.CA.UI.GUI
+++ b/doc/doc.RPKI.CA.UI.GUI
@@ -120,6 +120,18 @@ In addition, your rcynic script should also have
 
 after the rcynic run.
 
+****** Expiration Checking ******
+
+The web portal can notify users when it detects that RPKI certificates will
+expire in the near future. Run the following script as a cron job, perhaps once
+a night:
+
+  /usr/local/sbin/rpkigui-check-expired
+
+By default it will warn of expiration 14 days in advance, but this may be
+changed by using the -t command line option and specifying how many days in
+advance to check.
+
 ****** Using the GUI ******
 
 ****** GUI Examples ******
diff --git a/doc/manual.pdf b/doc/manual.pdf
index 556dd130..8f6912cf 100644
--- a/doc/manual.pdf
+++ b/doc/manual.pdf