From d0d9eaa9e5c35da5cb599d148e557115f5b768b4 Mon Sep 17 00:00:00 2001
From: Randy Bush <randy@psg.com>
Date: Mon, 15 May 2017 09:33:39 +0900
Subject: instructions on renewing root cert

---
 doc/quickstart/xenial-ca.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'doc/quickstart/xenial-ca.md')

diff --git a/doc/quickstart/xenial-ca.md b/doc/quickstart/xenial-ca.md
index d1975def..4a4c542b 100644
--- a/doc/quickstart/xenial-ca.md
+++ b/doc/quickstart/xenial-ca.md
@@ -474,3 +474,17 @@ There are other tools which will let you examine the ASN.1 if you have
 some reason to do so, but in this case it's not all that interesting,
 any valid RPKI root key will have identical values for all but one
 field of the ASN.1, and that field is a 2048-bit hexadecimal integer.
+
+## Renewing the Root Certificate
+
+By default, the root certificate has a one year expiration.  The
+software does not refresh the copy on disk automatically.  Therefore it
+would be good to put in a cron job something such as the following:
+
+```
+$ rpkic extract_root_certificate --output_file /usr/share/rpki/tal/root.cer
+```
+
+Note that the directory and filename will likely need to be adjusted for
+your configuration.  What does the TAL you publish say the filename and
+location are?
-- 
cgit v1.2.3