Signing a Rollover Certificate

One way to update trust points when renewing a Root CA is to generate a certificate that contains the new key and is signed with the old key. For X.509 CAs, you can create such a certificate by checking "Create link certificate" before renewing the CA. The latest link certificate can then be downloaded from the edit CA view.

For CVC CAs a link certificate is always generated during the renewal.
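
What a relying party that still trusts the old root can check on an X.509 link certificate, as an added example that is not EJBCA code: the signature verifies under the old root key, and the certified public key is the new root's. The certificates are constructed sample data; the names `issue`, `Sample` and `CheckLink`, and the unchanged subject name "Example Root CA", are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed CA certificate for pub, signed by signer; a nil parent means self-signed.
func issue(serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent = tpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Sample returns constructed test data: old root, link certificate (new key, old signature), new root.
func Sample() (oldRoot, link, newRoot *x509.Certificate) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldRoot = issue(1, &oldKey.PublicKey, nil, oldKey)
	return oldRoot, issue(3, &newKey.PublicKey, oldRoot, oldKey), issue(2, &newKey.PublicKey, nil, newKey)
}

// CheckLink accepts link only if the old root key signed it and it carries the new root key.
func CheckLink(oldRoot, link, newRoot *x509.Certificate) error {
	if err := link.CheckSignatureFrom(oldRoot); err != nil {
		return fmt.Errorf("not signed by the old root key: %w", err)
	}
	if !bytes.Equal(link.RawSubjectPublicKeyInfo, newRoot.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("link certificate does not carry the new root key")
	}
	return nil
}

func main() { fmt.Println("link check error:", CheckLink(Sample())) }
```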