---
title: Rotating a CA
description: Rotate the certificate authority (CA) used by an agent while minimizing the impact to agent communications.
component: pingaccess
version: 9.0
page_id: pingaccess:agents_and_integrations:pa_iis_rotating_a_ca
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/agents_and_integrations/pa_iis_rotating_a_ca.html
revdate: February 6, 2023
section_ids:
  steps: Steps
  example: Example:
---

# Rotating a CA

Rotate the certificate authority (CA) used by an agent while minimizing the impact to agent communications.

## Steps

1. On the agent web server, update the `agent.properties` file to add the new CA certificate.

   1. Concatenate the old and new CA certificates in PEM encoding format into a new file.

   2. Encode the contents of the file to Base64.

   3. Open the `agent.properties` file and set the value of the `agent.engine.configuration.bootstrap.truststore` line to the encoded content.

      ### Example:

      ```
      agent.engine.configuration.bootstrap.truststore=<Encoded_content>
      ```

2. Restart the agent web server.

3. Update the PingAccess configuration to use a new server certificate signed by the new CA for the agent HTTPS listener.

   1. Identify a key pair to use. If necessary, create a new key pair.

      Learn more in [Generating new key pairs](../pingaccess_user_interface_reference_guide/pa_generating_new_key_pairs.html).

   2. Generate a CSR for that key pair.

      Learn more in [Generating certificate signing requests](../pingaccess_user_interface_reference_guide/pa_generating_certificate_signing_requests.html).

   3. Submit that CSR to the new CA to get a new signed certificate.

   4. Import the CSR response (the new certificate) into PingAccess.

      Learn more in [Importing certificates](../pingaccess_user_interface_reference_guide/pa_importing_certificates.html).

   5. Assign the key pair to the agent HTTPS listener.

      Learn more in [Assigning key pairs to HTTPS listeners](../pingaccess_user_interface_reference_guide/pa_assigning_key_pairs_to_https_listeners.html).
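
Step 1 (building the combined trust store value and setting it in `agent.properties`) as an added Python example; it is not PingAccess code and not part of the original page. All function names are hypothetical, and it assumes the Base64 value must sit on a single unwrapped line of the properties file.

```python
import base64
import re

PROP = "agent.engine.configuration.bootstrap.truststore"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_CERT = re.compile(re.escape(BEGIN) + r"\s+(.*?)\s*" + re.escape(END), re.S)


def pem_certs(text):
    """Return every certificate in text as a normalized PEM block."""
    if "PRIVATE KEY" in text:
        raise ValueError("private key material does not belong in a trust store")
    blocks = []
    for body in PEM_CERT.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # a DER certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block is not a DER-encoded certificate")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]))
    return blocks


def build_truststore_value(old_ca_pem, new_ca_pem):
    """Steps 1.1 and 1.2: concatenate old + new CA PEM, Base64 on one line."""
    old, new = pem_certs(old_ca_pem), pem_certs(new_ca_pem)
    if not old or not new:
        raise ValueError("each input must contain at least one certificate")
    bundle = "\n".join(old + new) + "\n"
    return base64.b64encode(bundle.encode("ascii")).decode("ascii")  # no line wraps


def set_truststore(properties_text, value):
    """Step 1.3: replace the truststore line (append if absent), keep the rest."""
    out, replaced = [], False
    for line in properties_text.splitlines():
        if line.split("=", 1)[0].strip() == PROP:
            line, replaced = f"{PROP}={value}", True
        out.append(line)
    if not replaced:
        out.append(f"{PROP}={value}")
    return "\n".join(out) + "\n"


def decode_truststore(value):
    """Check before restarting: certificates the encoded value really holds."""
    return pem_certs(base64.b64decode(value, validate=True).decode("ascii"))


def sample_pem(der):  # constructed stand-in bytes, not a real CA certificate
    return f"{BEGIN}\n{base64.b64encode(der).decode('ascii')}\n{END}"
```

Reading the two CA files and `agent.properties` from disk, and writing the result back, is left to the caller. Running `decode_truststore` on the final value before the restart in step 2 confirms that both the old and the new CA certificate are present.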
