e.g. have two root certs (primary and secondary). Every 30(?) minutes:
1) remove secondary from trusted roots
2) move primary to secondary
3) create new primary and add it to trusted roots
4) sign with primary
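The rotation above as a small trust-store model, added here as an example and not code from the original note. It assumes roots can be represented by opaque IDs and a "signature" by a record naming its issuing root (no real X.509 or cryptography is performed); `RootRotation` and `rotations_until_rejected` are hypothetical names.

```python
import itertools


class RootRotation:
    """Trust-store state for the two-root scheme; roots are opaque IDs (assumption)."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.trusted = set()
        # Bootstrap with two roots so the first rotation has a secondary to retire.
        self.secondary = self._new_root()
        self.primary = self._new_root()

    def _new_root(self):
        root = f"root-{next(self._ids)}"  # stand-in for generating a real root cert
        self.trusted.add(root)
        return root

    def rotate(self):
        self.trusted.discard(self.secondary)  # 1) remove secondary from trusted roots
        self.secondary = self.primary         # 2) move primary to secondary
        self.primary = self._new_root()       # 3) create new primary, add to trusted roots

    def sign(self, payload):
        # 4) sign with primary: the record only names the issuer, nothing is signed
        return {"payload": payload, "issuer": self.primary}

    def verify(self, signed):
        # A verifier accepts anything issued by a root still in the trust store.
        return signed["issuer"] in self.trusted


def rotations_until_rejected(store, signed, limit=10):
    """Rotate until `signed` no longer verifies; return how many rotations it took."""
    count = 0
    while store.verify(signed) and count < limit:
        store.rotate()
        count += 1
    return count


if __name__ == "__main__":
    store = RootRotation()
    token = store.sign("constructed sample payload")
    print("rejected after", rotations_until_rejected(store, token), "rotations")
```

Anything signed by the current primary survives the next rotation as the secondary and is rejected at the one after, so its acceptance window is between one and two rotation intervals, and the trust store never holds more than two roots.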