doc: Revoke and Renew, update for Easy-RSA v3.2.1 - Renew CA

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

doc/EasyRSA-Renew-and-Revoke.md

@@ -190,4 +190,45 @@ an old certificate/key pair, which has been _rebuilt_ by command `rebuild`.
 Renew CA Certificate
 ====================
 
-TBD
+Easy-RSA Version 3.2.1+ supports a simple way to effectively renew a CA Certificate.
+
+**Preamble** - Specifically for use with OpenVPN:
+
+When a CA certificate expires it must be replaced, this is unavoidable.
+No matter what method is used to create a new or renewed CA certificate,
+that CA certificate must be distributed to all of your servers and clients.
+
+Please consider the method outlined here, which requires very little work:
+
+1. Make a backup of your current PKI, **before you do anything else.**
+
+2. Use command `init-pki soft`
+
+   This will reset your current PKI but will keep your `vars` setting file and
+   your current Request files [CSR], in the `pki/reqs` directory.
+
+3. Use command `build-ca`
+
+   (With or without password and other preferences)
+
+   This will build a completely new CA Certificate and private key.
+
+   Use option `--days` to extend the lifetime of your new CA.
+
+4. Use command `sign-req <TYPE> <NAME>`
+
+   (With or without other preferences, password is not relavent)
+
+   This will sign your existing request for each certificate that you choose.
+
+   This will NOT generate new private keys for each new certificate.
+
+   This will generate new `inline` files that can be distributed publicly.
+   These `inline` files will not contain any security sensitive data.
+
+   This means that you will have a new CA certificate and private key.
+   And signed certificates for all of your users, including servers.
+
+5. Distribute the new `inline` files to all members of your PKI/VPN.
+
+   This is one of the simplest ways to renew your CA certificate.