diff --git a/README.org b/README.org
index 13579ad..95ad142 100644
--- a/README.org
+++ b/README.org
@@ -1,6 +1,6 @@
 * NixOS
 ** [[file:docs/install.org][Installing]]
-** Rebuilding
+*** Rebuilding
 #+BEGIN_SRC bash
 sudo nixos-rebuild switch --impure --flake ".#${HOST}"
 #+END_SRC
diff --git a/docs/consul.org b/docs/consul.org
index 6a416db..fcc97bf 100644
--- a/docs/consul.org
+++ b/docs/consul.org
@@ -1,6 +1,6 @@
 #+title: Consul
 * Server setup
-** Create a server keypair
+** Create a server keypair <<create_keypair>>
 Decrypt the CA (from the agenix secrets)
 #+begin_src bash
 agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
@@ -78,3 +78,10 @@ JSON config:
   }
 }
 #+end_src
+* Renew expired certificates
+** Find the expired certificate
+#+begin_src
+openssl x509 -in /etc/consul.d/certs/samfelag-server-consul.pem -enddate -noout
+#+end_src
+
+Follow the steps described in [[create_keypair][Create a server keypair]].
diff --git a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age
index cb10845..760023e 100644
Binary files a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age and b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age differ
diff --git a/secrets/consul.d/samfelag-server-thingvellir.pem.age b/secrets/consul.d/samfelag-server-thingvellir.pem.age
index d517710..1c3e824 100644
Binary files a/secrets/consul.d/samfelag-server-thingvellir.pem.age and b/secrets/consul.d/samfelag-server-thingvellir.pem.age differ