Automatic certificate management and updating

Two certificates should be available (old and new) to ensure proper switchover when the old certificate expires. CA certificates are usually valid for 10 years.
Maybe there should also be the possibility to update the certificate over the air?