Updating root CA: how

I want to use security connection. I know, that you load your own certificate or I can choose to use Let’s encrypt. Certificate can be powned or outdated. How device update certificate? I need OTA update with 2 certificates (current & next) ?
Thanks a lot!