diff --git a/Makefile b/Makefile index e833eb4..9921cf4 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ docker-run-tests: ./test.sh db: - docker-compose up -d db + docker compose up -d db docker-build: docker build -t eu.gcr.io/wire-bot/roman . diff --git a/README.md b/README.md index b1be2be..5197939 100644 --- a/README.md +++ b/README.md @@ -574,3 +574,7 @@ or directly: ## Comprehensive tutorial how to onboard new bot Step-by-step guide, how to create a simple bot for Roman - [onboarding.md](docs/onboarding.md). + +## Comprehensive tutorial how to update the public key after the certificate renewal + +Step-by-step guide, how to update bots public key manually - [public-key-refresh.md](docs/public-key-refresh.md). diff --git a/docs/public-key-refresh.md b/docs/public-key-refresh.md new file mode 100644 index 0000000..45bd091 --- /dev/null +++ b/docs/public-key-refresh.md 
@@ -0,0 +1,50 @@ +# Update bot public key + +When registering a service with the Wire backend, the service needs to specify with certificate it will use for incoming TLS connections. The Wire backend will verify that the certificates match when making TLS requests to the service, and otherwise abort any connection if it doesn’t match. + +Periodically, the certificates need to be updated. + +## Requirements + +- Wire Provider account. +- Roman instance *(you can use public Roman running [here](https://proxy.services.wire.com/))*, in this guide we will be + using [internal staging Roman](https://roman.integrations.zinfra.io/swagger) with URL `https://roman.integrations.zinfra.io`. + - Please note that Wire Staging environment is accessible only for the Wire development team and if you create the bot here, you won't + be able to use it unless you have access to that environment. +- A bot already fully onboarded and running. If you don't have one, please check the [onboarding guide](onboarding.md). + +You will need to make some API calls, use your favourite tool for that, e.g. [Postman](https://www.postman.com/) or [curl](https://curl.se/). +The following examples will use `curl` commands, but you can easily adapt them to your tool of choice. + +## Commands +```bash +curl --request POST \ + --url https://prod-nginz-https.wire.com/v6/provider/login \ + --header 'content-type: application/json' \ + --data '{ + "email": "$PROVIDER_EMAIL", + "password": "$PROVIDER_PASSWORD" +}' +``` +Then take the `Set-cookie` value from the response headers and call: + + +```bash +curl --request GET \ +--url https://prod-nginz-https.wire.com/v6/provider/services \ +--header 'cookie: $COOKIE' +``` +This will give you the list of services you have on the provider you have registered. 
+ +Then for each service you want to update with a new public key: +```bash +curl --request PUT \ +--url https://prod-nginz-https.wire.com/v6/provider/services/${SERVICE_ID}/connection \ +--header 'content-type: application/json' \ +--header 'cookie: $COOKIE' \ +--data '{ +"password": "$PROVIDER_PASSWORD", +"public_keys": [ +"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3xtHqyZPlb0lxlnP0rNA\nJVmAjB1Tenl11brkkKihcJNRAYrnrT/6sPX4u2lVn/aPncUTjN8omL47MBct7qYV\n1VY4a5beOyNiVL0ZjZMuh07aL9Z2A4cu67tKZrCoGttn3jpSVlqoOtwEgW+Tpgpm\nKojcRC4DDXEZTEvRoi0RLzAyWCH/8hwWzXR7J082zmn0Ur211QVbOJN/62PAIWyj\nl5bLglp00AY5OnBHgRNwwRkBJIJLwgNm8u9+0ZplqmMGd3C/QFNngCOeRvFe+5g4\nqfO4/FOlbkM2kYFAi5KUowfG7cdMQELI+fe4v7yNsgrbMKhnIiLtDIU4wiQIRjbr\nZwIDAQAB\n-----END PUBLIC KEY-----\n" +] +``` diff --git a/test.sh b/test.sh index 135e718..7fd23cf 100755 --- a/test.sh +++ b/test.sh @@ -2,13 +2,13 @@ set -x echo "1/4) Starting test environment..." -docker-compose up -d db +docker compose up -d db echo "2/4) Running tests..." DOCKER_BUILDKIT=1 docker build --network host --target export-stage --output backend/target/reports -f Dockerfile.UnitTests . echo "3/4) Cleaning up test environment..." -docker-compose stop +docker compose stop echo "4/4) Evaluating tests result exit status..." EXIT_CODE=`cat backend/target/reports/test.result`
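Review bot: in the Makefile `db` target, `docker compose up -d db` requires the Compose v2 CLI plugin, so machines and CI runners that only have the standalone `docker-compose` binary will fail here. Nothing in the visible changes documents this new prerequisite; add a line to the README setup instructions stating that Compose v2 is required. The same applies to the two calls changed in test.sh.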
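Review bot: in the README.md hunk, the new link text "how to update bots public key manually" should read "bot's public key". The heading copies the wording of the existing onboarding heading, which is fine for consistency, but "Comprehensive tutorial" is a stretch for a page that consists of three curl commands; something like "Updating the bot public key after certificate renewal" would describe it more accurately.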
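Review bot: in docs/public-key-refresh.md, the last curl example (the PUT to `.../services/${SERVICE_ID}/connection`) never closes its `--data` payload: the JSON stops at `]` with no `}` and no closing single quote, so the command cannot be pasted and run. Add `}'` before the closing fence. In the same examples, `$PROVIDER_EMAIL`, `$PROVIDER_PASSWORD` and `$COOKIE` sit inside single quotes, where the shell does not expand them, while `${SERVICE_ID}` in the unquoted URL is expanded; either state that these are placeholders to replace by hand or change the quoting so all of them behave the same way. The Requirements section says the guide uses the staging Roman at `https://roman.integrations.zinfra.io`, yet every command targets `https://prod-nginz-https.wire.com`; say which environment the reader is meant to call. The intro has a typo ("specify with certificate" should be "which certificate"), and the guide never shows how to obtain the new public key from the renewed certificate, which is the step a reader following it will be missing.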
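Review bot: in test.sh, nothing in the lines shown checks whether `docker compose up -d db` succeeded before step 2 starts, so on a host without the Compose plugin the script carries on and runs the tests with no database, and the failure surfaces only as a confusing test result. Check the exit status right after the `up` call, for example `docker compose up -d db || exit 1`, so the script stops with a clear cause.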