First of all, you should realise that changing the keys will cause a change in the root certificate and all previously issued certificates may be impacted. This impact can be managed and we will write about it a bit more.
However, if you feel that a key(s) need to be changed, there is a simple way to do it. The PKI system uses a set of three keys and you can update each of them with a single command:
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 signKey 0
or
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 defaultKey 0
or
sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 1024 testKey 0
The length of RSA keys is currently limited to a selection of either 1024 or 2048 bits.