First of all, you should realise that changing the keys changes the root certificate, and all previously issued certificates may be impacted. This impact can be managed, and we will write more about it.

However, if you feel that a key needs to be changed, there is a simple way to do it. The PKI system uses a set of three keys, and you can update each of them with a single command:

 sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/ generate /usr/lib64/softhsm/ 2048 signKey 0


 sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/ generate /usr/lib64/softhsm/ 2048 defaultKey 0


 sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/ generate /usr/lib64/softhsm/ 1024 testKey 0

RSA key length is currently limited to either 1024 or 2048 bits.
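
The effect described at the top, that certificates issued before a key change no longer chain to the new root certificate, can be reproduced offline. This is an added example and not part of the original instructions: it uses the OpenSSL command line with throwaway file-based keys instead of the PKI system's own tooling and HSM, and all names in it (Demo Root CA, leaf.example.test, the file prefixes) are constructed.

```shell
#!/bin/sh
# Added example: why re-keying a CA affects certificates issued earlier.
# Throwaway OpenSSL keys in a temp directory; all names are constructed.

# make_root <prefix>: new 2048-bit RSA key plus self-signed root certificate.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_leaf <ca_prefix> <leaf_prefix>: leaf certificate signed by that root.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# chain_ok <root_cert> <leaf_cert>: prints "valid" or "invalid".
# Matches on the "OK" output line rather than relying on the exit status.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo valid
    else
        echo invalid
    fi
}

# rekey_demo: prints three results separated by spaces:
#   old leaf vs old root, old leaf vs re-keyed root, new leaf vs re-keyed root
rekey_demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    # State before the key change: root and one issued certificate.
    make_root "$d/old" && issue_leaf "$d/old" "$d/leaf_old" || exit 1
    # Key change: same CA name, new key pair, therefore a new root certificate.
    make_root "$d/new" && issue_leaf "$d/new" "$d/leaf_new" || exit 1
    echo "$(chain_ok "$d/old.crt" "$d/leaf_old.crt")" \
         "$(chain_ok "$d/new.crt" "$d/leaf_old.crt")" \
         "$(chain_ok "$d/new.crt" "$d/leaf_new.crt")"
)

rekey_demo   # prints: valid invalid valid
```

Relying parties therefore need either the old root certificate kept in their trust store until the old certificates expire, or the affected certificates reissued under the new key.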