Like passwords, host keys (and the authorizations they create) should be rotated regularly to limit their exposure to misuse.
Key rotation for server
host keys can be set in the server configuration GUI under Identity tab (see Identity), or it can be set in the server-config.xml
hostkey
element (see
hostkey
).
Once a rotation period has been set for a host key, a newly generated key will replace the old one when the key rotation period ends. A key can be set up with a rotation margin period, which is a time span before the rotation, during which the new key is generated, and advertised to clients. Advertising the new key before key rotation allows clients to be prepared for the changing of the host key. If no rotation period is set, the automatic key rotation is disabled.
The host keys can also be changed manually by generating a new key and/or editing an existing keys' path in the server configuration GUI. For more information, see Identity.