Productive systems can neither rely on any default keys that were installed with some older version nor on the development and test bootstrapping tools. Certificates must instead be requested and issued by real Certification Authorities (CA), taking care that they fulfill all requirements, and then installed prior to the first start of the system.
...
If IDM has already been used with test certificates, these insecure certificates may have been used. Whenever If object history entries and/or secrets were created with the demo keys, a simple bootstrapping is no longer possible without resigning then after the bootstrapping you must resign the object history (using the batch_re-sign_history tool) and/or re-encrypting encrypt the secrets (using the batch_secretfieldstore_change_encryption_key tool) as described in Change Encryption key of secret field store). The batch_re-sign_history tool is not described anywhere. Need some clarification here!
The first step is to go through the list of all descriptors, and identify for which ones your IDM installation actually needs a proper key. For each descriptor in the list, look up the general requirements. For the descriptors where a placeholder is sufficient, you may as well use the certificates created with the bootstrapping tool. (← is that a good idea? then we may need to change a couple of things, maybe enable selecting which descriptors to actually bootstrap. If all were first bootstrapped and then some overwritten for a prod env, this may compromise some of our checks like not booting etc!) For all the descriptors that need proper keys,