Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time. Bootstrapping of productive systems involves the use of one or more certificate authorities to generate the keys and issue the certificates used by IDM.
...
Productive systems must rely neither on default keys that were installed by an older version nor on the development and test bootstrapping tools. Certificates must instead be requested from and issued by real Certification Authorities (CAs), ensuring that they fulfil all requirements, and then be installed prior to the first start of the system.
If IDM has already been run with test certificates, object history entries and/or secrets may have been signed or encrypted with the insecure demo keys. In that case, after the bootstrapping you must re-sign the object history (using the batch_re-sign_history tool) and/or re-encrypt the secrets (using the batch_secretfieldstore_change_encryption_key tool), as described in Change Encryption key of secret field store.
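Why the re-sign step is needed, and what a re-sign tool has to check before it replaces signatures, as an added illustration. This is not IDM's own code and not the batch_re-sign_history tool: it models the sign side of the engine as an HMAC-SHA256 over a hash-chained history, and the key material, entry layout and all names (DEMO_KEY, PROD_KEY, HistoryEntry, resign_history, ...) are hypothetical.

```python
"""Model of key rotation for a signed object history (added illustration,
not IDM code). Entries are HMAC-SHA256 signed and hash-chained; after the
signing key is replaced, nothing verifies until the history is re-signed,
and re-signing must first verify every entry under the OLD key so that a
tampered entry is not laundered into a validly signed one."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed keys: the "demo" key stands for one shipped with test bootstrapping,
# the "prod" key for one provisioned during real bootstrapping.
DEMO_KEY = b"demo-key-shipped-with-test-bootstrapping"
PROD_KEY = hashlib.sha256(b"constructed-production-key-material").digest()
GENESIS = "0" * 64  # prev value of the first entry

@dataclass(frozen=True)
class HistoryEntry:
    seq: int      # position in the history
    obj: str      # object the change applies to
    change: str   # description of the change
    prev: str     # signature of the previous entry (chains the log)
    sig: str      # hex HMAC-SHA256 over (seq, obj, change, prev)

def _payload(seq: int, obj: str, change: str, prev: str) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps([seq, obj, change, prev], separators=(",", ":")).encode()

def sign_entry(key: bytes, seq: int, obj: str, change: str, prev: str) -> HistoryEntry:
    sig = hmac.new(key, _payload(seq, obj, change, prev), hashlib.sha256).hexdigest()
    return HistoryEntry(seq, obj, change, prev, sig)

def append(history: list, key: bytes, obj: str, change: str) -> None:
    prev = history[-1].sig if history else GENESIS
    history.append(sign_entry(key, len(history), obj, change, prev))

def verify_history(history: list, key: bytes):
    """Return the index of the first entry that fails under key, or None if all verify."""
    prev = GENESIS
    for i, e in enumerate(history):
        expect = hmac.new(key, _payload(e.seq, e.obj, e.change, prev), hashlib.sha256).hexdigest()
        if e.seq != i or e.prev != prev or not hmac.compare_digest(expect, e.sig):
            return i
        prev = e.sig
    return None

def resign_history(history: list, old_key: bytes, new_key: bytes) -> list:
    """Re-sign every entry under new_key, but only after the whole chain verifies
    under old_key; a re-sign tool that skips this check would certify forgeries."""
    bad = verify_history(history, old_key)
    if bad is not None:
        raise ValueError(f"entry {bad} does not verify under the old key; refusing to re-sign")
    out, prev = [], GENESIS
    for e in history:
        ne = sign_entry(new_key, e.seq, e.obj, e.change, prev)
        out.append(ne)
        prev = ne.sig
    return out

def demo():
    """Returns (first bad index before re-sign, first bad index after, tamper refused)."""
    history = []
    append(history, DEMO_KEY, "cn=alice", "create")          # constructed sample entries
    append(history, DEMO_KEY, "cn=alice", "add role admin")
    before = verify_history(history, PROD_KEY)   # 0: demo-signed entries fail under the new key
    resigned = resign_history(history, DEMO_KEY, PROD_KEY)
    after = verify_history(resigned, PROD_KEY)   # None: everything verifies after re-signing
    tampered = list(history)
    tampered[1] = replace(tampered[1], change="add role none")  # edit made without the key
    try:
        resign_history(tampered, DEMO_KEY, PROD_KEY)
        refused = False
    except ValueError:
        refused = True
    return before, after, refused

if __name__ == "__main__":
    print(demo())
```

The re-encryption of the secret field store follows the same shape: decrypt each secret under the old key, re-encrypt under the new one, and never leave a mixture of old- and new-key material behind, since any secret still under the demo key remains readable to anyone holding the publicly available test bootstrapping tools.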
...