Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time. Bootstrapping of production systems involves the use of various certificate authorities to generate the keys and issue the certificates used by Identity Manager.
...
If any object history entries exist, they must be re-signed using the batch_re-sign_history tool.
If any secrets exist in the database, they must be re-encrypted using the batch_secretfieldstore_change_encryption_key tool, as described in Change encryption key of secret field store.
Any previously exported configuration's signature will no longer be verifiable.
Any previously encrypted exported configuration will no longer be readable.
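The four points above describe what a key change does to data that was signed or encrypted under the old key: stored history and secrets can be migrated by the two batch tools, while signatures and ciphertexts that left the system (exported configurations) cannot. The following added example is not the product's code and does not call the batch_re-sign_history or batch_secretfieldstore_change_encryption_key tools; it models the same migration in standard-library Python, with HMAC-SHA256 standing in for the engine's signature, a small encrypt-then-MAC construction standing in for the secret field store's encryption, and constructed sample entries, so the effect of rotating OLD_KEY to NEW_KEY can be observed directly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-ins for the engine's old and new key material.
OLD_KEY = hashlib.sha256(b"constructed-old-key").digest()
NEW_KEY = hashlib.sha256(b"constructed-new-key").digest()


def sign(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the sign engine's signature."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for the keystream and the tag, derived from one master key.
    return sign(key, b"enc"), sign(key, b"mac")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC blob: nonce || ciphertext || tag (illustrative construction)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + sign(mac_key, nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not verify(mac_key, nonce + ct, tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Store:
    history: list = field(default_factory=list)  # (entry_bytes, signature) pairs
    secrets: list = field(default_factory=list)  # encrypted blobs


def rotate_keys(store: Store, old_key: bytes, new_key: bytes) -> tuple[int, int]:
    """Model of the two batch passes: re-sign history, re-encrypt secrets."""
    resigned = 0
    for i, (entry, sig) in enumerate(store.history):
        # Refuse to re-sign an entry that does not verify under the old key;
        # blindly re-signing would launder a tampered record.
        if not verify(old_key, entry, sig):
            raise ValueError(f"history entry {i} does not verify under the old key")
        store.history[i] = (entry, sign(new_key, entry))
        resigned += 1
    reencrypted = 0
    for i, blob in enumerate(store.secrets):
        store.secrets[i] = encrypt(new_key, decrypt(old_key, blob))
        reencrypted += 1
    return resigned, reencrypted


def demo() -> dict:
    store = Store()
    for entry in (b"user=alice;change=role-added", b"user=bob;change=role-removed"):
        store.history.append((entry, sign(OLD_KEY, entry)))
    store.secrets.append(encrypt(OLD_KEY, b"db-password-constructed"))
    # A configuration exported (and signed) before the key change.
    export, export_sig = b"config-export-v1", sign(OLD_KEY, b"config-export-v1")

    before = all(verify(NEW_KEY, e, s) for e, s in store.history)
    resigned, reencrypted = rotate_keys(store, OLD_KEY, NEW_KEY)
    after = all(verify(NEW_KEY, e, s) for e, s in store.history)
    return {
        "history_valid_before": before,       # False: old signatures fail under the new key
        "resigned": resigned,
        "reencrypted": reencrypted,
        "history_valid_after": after,         # True: re-sign pass fixed stored entries
        "secret_readable": decrypt(NEW_KEY, store.secrets[0]) == b"db-password-constructed",
        "export_verifiable": verify(NEW_KEY, export, export_sig),  # False: exports are not migrated
    }
```

The export signature stays invalid after the rotation because the batch passes only touch what is in the database; anything signed or encrypted and then exported must be exported again under the new key.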
...