Key rotation is the planned replacement of an old cryptographic key with a new one. Security teams rotate keys to limit the damage if a key is exposed, to retire weak or expired keys, and to keep trust systems aligned with current policy. The old key is usually revoked or phased out while the new key is distributed and approved.
In cyber security, key rotation is common for code signing, TLS certificates, API credentials, and encryption keys. For software updates, administrators may need to import a new signing key before verifying packages, so the trust store matches the publisher’s current identity. If rotation is skipped or delayed, legitimate updates can fail validation; if an attacker gets an old key, rotating quickly helps cut off its value for signing forged files or impersonating trusted software.
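To make the rotation steps above concrete, here is an added example (not code from the original entry, and not any particular package manager's implementation) that models a verifier's trust store for signed software updates with Go's standard-library Ed25519. The trust-store layout, the key IDs (`publisher-2023`, `publisher-2024`), the clock values and the package payload are all constructed for the illustration. It walks through each situation the text describes: the new key failing until the administrator imports it, an expired key being rejected, the old key being revoked after rotation, and a tampered payload failing signature verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors so a caller can tell why verification failed.
var (
	ErrUnknownKey   = errors.New("signing key not in trust store")
	ErrRevokedKey   = errors.New("signing key has been revoked")
	ErrExpiredKey   = errors.New("signing key has expired")
	ErrBadSignature = errors.New("signature does not verify")
)

// TrustedKey is one publisher key as held by the verifier (hypothetical layout).
type TrustedKey struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time
	Revoked  bool
}

// TrustStore maps a key ID to the trusted public key for that ID.
type TrustStore map[string]*TrustedKey

// Import is the "import the new signing key" step an administrator performs.
func (s TrustStore) Import(id string, pub ed25519.PublicKey, notAfter time.Time) {
	s[id] = &TrustedKey{Pub: pub, NotAfter: notAfter}
}

// Revoke marks an old key as no longer acceptable without deleting its record.
func (s TrustStore) Revoke(id string) {
	if k, ok := s[id]; ok {
		k.Revoked = true
	}
}

// Package is a signed artifact: payload, ID of the signing key, detached signature.
type Package struct {
	Payload []byte
	KeyID   string
	Sig     []byte
}

// Sign produces a Package signed with the publisher's private key.
func Sign(priv ed25519.PrivateKey, keyID string, payload []byte) Package {
	return Package{Payload: payload, KeyID: keyID, Sig: ed25519.Sign(priv, payload)}
}

// Verify checks a package against the trust store as of time now. An unknown,
// revoked or expired key is rejected before the signature is even examined.
func (s TrustStore) Verify(p Package, now time.Time) error {
	k, ok := s[p.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if k.Revoked {
		return ErrRevokedKey
	}
	if now.After(k.NotAfter) {
		return ErrExpiredKey
	}
	if !ed25519.Verify(k.Pub, p.Payload, p.Sig) {
		return ErrBadSignature
	}
	return nil
}

// RotationScenario walks one rotation from the verifier's point of view and
// returns the outcome of each step by name (nil means the package verified).
func RotationScenario() (map[string]error, error) {
	pubOld, privOld, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pubNew, privNew, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC) // constructed clock
	year := 365 * 24 * time.Hour
	payload := []byte("constructed package contents, release 1.2.3")
	store := TrustStore{}
	store.Import("publisher-2023", pubOld, now.Add(180*24*time.Hour)) // old key expires in 6 months
	oldPkg := Sign(privOld, "publisher-2023", payload)
	newPkg := Sign(privNew, "publisher-2024", payload)
	out := map[string]error{}
	out["old key, before rotation"] = store.Verify(oldPkg, now)          // nil
	out["new key, not yet imported"] = store.Verify(newPkg, now)         // ErrUnknownKey
	store.Import("publisher-2024", pubNew, now.Add(2*year))              // admin imports the new key
	out["new key, after import"] = store.Verify(newPkg, now)             // nil
	out["old key, past expiry"] = store.Verify(oldPkg, now.Add(year))    // ErrExpiredKey
	store.Revoke("publisher-2023")                                       // old key phased out
	out["old key, after revocation"] = store.Verify(oldPkg, now)         // ErrRevokedKey
	tampered := newPkg
	tampered.Payload = []byte("constructed package contents, release 1.2.4")
	out["new key, tampered payload"] = store.Verify(tampered, now)       // ErrBadSignature
	return out, nil
}

func main() {
	out, err := RotationScenario()
	if err != nil {
		panic(err)
	}
	for step, res := range out {
		fmt.Printf("%-28s -> %v\n", step, res)
	}
}
```

The order of checks in `Verify` is the practical point: whether the key is known, revoked or expired is decided before the signature is looked at, so a mathematically valid signature from a retired key is still rejected, and a package signed with the new key is rejected until the trust store has actually been updated, which is exactly the failure an administrator sees when rotation on the verifying side is skipped or delayed.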