Hello,
we are trying to rekey old principals and get rid of the old `des-*`
enctypes, possibly without any service downtime. So far we've been able
to come up with a rekeying procedure for service principals using
ktutils+kadmin
(https://github.com/bodik/rekey/blob/master/rekey.py#L415).
Now I'm a little bit wondering how to roll over the krbtgt principal. I've
found the `cpw --keepold` functionality, which nicely adds new keys
(kvno+1) for an existing principal with the requested keytypes ([kadmin]
default_keys), but I cannot find a way to selectively delete the old
key by kvno...
Any advice would be very much appreciated.
Best regards
Radoslav Bodo