Manual KMS key rotation

Canton keys can still be manually rotated even if they are externally stored in a KMS. To do that you can use the standard rotate key commands or, if you already have a pre-generated KMS key to rotate to, run the following command:

val newSigningKey = participant1.keys.secret
  .rotate_kms_node_key(
    keyFingerprint,
    newKmsKeyId,
  )

No current KMS service offers automatic rotation of asymmetric keys so the node operator needs to be responsible for periodically rotating these keys.