If a new keypair is generated because the old key pair has been compromised or the password used to encrypt the private key is forgotten, the nisupdkeys can be used to update the old public key in the directory objects.
Update the key of one particular server
Update the keys of all the servers that support an NIS+ directory object
Remove a server's public key from the directory object
Update a server's IP address, if that has changed
However, nisupdkeys cannot update the NIS_COLD_START files on the principal workstations. To update their copies of a server's keys, NIS+ clients should run the nisclient command. Or, if the NIS+ cache manager is running and more than one server is available in the coldstart file, the principals can wait until the time-to-live expires on the directory object. When that happens, the cache manager automatically updates the cold-start file. The default time-to-live is 12 hours.
To use the nisupdkeys command, you must have modify rights to the NIS+ directory object.