Replacing a secret key takes three steps: generate a new one, swap it in everywhere the old one was used, then revoke the old one so it stops working. Revoking the old key is the step that actually closes the security hole.
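The three steps as a small simulation, added here as an illustration and not taken from any particular product: a message tag made with the old key keeps verifying after the new key is generated and swapped in, and is rejected only once the old key is revoked. The `KeyRing` class, its method names, and the use of HMAC-SHA256 with key ids are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class KeyRing:
    """Hypothetical verifier-side key store: key id -> secret."""
    def __init__(self):
        self.keys, self.active = {}, None  # active = key id used for new tags

    def generate(self):
        """Step 1: create a new random key; the old key is untouched."""
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        return kid

    def swap(self, kid):
        """Step 2: sign with the new key; the old key still verifies."""
        self.active = kid

    def revoke(self, kid):
        """Step 3: drop the old key so nothing made with it is accepted."""
        if kid == self.active:
            raise ValueError("swap in a new key before revoking this one")
        self.keys.pop(kid, None)

    def sign(self, msg):
        tag = hmac.new(self.keys[self.active], msg, hashlib.sha256).hexdigest()
        return self.active, tag

    def verify(self, kid, msg, tag):
        key = self.keys.get(kid)
        if key is None:  # unknown or revoked key id
            return False
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

def rotation_demo():
    """Report whether a tag made with the old key verifies after each step."""
    ring, msg = KeyRing(), b"constructed sample message"
    old = ring.generate()
    ring.swap(old)
    kid, tag = ring.sign(msg)  # made with the key about to be replaced
    new = ring.generate()
    after_generate = ring.verify(kid, msg, tag)
    ring.swap(new)
    after_swap = ring.verify(kid, msg, tag)
    ring.revoke(old)
    return after_generate, after_swap, ring.verify(kid, msg, tag)
```

`rotation_demo()` returns the old tag's verification result after generate, swap and revoke in that order.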