diff --git a/router/java/src/net/i2p/router/Router.java b/router/java/src/net/i2p/router/Router.java
index 26271f10c021ac90b4f7815734aae46344ada44c..bdc107ff60992ad6f251f9c4409aeed1810c93e9 100644
--- a/router/java/src/net/i2p/router/Router.java
+++ b/router/java/src/net/i2p/router/Router.java
@@ -114,8 +114,8 @@ public class Router implements RouterClock.ClockShiftListener {
     public final static String PROP_DYNAMIC_KEYS = "router.dynamicKeys";
     /** deprecated, use gracefulShutdownInProgress() */
     private final static String PROP_SHUTDOWN_IN_PROGRESS = "__shutdownInProgress";
-    private static final String PROP_IB_RANDOM_KEY = TunnelPoolSettings.PREFIX_INBOUND_EXPLORATORY + TunnelPoolSettings.PROP_RANDOM_KEY;
-    private static final String PROP_OB_RANDOM_KEY = TunnelPoolSettings.PREFIX_OUTBOUND_EXPLORATORY + TunnelPoolSettings.PROP_RANDOM_KEY;
+    public static final String PROP_IB_RANDOM_KEY = TunnelPoolSettings.PREFIX_INBOUND_EXPLORATORY + TunnelPoolSettings.PROP_RANDOM_KEY;
+    public static final String PROP_OB_RANDOM_KEY = TunnelPoolSettings.PREFIX_OUTBOUND_EXPLORATORY + TunnelPoolSettings.PROP_RANDOM_KEY;
     private final static String DNS_CACHE_TIME = "" + (5*60);
     private static final String EVENTLOG = "eventlog.txt";
     private static final String PROP_JBIGI = "jbigi.loadedResource";
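Review bot: `PROP_IB_RANDOM_KEY` and `PROP_OB_RANDOM_KEY` become public here without any Javadoc, so code outside Router sees two config-key names with no statement of what is stored under them. Add a doc comment to each, for example `/** Config key for the inbound exploratory peer-ordering key: Base64 of 32 random bytes, replaced on rekey. */`, and an `@since` tag for the release that widens the visibility. Since the stored value is persistent key material, the comment is also a reasonable place to say that callers should use the name only to set or replace the value, and should not log or export what is stored under it.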
@@ -621,6 +621,7 @@ public class Router implements RouterClock.ClockShiftListener {
 
         synchronized(_configFileLock) {
             // persistent key for peer ordering since 0.9.17
+            // These will be replaced in CreateRouterInfoJob if we rekey
             if (!_config.containsKey(PROP_IB_RANDOM_KEY)) {
                 byte rk[] = new byte[32];
                 _context.random().nextBytes(rk);
diff --git a/router/java/src/net/i2p/router/startup/CreateRouterInfoJob.java b/router/java/src/net/i2p/router/startup/CreateRouterInfoJob.java
index 47f5921dcc73327aa5e18b76af92ee605082d8dd..01ec4ce977d4f66c44f2f02e0e1ee82f9732d0ab 100644
--- a/router/java/src/net/i2p/router/startup/CreateRouterInfoJob.java
+++ b/router/java/src/net/i2p/router/startup/CreateRouterInfoJob.java
@@ -13,9 +13,12 @@ import java.io.File;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.security.GeneralSecurityException;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Properties;
 
 import net.i2p.crypto.SigType;
+import net.i2p.data.Base64;
 import net.i2p.data.Certificate;
 import net.i2p.data.DataFormatException;
 import net.i2p.data.DataHelper;
@@ -144,6 +147,15 @@ public class CreateRouterInfoJob extends JobImpl {
                                                     privkey, signingPrivKey, padding);
             pkf.write();
             
+            // set or overwrite old random keys
+            Map<String, String> map = new HashMap<String, String>(2);
+            byte rk[] = new byte[32];
+            getContext().random().nextBytes(rk);
+            map.put(Router.PROP_IB_RANDOM_KEY, Base64.encode(rk));
+            getContext().random().nextBytes(rk);
+            map.put(Router.PROP_OB_RANDOM_KEY, Base64.encode(rk));
+            getContext().router().saveConfig(map, null);
+
             getContext().keyManager().setKeys(pubkey, privkey, signingPubKey, signingPrivKey);
             
             if (_log.shouldLog(Log.INFO))
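Review bot: The result of `getContext().router().saveConfig(map, null)` is discarded, so a failed config write leaves the old peer-ordering keys on disk next to the identity that `pkf.write()` has just replaced. Keeping the old values across a rekey is presumably what this change is meant to prevent, and here it would happen silently. Router.saveConfig appears to return a success flag (its declaration is not in this diff); check it and report the failure, e.g. `if (!getContext().router().saveConfig(map, null)) _log.error("Failed to save new exploratory random keys after rekey");`. Because the key file is written before the config, a crash between the two calls leaves the same mismatch, so consider saving the random keys first. The enclosing method starts and ends outside the hunk.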