diff --git a/defaults/main.yml b/defaults/main.yml
index be58c77..ee20661 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,8 +29,12 @@ ceph_gpg_keys:
   - key_name: 'ceph'
     keyserver: 'hkp://keyserver.ubuntu.com:80'
     fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
-    hash_id: '0x7ebfdd5d17ed316d'
+    hash_id: '0xe84ac2c0460f3994'
 
+# The apt-key command won't del a key when you give it the hash_id, so we have
+# to use the short key ID here instead.
+ceph_revoked_gpg_keys:
+  - '17ED316D'
 
 # Ceph Repositories
 ceph_apt_repo_url_region: "www" # or "eu" for Netherlands based mirror
diff --git a/tasks/ceph_preinstall.yml b/tasks/ceph_preinstall.yml
index 6994398..32d3c14 100644
--- a/tasks/ceph_preinstall.yml
+++ b/tasks/ceph_preinstall.yml
@@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Remove revoked ceph apt-keys
+  apt_key:
+    id: "{{ item }}"
+    state: "absent"
+  register: revoke_keys
+  with_items: ceph_revoked_gpg_keys
+  tags:
+    - ceph-apt-keys
+
 - name: Add ceph apt-keys
   apt_key:
     id: "{{ item.hash_id }}"
@@ -52,3 +61,14 @@
   tags:
     - ceph-repos
 
+# This is being added specifically for when a key is revoked, but should apply
+# to other tasks also. The cache needs updating after changing keys but
+# ceph_install.yml (where packages get installed) only does so if cache > 600
+# seconds.
+- name: Update apt cache
+  apt:
+    update_cache: yes
+  when: revoke_keys|changed or add_keys|changed or add_keys_fallback|changed or add_repos|changed
+  tags:
+    - ceph-apt-keys
+    - ceph-repos
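Review bot: The revoked key is identified only by the 8-hex short ID `'17ED316D'` (the tail of the removed `0x7ebfdd5d17ed316d`), and short key IDs are not unique, so a deletion keyed on it can match a different key that happens to share the suffix. The comment records that deleting by `hash_id` failed; it is worth checking whether that was the `0x` prefix rather than the long form itself, since `apt-key del` with the 16-hex long ID `'7EBFDD5D17ED316D'` or the full fingerprint would pin exactly the revoked key — verify against the apt version in use before changing it. The comment should also state why the old key was revoked and where `0xe84ac2c0460f3994` was obtained, so the rotation can be audited later, e.g. `# Old key 7EBFDD5D17ED316D was revoked upstream on <date placeholder>; new key taken from <source placeholder>.`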
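Review bot: `with_items: ceph_revoked_gpg_keys` passes the variable name as a bare string; that bare-variable loop form is deprecated in Ansible and, once removed, the task iterates over the literal string and tries to delete a key named `ceph_revoked_gpg_keys`, so write `with_items: "{{ ceph_revoked_gpg_keys }}"`. The task is tagged only `ceph-apt-keys` while it registers `revoke_keys` for use by the cache-update task later in this file, which carries both tags; the consequence is raised on that hunk. `state: "absent"` is fine, but ordering matters here and the removal correctly precedes the "Add ceph apt-keys" task that follows.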
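Review bot: The `when:` expression dereferences `revoke_keys`, `add_keys`, `add_keys_fallback` and `add_repos` unconditionally, but this task is tagged with both `ceph-apt-keys` and `ceph-repos`; a run limited to `--tags ceph-repos` skips the key tasks, leaves `revoke_keys` (and presumably `add_keys`/`add_keys_fallback`, which look to be registered by the key tasks above, outside this hunk) undefined, and the conditional errors instead of refreshing the cache. Defaulting each register keeps the task usable under either tag: `when: revoke_keys|default({})|changed or add_keys|default({})|changed or add_keys_fallback|default({})|changed or add_repos|default({})|changed`. Also prefer `update_cache: true` over `yes` to avoid the YAML 1.1 truthy ambiguity that yamllint flags.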