diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index 555b070..593cda5 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -1,6 +1,8 @@
 package com.mx.path.service.facility.security.vault;
 import java.nio.charset.StandardCharsets;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Map;
@@ -8,9 +10,11 @@
 import javax.annotation.Nullable;
+import com.google.common.collect.ImmutableMap;
 import lombok.Getter;
 import lombok.Setter;
+import com.bettercloud.vault.SslConfig;
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
@@ -116,6 +120,9 @@ public final void rotateKeys() {
 return;
 }
+ LOGGER.info("rotateKeys.currentKeyVersion = " + key.currentKeyVersion());
+ LOGGER.info("rotateKeys.numKeysToKeep = " + configuration.getNumKeysToKeep());
+ LOGGER.info("rotateKeys.minDecryptVersion = " + (key.currentKeyVersion() - configuration.getNumKeysToKeep()));
 int minDecryptVersion = key.currentKeyVersion() - configuration.getNumKeysToKeep();
 if (minDecryptVersion < 1) {
@@ -137,6 +144,7 @@ final Vault buildVaultDriver(@Nullable String authToken) {
 .token(authToken)
 .engineVersion(configuration.getEngineVersion())
 .address(configuration.getUri())
+// .sslConfig(new SslConfig().verify(false).build())
 .build();
 Vault newDriver = new Vault(vaultConfig);
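Review bot: `java.time.LocalDateTime` and `java.time.ZoneOffset` are added in this hunk and `com.bettercloud.vault.SslConfig` in the next, but no hunk in this diff uses the first two, and `SslConfig` appears only on the commented-out `.sslConfig(...)` line in `buildVaultDriver`, so at least that one is an unused import that should go together with the dead line. The `java.time` imports may be consumed by a change outside this chunk; if they are not, drop them as well. `com.google.common.collect.ImmutableMap` is also placed between the `javax` and `lombok` imports rather than next to the other third-party `com.*` imports below, which the file's existing grouping suggests is where it belongs.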
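Review bot: The third added `LOGGER.info` line recomputes `key.currentKeyVersion() - configuration.getNumKeysToKeep()`, which the very next line assigns to `minDecryptVersion`, so the expression is evaluated twice and the two copies can drift when one is edited. Log once after the assignment, and at debug rather than info level since this is per-rotation diagnostic detail: `LOGGER.debug("rotateKeys: currentKeyVersion={} numKeysToKeep={} minDecryptVersion={}", key.currentKeyVersion(), configuration.getNumKeysToKeep(), minDecryptVersion);` — assuming LOGGER is an SLF4J-style logger with `{}` placeholders, which the existing `LOGGER.warn("...", e)` form suggests but this chunk does not confirm. rotateKeys starts and ends outside the hunk.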
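Review bot: The commented-out `.sslConfig(new SslConfig().verify(false).build())` line should not be committed: it records a way to switch off TLS certificate verification for the Vault connection, and a dead line like this tends to be uncommented in a hurry and then forgotten. If an unverified connection is genuinely needed for a local development Vault, make it an explicit configuration flag that defaults to verification enabled and log a warning when it is off, e.g. `.sslConfig(new SslConfig().verify(configuration.isSslVerify()).build())`, where `isSslVerify` is a placeholder name not present in the visible configuration type. Otherwise delete the line and the `SslConfig` import with it. buildVaultDriver continues outside the hunk.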
@@ -197,7 +205,14 @@ final VaultTransitKey loadKey() {
 */
 final void setMinDecryptionVersion(int minDecryptionVersion) {
 try {
- VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
+ //FIXME this is not setting `min_encryption_version` or `min_available_version`
+ //FIXME should `min_available_version` and `min_decyprtion_version` always be the same and `min_encryption_version` be ahead?
+// VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), Collections.singletonMap("min_decryption_version", minDecryptionVersion));
+ VaultResponse response = logicalWriteWithReauthentication("transit/keys/" + configuration.getKeyName(), ImmutableMap.of(
+ "min_decryption_version", minDecryptionVersion,
+ "min_encryption_version", minDecryptionVersion,
+ "min_available_version", minDecryptionVersion
+ ));
 validateVaultOperationResponse(response, "Unable to update vault key");
 } catch (RuntimeException e) {
 LOGGER.warn("Unable to update vault key", e);
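Review bot: Setting `min_available_version` to the same value as `min_decryption_version` changes what a rotation does: in the Vault transit API as I recall it, `min_available_version` is the trim threshold that permanently deletes key versions below it, whereas lowering only `min_decryption_version` keeps older versions archived and reversible, so any ciphertext still encrypted under a trimmed version becomes unrecoverable. Setting `min_encryption_version` to the same value also allows encryption with any version in the retained window rather than only the latest; `0` (latest) is the usual choice after a rotation. Those parameters belong to `transit/keys/<name>/config` and `transit/keys/<name>/trim` respectively in the Vault HTTP API, while this call still writes to `transit/keys/<name>`, so confirm against the deployed Vault version that the write is honoured rather than ignored. The two `FIXME` lines and the commented-out previous call should be resolved before merge, and the method's Javadoc, which begins above the hunk, should state that the call trims key versions if that is the intent. setMinDecryptionVersion continues outside the hunk.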