Kubernetes 1.9.6 and rotating ServiceAccount credentials

We are using Kubernetes 1.96 which we upgraded from 1.7.3. Our controller-manager settings has both the --service-account-private-key-file (which I believe is deprecated/non-functional) AND the --use-service-account-credentials setting. I’m not really sure what the latter does. Are the tokens being signed?

Our apiserver does not explicitly set the --service-account-keyfile so I suppose that its defaulting to our tls-private-key-file setting.

For reasons I won’t go into here, we would like to rotate/refresh all of the service tokens on the cluster. I’ve seen some discussion about this online, however the discussion references the service-account-private-key-file setting on the controller, which I thought was deprecated/non-functional in 1.9.6,

Any help would be appreciated