When a roaming communication unit (15) requires an updated encryption key to ensure continued secure communications with other communication units of its home system, it transmits a rekey request to a base site (16) for the system (14) in which it has a presence. The latter provides the rekey request to a key management facility (17) for that system. This key management facility, in turn, provides the rekey request to the key management facility (13) for the roaming communication unit's home system (10). The latter then forwards a rekeying message that includes a rekeying encryption key to the roaming communication unit (15) with the second system's key management facility (17) acting as an intermediary. In a preferred embodiment, the rekey message is encrypted using an encryption key that is presently available to the roaming communication unit but not to the second system's key management facility. Therefore, although the latter acts as an intermediary to facilitate the rekeying process, the latter is not able to decrypt the rekeying message and thereby gain access to the encryption key or keys of the roaming communication unit's home system.