We encountered an issue where, due to how the node was restarted, it lost its legal identity key from its keystore (but critically the doorman signed key was intact). It had already successfully published this key to the network map, and the key had been used in transactions by other participants. On restart the node, detecting no legal identity key, generated a new key pair and published that to the network map. Corda is not designed to handle this (yet), and so it caused a whole load of issues, both for itself and the rest of the network.
The simple solution is, before generating the new legal identity key pair, to check the identity store in the db to see if the node already has a key pair for the same X.500 name. If so, prevent the node from starting up (with a good error message explaining why), as we can't allow it to contaminate everyone.
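A sketch of the proposed startup check, added here as an illustration and not taken from the Corda code base. The maps standing in for the key store and the identity store, the alias, the exception type and the function names are all hypothetical. It also covers the neighbouring case where a key is present but differs from the one already recorded.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.PublicKey

// Hypothetical stand-ins, not Corda classes: keyStore maps alias -> key pair,
// identityStore maps X.500 name -> public key already recorded in the node's db.
class IdentityKeyConflictException(message: String) : IllegalStateException(message)

const val IDENTITY_ALIAS = "legal-identity" // assumed alias, for illustration only

fun generateKeyPair(): KeyPair =
    KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair()

fun loadOrCreateLegalIdentity(
    x500Name: String,
    keyStore: MutableMap<String, KeyPair>,
    identityStore: MutableMap<String, PublicKey>
): KeyPair {
    val stored = keyStore[IDENTITY_ALIAS]
    val recorded = identityStore[x500Name]
    return when {
        // Normal restart: key store and db agree on the key for this name.
        stored != null && recorded != null &&
            stored.public.encoded.contentEquals(recorded.encoded) -> stored
        // A key is present, but the db already knows a different one for this name.
        stored != null && recorded != null -> throw IdentityKeyConflictException(
            "Identity key in the key store does not match the key recorded for '$x500Name'.")
        // The case in this report: key gone from the key store, but already recorded.
        recorded != null -> throw IdentityKeyConflictException(
            "No legal identity key in the key store, but the identity store already holds " +
                "a key for '$x500Name'. Refusing to generate a new key pair.")
        // Key present but never recorded: record it and carry on.
        stored != null -> stored.also { identityStore[x500Name] = it.public }
        // First start: nothing anywhere, so generating a key pair is safe.
        else -> generateKeyPair().also {
            keyStore[IDENTITY_ALIAS] = it
            identityStore[x500Name] = it.public
        }
    }
}

fun main() {
    val name = "O=Example Bank, L=London, C=GB" // constructed sample name
    val keyStore = mutableMapOf<String, KeyPair>()
    val identityStore = mutableMapOf<String, PublicKey>()
    val first = loadOrCreateLegalIdentity(name, keyStore, identityStore)
    check(loadOrCreateLegalIdentity(name, keyStore, identityStore) === first)
    keyStore.clear() // simulate the restart that lost the identity key
    val failure = runCatching { loadOrCreateLegalIdentity(name, keyStore, identityStore) }
    check(failure.exceptionOrNull() is IdentityKeyConflictException)
    println(failure.exceptionOrNull()?.message)
}
```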