afaik military and likely police radios dont talk to a central server or anything like in the world of internet. hence some things logical on the internet ate very impractical if not impossible or too risky (single points of failure).

its an interesting domain but hard to get solid info on unless you are working on these types of projects or for some MoD somewhere. most info out there on the net is about old tech.

as far as i know preshared keys are common. hard to rekey ofc in case of compromise so likely they have some tricks up their sleeves to make sure if for instance a unit is overtaken by enemy not all coms are compromised by this key in the device. (guesswork here ofc..) dont think much of this stuff uses priv/pub keys and https or vpn like auth schemes etc.

Pre-shared, static keys are unfortunately quite common. However, the P25 standard does provide for re-keying over they air through a process known as OTAR (Over The Air Re-keying).

To put it very simply, radios communicate with a central Key Management Facility (KMF) using a special key (UKEK, Unique Key Encryption Key) to securely transport the new key material. There's more to it than that, of course, but these features are heavily used by the feds and also by larger state and local systems -- because manually re-keying each radio is a huge pain.