Renew KES Keys

Typical procedure for renewing KES keys

UPDATED: 12/12/24 to include conway CLI comands

Credits to Earn Coin Pool for documenting the procedure.

Please note: paths in this guide are based on Coincashew guide on how to build a stake pool. Please adjust paths as necessary.

Step 1 - Find the starting KES period

On node run the following commands:

slotNo=$(cardano-cli conway query tip --mainnet | jq -r '.slot')
slotsPerKESPeriod=$(cat $NODE_HOME/${NODE_CONFIG}-shelley-genesis.json | jq -r '.slotsPerKESPeriod')
kesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))
startKesPeriod=${kesPeriod}
echo startKesPeriod: ${startKesPeriod}

Step 2 - Look up Operational Certificate Numbers

There are two different methods you can use, please review and select your preferred method.

When it's time to update your KES you can run the following command on your block producer to confirm you have the correct Operational Certificate Numbers

Note path to node.cert and adjust if needed. Path in example is based off Coincashew guide for setting up a stake pool.

cardano-cli conway query kes-period-info --mainnet  \
  --op-cert-file $NODE_HOME/node.cert

Results should look similar to the following:

✓ The operational certificate counter agrees with the node protocol state counter
✓ Operational certificate's kes period is within the correct KES period interval
{
    "qKesNodeStateOperationalCertificateNumber": 4,
    "qKesCurrentKesPeriod": 505,
    "qKesOnDiskOperationalCertificateNumber": 4,
    "qKesRemainingSlotsInKesPeriod": 6832926,
    "qKesMaxKESEvolutions": 62,
    "qKesKesKeyExpiry": "2022-09-22T21:44:51Z",
    "qKesEndKesInterval": 558,
    "qKesStartKesInterval": 496,
    "qKesSlotsPerKesPeriod": 129600
}

This line is the Operational Certificate that your pool used to mint its last block "qKesNodeStateOperationalCertificateNumber": 4,

This line is the counter number of your current Operational Certificate: "qKesOnDiskOperationalCertificateNumber": 4,

Step 3 - Make a new KES pair

KES files in this example with be created to our $NODE_HOME directory. Adjust if needed.

In this step we will create a new KES pair (kes.vkey and kes.skey)

⚠️ON AIR GAPPED MACHINE: run the following commands:

cd $NODE_HOME
cardano-cli conway node key-gen-KES \
    --verification-key-file kes.vkey \
    --signing-key-file kes.skey

Step 4 - Verify the current value of your node.counter is valid.

⚠️STILL ON AIR GAPPED MACHINE:

navigate to where your node.counter file is. 📁In this example it's located in our home directory in a folder called: cold-keys. So we run this command to output node.counter information.

cat $HOME/cold-keys/node.counter

✍️Take note that "Next certificate issue number: x"

node.counter MUST be ONE greater than the most recently created block's OpCertC or "qKesNodeStateOperationalCertificateNumber" value. Depending which method you used in Step 2

For example, if your OpCertC value is 4 for your last block, then your node.counter should read "Next certificate issue number: 5" Likewise if you used CLI method if "qKesNodeStateOperationalCertificateNumber": 4, our node.counter should read "Next certificate issue number: 5"

If your "Next certificate issue number" is one higher you are all set and can continue to the Step 5.

Step 5 - Create the new node.cert

⚠️STILL ON AIR GAPPED MACHINE: Create a new node.cert file with the following command.

Update <startKesPeriod> with the value from above from Step 1

Then run this command by replacing "<startKesPeriod>" with correct number from Step 1 Example: --kes-period 503 \

cd $NODE_HOME
cardano-cli conway node issue-op-cert \
    --kes-verification-key-file kes.vkey \
    --cold-signing-key-file $HOME/cold-keys/node.skey \
    --operational-certificate-issue-counter $HOME/cold-keys/node.counter \
    --kes-period <startKesPeriod> \
    --out-file node.cert

Step 6 - Copy node.cert and kes.skey back to your block producer node.

Copy your new node.cert and kes.skey file to your block producer node

Step 7 - Restart Node on block producer

Now restart cardano node on your block producer with following command

sudo systemctl restart cardano-node

Step 8 - Check if correct

Once you update your KES you can run the following command on your block producer to confirm you have the correct OpCertC

Note path to node.cert and adjust if needed. Path in example is based off Coincashew guide for setting up a stake pool.

cardano-cli conway query kes-period-info --mainnet  \
  --op-cert-file $NODE_HOME/node.cert

Results should look similar to the following:

✓ The operational certificate counter agrees with the node protocol state counter
✓ Operational certificate's kes period is within the correct KES period interval
{
    "qKesNodeStateOperationalCertificateNumber": 4,
    "qKesCurrentKesPeriod": 505,
    "qKesOnDiskOperationalCertificateNumber": 5,
    "qKesRemainingSlotsInKesPeriod": 6832926,
    "qKesMaxKESEvolutions": 62,
    "qKesKesKeyExpiry": "2022-09-22T21:44:51Z",
    "qKesEndKesInterval": 558,
    "qKesStartKesInterval": 496,
    "qKesSlotsPerKesPeriod": 129600
}

The first line after checks should show last node counter. For our example the last OpCertC number for our last block was 4. So it should read: "qKesNodeStateOperationalCertificateNumber": 4,

Make note of "qKesKesKeyExpiry": date.

Congratulations you did it!

Step 10 - Back up

If update successful:

Best practice recommendation: It's now a good time to make a new backup of your new node.counter file and cold-keys directory to another USB drive or other offline location.

Contributors

Thanks to the following pools for helping to put together these guides. Please consider delegating to their pools to support them. Are you a pool? Consider buying them a coffee

Apex Cardano Pool - Ticker: APEX

Earn Coin Pool - Ticker: ECP

Envy Stake Pool - Ticker ENVY

PGWAD

xSPO Alliance

Last updated