Renew KES Keys
Typical procedure for renewing KES keys
UPDATED: 12/12/24 to include conway CLI commands
Step 1 - Find the starting KES period
On the node, run the following commands:
slotNo=$(cardano-cli conway query tip --mainnet | jq -r '.slot')
slotsPerKESPeriod=$(cat $NODE_HOME/${NODE_CONFIG}-shelley-genesis.json | jq -r '.slotsPerKESPeriod')
kesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))
startKesPeriod=${kesPeriod}
echo startKesPeriod: ${startKesPeriod}
Write down this number; you will need it when you run the steps on your Air Gapped Machine.
Step 2 - Look up Operational Certificate Numbers
There are two different methods you can use; please review them and select your preferred method.
When it's time to update your KES, run the following command on your block producer to confirm you have the correct Operational Certificate Numbers:
cardano-cli conway query kes-period-info --mainnet \
--op-cert-file $NODE_HOME/node.cert
Results should look similar to the following:
✓ The operational certificate counter agrees with the node protocol state counter
✓ Operational certificate's kes period is within the correct KES period interval
{
"qKesNodeStateOperationalCertificateNumber": 4,
"qKesCurrentKesPeriod": 505,
"qKesOnDiskOperationalCertificateNumber": 4,
"qKesRemainingSlotsInKesPeriod": 6832926,
"qKesMaxKESEvolutions": 62,
"qKesKesKeyExpiry": "2022-09-22T21:44:51Z",
"qKesEndKesInterval": 558,
"qKesStartKesInterval": 496,
"qKesSlotsPerKesPeriod": 129600
}
If these numbers are NOT the same, for example NodeState=4 and OnDisk=5, then you need to roll back your counter. In this case the node counter would need to be rolled back from 5 to 4.
Also, if you have never made a block, you will need to roll back your counter to 0.
To roll back your counter, see our guide here. If, for example, NodeState and OnDisk are both 4, then you are all set and can proceed.
Write down this number; you will need it when you run the steps on your Air Gapped Machine.
Step 3 - Make a new KES pair
In this step we will create a new KES pair (kes.vkey and kes.skey).
⚠️ON AIR GAPPED MACHINE: run the following commands:
cd $NODE_HOME
cardano-cli conway node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey
Step 4 - Verify that the current value of your node.counter is valid
⚠️STILL ON AIR GAPPED MACHINE:
Navigate to where your node.counter file is. 📁In this example it's located in our home directory in a folder called cold-keys, so we run this command to output the node.counter information:
cat $HOME/cold-keys/node.counter
✍️Take note of the line "Next certificate issue number: x".
For example, if your OpCertC value is 4 for your last block, then your node.counter should read "Next certificate issue number: 5". Likewise, if you used the CLI method and it reported "qKesNodeStateOperationalCertificateNumber": 4, your node.counter should read "Next certificate issue number: 5".
If your "Next certificate issue number" is one higher, you are all set and can continue to Step 5.
Step 5 - Create the new node.cert
⚠️STILL ON AIR GAPPED MACHINE: Create a new node.cert file with the following command.
Replace <startKesPeriod> with the value you wrote down in Step 1.
Then run this command with "<startKesPeriod>" replaced by the correct number from Step 1 (example: --kes-period 503 \).
cd $NODE_HOME
cardano-cli conway node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file $HOME/cold-keys/node.skey \
--operational-certificate-issue-counter $HOME/cold-keys/node.counter \
--kes-period <startKesPeriod> \
--out-file node.cert
Step 6 - Copy node.cert and kes.skey back to your block producer node.
Copy your new node.cert and kes.skey files to your block producer node.
Step 7 - Restart Node on block producer
Now restart cardano-node on your block producer with the following command:
sudo systemctl restart cardano-node
Step 8 - Check if correct
Once you have updated your KES, run the following command on your block producer to confirm you have the correct OpCertC:
cardano-cli conway query kes-period-info --mainnet \
--op-cert-file $NODE_HOME/node.cert
Results should look similar to the following:
✓ The operational certificate counter agrees with the node protocol state counter
✓ Operational certificate's kes period is within the correct KES period interval
{
"qKesNodeStateOperationalCertificateNumber": 4,
"qKesCurrentKesPeriod": 505,
"qKesOnDiskOperationalCertificateNumber": 5,
"qKesRemainingSlotsInKesPeriod": 6832926,
"qKesMaxKESEvolutions": 62,
"qKesKesKeyExpiry": "2022-09-22T21:44:51Z",
"qKesEndKesInterval": 558,
"qKesStartKesInterval": 496,
"qKesSlotsPerKesPeriod": 129600
}
The third line of the JSON should match the next certificate issue number we wanted. For our example it needed to be 5, ONE number higher than the OpCertC of 4, so it should look like: "qKesOnDiskOperationalCertificateNumber": 5,
Congratulations, you did it!
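The following script is an added example and is not part of this guide or of cardano-cli. It performs the bookkeeping checks from Steps 1, 2, 4 and 8 offline: it computes the starting KES period from a slot number, compares the node-state and on-disk counters in the kes-period-info output, checks that node.counter announces the expected next issue number, and checks the post-restart state. All inputs are constructed sample values shaped like the output shown above (the node.counter envelope layout with its "description" line is assumed, and its cborHex is a placeholder); fields are pulled out with sed rather than jq so the script needs only POSIX tools. Nothing here talks to a running node, and nothing reads node.skey: the cold keys stay on the Air Gapped Machine and only node.cert and kes.skey travel to the block producer.

```shell
#!/bin/sh
# Added example, not part of the original guide: offline checks for the KES
# renewal bookkeeping. All sample data below is constructed.

# Step 1: starting KES period = current slot / slotsPerKESPeriod (integer division).
kes_period() {
  echo $(( $1 / $2 ))
}

# Read one numeric field from the flat JSON printed by `query kes-period-info`.
# sed rather than jq, so only POSIX tools are needed.
json_number() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Step 2: before issuing a new certificate, the on-disk counter must equal the
# node protocol state counter. On a mismatch, report the value to roll back to.
precheck_counters() {
  node_state=$(json_number qKesNodeStateOperationalCertificateNumber "$1")
  on_disk=$(json_number qKesOnDiskOperationalCertificateNumber "$1")
  if [ "$node_state" = "$on_disk" ]; then
    echo "counters agree at $node_state"
    return 0
  fi
  echo "mismatch: node state $node_state, on disk $on_disk; roll back counter to $node_state"
  return 1
}

# Step 4: extract x from the "Next certificate issue number: x" description.
next_issue_number() {
  printf '%s\n' "$1" | sed -n 's/.*Next certificate issue number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# node.counter is valid when it announces node_state + 1.
counter_file_ok() {
  node_state=$(json_number qKesNodeStateOperationalCertificateNumber "$2")
  [ "$(next_issue_number "$1")" = "$(( node_state + 1 ))" ]
}

# Step 8: right after the restart (before the new certificate has made a block)
# the on-disk counter is node_state + 1, and the current period lies inside the
# certificate's KES interval.
postcheck() {
  node_state=$(json_number qKesNodeStateOperationalCertificateNumber "$1")
  on_disk=$(json_number qKesOnDiskOperationalCertificateNumber "$1")
  cur=$(json_number qKesCurrentKesPeriod "$1")
  start=$(json_number qKesStartKesInterval "$1")
  end=$(json_number qKesEndKesInterval "$1")
  [ "$on_disk" -eq "$(( node_state + 1 ))" ] && [ "$cur" -ge "$start" ] && [ "$cur" -le "$end" ]
}

# Constructed sample: kes-period-info output before renewal (Step 2).
BEFORE_INFO='{
  "qKesNodeStateOperationalCertificateNumber": 4,
  "qKesCurrentKesPeriod": 505,
  "qKesOnDiskOperationalCertificateNumber": 4,
  "qKesEndKesInterval": 558,
  "qKesStartKesInterval": 496,
  "qKesSlotsPerKesPeriod": 129600
}'

# Constructed sample: the same query after the new node.cert is in place (Step 8).
AFTER_INFO='{
  "qKesNodeStateOperationalCertificateNumber": 4,
  "qKesCurrentKesPeriod": 505,
  "qKesOnDiskOperationalCertificateNumber": 5,
  "qKesEndKesInterval": 558,
  "qKesStartKesInterval": 496,
  "qKesSlotsPerKesPeriod": 129600
}'

# Constructed sample of a node.counter text envelope; cborHex is a placeholder.
COUNTER_FILE='{
  "type": "NodeOperationalCertificateIssueCounter",
  "description": "Next certificate issue number: 5",
  "cborHex": "<placeholder, not a real value>"
}'

echo "startKesPeriod: $(kes_period 65448000 129600)"
precheck_counters "$BEFORE_INFO" || echo "fix the counter before Step 3"
if counter_file_ok "$COUNTER_FILE" "$BEFORE_INFO"; then echo "node.counter is ready for Step 5"; fi
if postcheck "$AFTER_INFO"; then echo "renewal looks correct"; else echo "renewal check failed"; fi
```

To use it against real output, pipe the kes-period-info JSON and the contents of node.counter into the functions in place of the constructed samples; the checks deliberately fail closed, so an empty or unexpected field stops the script rather than passing.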
Step 10 - Back up
If update successful:
Contributors
Thanks to the following pools for helping to put together these guides. Please consider delegating to their pools to support them. Are you a pool? Consider buying them a coffee.