How to update KES key to an active running pool?

We all know that we need to update KES key periodically on the mainnet. However I don’t find an authorative description for this process. Here is my understanding. Can someone confirm so that we are sure we are not missing anything?

  • create a new pair of kes key (kes.skey, kes.vkey)
    cardano-cli node key-gen-KES \
        --verification-key-file kes.vkey \
        --signing-key-file kes.skey
  • re-generate node certificate
    cardano-cli node issue-op-cert \
        --kes-verification-key-file kes.vkey \
        --cold-signing-key-file node.skey \
        --operational-certificate-issue-counter node.counter \
        --kes-period  ${startKesPeriod}\
        --out-file node.cert
  • copy all 3 files over to producer node and restart cardano-node service.


Seems alright.
this gives you the startKesPeriod and has to be run on online synced note = not the one where you keep your node.skey and node.counter

slotsPerKESPeriod=$(cat NODE_HOME/{NODE_CONFIG}-shelley-genesis.json | jq -r ‘.slotsPerKESPeriod’)

slotNo=$(cardano-cli query tip --mainnet | jq -r ‘.slot’)

startKesPeriod=(({slotNo} / ${slotsPerKESPeriod}))

1 Like

yes, once you have the KesPeriod as @Triton-pool suggest you are good to go, here is the description for this process from Cardano project site: