KES - Can't rotate my KES keys

Hi all,
It’s not the first time I am rotating my keys, but this time for an unknown reason I can’t rotate them.
There is probably something I am doing wrong but I don’t see what.

I used the latest and followed each step on my producer node and on my air-gap machine. Everything seems to be correct, kes period, counter values. Nothing showing me that something went wrong renewing the node.cert.

But from journalctl, I still can see after restarting my block producer : Operational key will expire in 7 KES periods
Any idea what else should I check ?


hmm… do you wanna give the Stakepool Operator Scripts a try?

You can find them here:

You only need the and set your enviroment in the first few lines.

And than the script 04c and 04d to rotate the kes keys and generate a new opcert.

All thats needed is to have the pool keys in the right naming format like:

And than you can run script 04c and 04d.

With your current setup, the keys for the blockproducer must be in chmod 400 xxx access. So only the owner can read them. Maybe you have not really overwritten the old files with the new ones because of this? Try to set it to chmod 600 xxx first and retry it to update them.

Best regards, Martin

Hi Martin,

Thanks for your answer.

I have been redoing the operation setting keys and cert 600 to be sure they are overwritten. Unfortunately, the result is the same restating the node producer.
Yes I know for the +wrx access on Linux, but I didn’t have that problem before.

You wrote the keys must have the format:
xxx.node.skey … what means in your naming convention the xxx prefix ?

I checked the, and I really use only the very first lines of the environment. Is it a problem?

Kind regards, Olivier

Yes you just need to set a few things in the file, the cardano-cli/node and the genesisfiles are important in your case.

With xxx.node.skey, the xxx must be a name of your choice like mypool.node.skey

You than call the script 04c like ./ mypool cli to generate new kes keys for the pool mypool as normal cli-keys (not encrypted).

And the same goes for 04d like ./ mypool to generate the new opcert. If the machine has online access or a running node, the script will check the latest opcert counter on chain and increment it by one for the new opcert. If this is on an offline machine, please check your current opcert counter number first using for example and look at your produced blocks, there you find the opcert number. Than you can force the script to use this given opcertcounter number as the next one like: ./ mypool <number>. The time/clock of the machine must be correct to do so.

You can find all kinds of examples and how-to in the readme here too:

Please give it a try.

Looking forward to your outcome… best regards, Martin.


Are you sure you’re using the new node.cert on your BP after copying it from your air-gapped node to your BP ?

Hello Kirael,

Yes 100% sure. I can easily check the node.cert values inside.

I will give a try somewhere tomorrow.

I had the same issue a few months ago, and I realized I missed something to do at that time. But this time I don’t see what I missed. I checked the kes.vkey, skey content values and I am sure they were correctly copied to generate the new node.cert file and the node.cert file generated was correctly copied to my block producer. Also, and I will check it again, the counter value on my air-gapped machine is +1 compared to my block producer. I never minted a block, the null value is correct for qKesNodeStateOperationalCertificateNumber.

I hesitated to open this topic on the forum as I tried many times to rotate the keys without luck.
Thx all.

Kind regards.

FYI i wrote the script you re using (for coincashew setups).

I’m using it every time i have to rotate my cert and kes keys.

Let me know if you need help, we can check together your setup.


I tried your script, but I have errors on the checkError and file_lock commands. I use 2 separated virtual machines having no connection between them. I am transferring the files using sftp manually.

It’s the first time I am using your script. Your script is perfectly running fine. I am following the instructions and running manually the node cert creation. In between, the kes keys are copied using sftp to my air-gapped machine offline and the node cert is copied the same way to the node producer.

I think I might need help to check my setup.
But really, I don’t see what as changed that I can’t rotate the keys.
Thx to both of you.

hard to say, but if file_lock throws an error, it looks like you’re not using it as the correct user. maybe you don’t have the rights to do a chmod? file_lock is just doing that, setting the file via chmod to 400

best regards,

Hi Martin,

Thx for your answer.
No, it’s just command not found. I don’t know with which package these commands are coming. It seems that these commands are not installed on my running system. I am running as root, so no problem.

Can I bypass this step and just transfer the new created keys to my air-gapped offline machine and there run the other script to generate the node.cert? Then I will transfer the created node.cert manually using sftp?

Kind regards.

mhh… did you also download the file?

Yes I did download it too and modified the necessary options I am using.

Problem is solved.
I have been mixing commands to run on the air-gapped machine and the production node.
Keys have been rotated correctly.

Thx for your help.

1 Like