hello to all, i have a block producer node that i would like to retire. i forgot to rotate the KES so it is expired. i tried to rotate it afterwards but the expiration date remains the previous one. i used this procedure that previously always worked:
Is there a different way to restore an expired KES?
another question …can i retire the node despite the expired KES ?
thanks in advance
Correct me if I’m wrong but isn’t generating pools and retiring pools done on the blockchain? Why do you need a working producer node? (I never retired a pool myself)
Afaik you simply need a node in sync to submit your retirement ceritificate to. For this you wouldn’t require an operating certificate. I’m on thin ice here 
hi hanswurst thanks for your reply.
In fact, that’s what I’d like to know. I don’t need the node to be fully working. more than anything, I need to know if I can retire it without making mistakes and thus losing the pool deposit.
Retiring a pool doesn’t require a functional KES key. I have never done it though so I won’t comment about the process.
cat etc/mainnet-shelley-genesis.json | grep KES
“slotsPerKESPeriod”: 129600,
“maxKESEvolutions”: 62,
cardano-cli query tip --mainnet
{
“era”: “Alonzo”,
“syncProgress”: “100.00”,
“hash”: “d95707414f280dd0347c9a67d9ab7bfe1636f4f64bdd66ec8fd7809a678c0c7c”,
“epoch”: 330,
“slot”: 57543605,
“block”: 7083270
}
So last slot was 57543605 which means we are in KES period:
expr 57543605 / 129600
444
So we are in KES period 444.
cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey
You will use this new kes.vkey in the next step.
cardano-cli node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter cold.counter \
--kes-period 444 \
--out-file node.cert
Check that you are using the same names for your corresponding files or change as needed.
Note to future users: You need to change the ‘444’ value for --kes-period to the value you calculated in the steps above.
And while you are at it, chmod them to 0400 to make them read-only as a good standard practice for important files like these that shouldn’t change during normal operations.
7.4d4 thank you!
I will try to generate a new KES key today as described in your procedure. I hope it works!
so its possible to retire a pool with expired kes keys?
im trying to do that right now, i’ve spent a week trying to get the kes keys restored but if i can just retire the pool without it that it would amazing! the nodes are all synced just the bp kes keys is expired
Since https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/part-iv-administration/retiring-your-stake-pool doesn’t say anything about KES keys, it should work.
You need the cold key to sign the deregistration certificate transaction and you need the stake key to collect the returned deposits 1 to 2 epochs later. That’s all.
hi poonasor, did you manage to retire the bp with the expired kes keys?
Hi had this before with changing servers. Is cert counter. U may have to run rotate keys many times in cntools to increment counter. Hope it helps
yes I did - the pool was able to retire, its set to retire next epoch, on ada pools is has a retire banner now so i think everything is all good!
yes i did it too. same result on adapools.
Thanks to all for the valuable help!