KES key expired

Hello to all, I have a block producer node that I would like to retire. I forgot to rotate the KES so it is expired. I tried to rotate it afterwards but the expiration date remains the previous one. I used this procedure that previously always worked:

Is there a different way to restore an expired KES?

Another question… can I retire the node despite the expired KES?

Thanks in advance

Correct me if I’m wrong but isn’t generating pools and retiring pools done on the blockchain? Why do you need a working producer node? (I never retired a pool myself)

Afaik you simply need a node in sync to submit your retirement certificate to. For this you wouldn’t require an operating certificate. I’m on thin ice here :wink:


Hi hanswurst, thanks for your reply.
In fact, that’s what I’d like to know. I don’t need the node to be fully working. More than anything, I need to know if I can retire it without making mistakes and thus losing the pool deposit.

Retiring a pool doesn’t require a functional KES key. I have never done it though so I won’t comment about the process.

However if you want to “restore” your KES keys, or rather generate new ones, here are the steps:

  1. Look in genesis file for ‘KES’
cat etc/mainnet-shelley-genesis.json | grep KES

"slotsPerKESPeriod": 129600,
"maxKESEvolutions": 62,

  2. Determine start of KES validity period (ie: which KES evolution period we are in)
cardano-cli query tip --mainnet

"era": "Alonzo",
"syncProgress": "100.00",
"hash": "d95707414f280dd0347c9a67d9ab7bfe1636f4f64bdd66ec8fd7809a678c0c7c",
"epoch": 330,
"slot": 57543605,
"block": 7083270

So last slot was 57543605 which means we are in KES period:

expr 57543605 / 129600


So we are in KES period 444.

Now, on air-gapped machine with copy of cold.key and cold.counter

  3. Create new KES key pair
cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey

You will use this new kes.vkey in the next step.

  4. Regenerate node certificate
cardano-cli node issue-op-cert \
  --kes-verification-key-file kes.vkey \
  --cold-signing-key-file cold.skey \
  --operational-certificate-issue-counter cold.counter \
  --kes-period 444 \
  --out-file node.cert

Check that you are using the same names for your corresponding files or change as needed.

Note to future users: You need to change the ‘444’ value for --kes-period to the value you calculated in the steps above.

  5. Copy the following files to block producer and restart
  • kes.skey
  • kes.vkey
  • node.cert

And while you are at it, chmod them to 0400 to make them read-only as a good standard practice for important files like these that shouldn’t change during normal operations.

1 Like
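Added example, not part of any post in this thread: a shell sketch of the KES period arithmetic from the steps above, extended to report whether an operational certificate issued with a given --kes-period is still usable. It assumes a certificate is valid from its start period for maxKESEvolutions periods; the function names and the start periods 380 and 445 are constructed for illustration, while the genesis and tip values are the ones quoted in the post.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, not part of cardano-cli.

# Pull one integer field out of JSON text. Only suitable for simple
# "key": number fields like the ones used here; jq is the usual tool.
json_int() {  # json_int <key> <json-text>
    printf '%s\n' "$2" |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" |
        head -n 1
}

# Current KES period = tip slot / slotsPerKESPeriod (integer division).
kes_period() {  # kes_period <slot> <slotsPerKESPeriod>
    echo $(( $1 / $2 ))
}

# State of an op cert issued with --kes-period <start>.
# Assumption: usable while start <= current period < start + maxKESEvolutions.
kes_status() {  # kes_status <start> <slot> <slotsPerKESPeriod> <maxKESEvolutions>
    current=$(( $2 / $3 ))
    expiry=$(( $1 + $4 ))   # first period in which the key no longer works
    if [ "$1" -gt "$current" ]; then
        echo "not-yet-valid starts_in_slots=$(( $1 * $3 - $2 ))"
    elif [ "$current" -ge "$expiry" ]; then
        echo "expired periods_ago=$(( current - expiry ))"
    else
        echo "valid periods_left=$(( expiry - current )) slots_left=$(( expiry * $3 - $2 ))"
    fi
}

# Values quoted in the post (genesis file and `cardano-cli query tip`).
GENESIS='{ "slotsPerKESPeriod": 129600, "maxKESEvolutions": 62 }'
TIP='{ "epoch": 330, "slot": 57543605, "block": 7083270 }'

SPP=$(json_int slotsPerKESPeriod "$GENESIS")
MAXEV=$(json_int maxKESEvolutions "$GENESIS")
SLOT=$(json_int slot "$TIP")

echo "current KES period:   $(kes_period "$SLOT" "$SPP")"
echo "cert from period 444: $(kes_status 444 "$SLOT" "$SPP" "$MAXEV")"
echo "cert from period 380: $(kes_status 380 "$SLOT" "$SPP" "$MAXEV")"  # constructed
echo "cert from period 445: $(kes_status 445 "$SLOT" "$SPP" "$MAXEV")"  # constructed
```

On a live node, replace GENESIS and TIP with the contents of the genesis file and the output of `cardano-cli query tip --mainnet`.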

7.4d4 thank you!
I will try to generate a new KES key today as described in your procedure. I hope it works!

1 Like

So it’s possible to retire a pool with expired KES keys?

I’m trying to do that right now. I’ve spent a week trying to get the KES keys restored, but if I can just retire the pool without it that would be amazing! The nodes are all synced, just the BP KES key is expired.

1 Like

Since doesn’t say anything about KES keys, it should work.

You need the cold key to sign the deregistration certificate transaction and you need the stake key to collect the returned deposits 1 to 2 epochs later. That’s all.


Hi poonasor, did you manage to retire the BP with the expired KES keys?

Hi, had this before with changing servers. It’s the cert counter. You may have to run rotate keys many times in cntools to increment the counter. Hope it helps.

1 Like

Yes I did - the pool was able to retire, it’s set to retire next epoch, on ada pools it has a retire banner now so I think everything is all good!

1 Like

Yes, I did it too. Same result on adapools.
Thanks to all for the valuable help!