KES keys rotation - Is it necessary to generate new KES keys?

I am confused about KES key rotation now. In past rotations, I have created new KES keys with:

cardano-cli node key-gen-KES \
  --verification-key-file kes.vkey \
  --signing-key-file kes.skey

And then done the rest of the steps in the IOHK reference document to create a new certificate:

This document says: “… the node operator has to generate a new KES key pair, issue a new operational node certificate with that new key pair …”

However, the command sequence in this reference document doesn’t actually list the creation of new KES keys.

Also, other answers seem to skip creating new KES keys. Eg:

So what is the proper sequence to rotate KES keys?

Is the missing ‘key-gen-KES’ command just an oversight in the IOHK document?


Follow the step 18.1 from coincashew guide




So you do need to do:

cardano-cli node key-gen-KES \
  --verification-key-file kes.vkey \
  --signing-key-file kes.skey

Yes, you will generate new KES files + new node.cert

@Alexd1985 I really appreciate how much effort you put in to help others and so fast with your replies. Do you ever sleep?

1 Like

:)) yes, actually I sleep 6-8 hours, now playing with my son :)) busy life

You’re welcome :beers:


When you cycle your node.cert. do I also need to upload the kes.skey to the priv/pool/[id]. folder?