7.4d4
22 January 2022 08:02
1
I am confused about KES key rotation now. In past rotations, I have created new KES keys with:
cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey
And then done the rest of the steps in the IOHK reference document to create a new certificate:
# Key Evolving Signature and KES period
To create an operational certificate for a block-producing node, you need a _KES key pair_.
Here "KES" stands for _**K**ey **E**volving **S**ignature_, which means that after a certain _period_, the key will _evolve_ to a new key
and discard its old version. This is useful, because it means that even if an attacker compromises the key and gets access to the signing key,
he can only use that to sign blocks _from now on_, but not blocks dating from _earlier periods_, making it impossible for the attacker to rewrite history.
A KES key can only evolve for a certain number of periods and becomes useless afterwards.
This means that before that number of periods has passed, the node operator has to generate a new KES key pair, issue a new operational node certificate with that new key pair and restart the node with the new certificate.
To find out how long one period is and for how long a key can evolve, we can look into the _genesis file_. If that file is called `mainnet-shelley-genesis.json`,
we can type
cat mainnet-shelley-genesis.json | grep KES
"slotsPerKESPeriod": 129600,
"maxKESEvolutions": 62,
In this example, the key will evolve after each period of 129600 slots, and it can evolve 62 times before it needs to be renewed.
This document says: “… the node operator has to generate a new KES key pair, issue a new operational node certificate with that new key pair …”
However, the command sequence in this reference document doesn’t actually list the creation of new KES keys.
Also, other answers seem to skip creating new KES keys. Eg:
stake-pool
So what is the proper sequence to rotate KES keys?
Is the missing ‘key-gen-KES’ command just an oversight in the IOHK document?
Hi,
Follow the step 18.1 from coincashew guide
Cheers,
3 Likes
7.4d4
22 January 2022 08:30
3
Thanks.
So you do need to do:
cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey
Yes, you will generate new KES files + new node.cert
7.4d4
22 January 2022 08:33
5
@Alexd1985 I really appreciate how much effort you put in to help others and so fast with your replies. Do you ever sleep?
3 Likes
:)) yes, actually I sleep 6-8 hours, now playing with my son :)) busy life
You’re welcome
6 Likes
When you cycle your node.cert, do I also need to upload the kes.skey to the priv/pool/[id] folder?
I think not, can’t tell u for sure… but what u need to check is the next certificate incremental number inside node.counter / cold.counter… it should be higher than the last one used
Cheers,
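To tie the thread together, here is an added rotation-planner script (not from the forum, the coincashew guide or the IOHK document). It uses the genesis values quoted above (129600 slots per KES period, 62 evolutions) to work out the current KES period and how many periods a certificate has left, checks that the counter to be used is strictly higher than the last one used (the point made in the last reply), and then prints the key-gen-KES plus issue-op-cert sequence rather than running it, so it can be reviewed before use. The tip slot, the start period of the current certificate and the counter values are constructed sample inputs; the issue-op-cert flag names are the ones used by cardano-cli around the time of this thread and should be checked against `cardano-cli node issue-op-cert --help` for your version.

```shell
#!/bin/sh
# Added example: KES rotation planner. Not the thread's own commands.
# Genesis values taken from the quoted document (mainnet).
SLOTS_PER_KES_PERIOD=129600
MAX_KES_EVOLUTIONS=62

# Current KES period for a tip slot: integer division of slot by period length.
kes_period() {
    echo $(( $1 / SLOTS_PER_KES_PERIOD ))
}

# Period at which a certificate issued with start period $1 stops being valid.
kes_expiry_period() {
    echo $(( $1 + MAX_KES_EVOLUTIONS ))
}

# Periods left on a certificate: $1 = start period of current cert, $2 = tip slot.
# Zero or negative means the node can no longer sign blocks with that cert.
kes_periods_left() {
    echo $(( $1 + MAX_KES_EVOLUTIONS - $2 / SLOTS_PER_KES_PERIOD ))
}

# True (exit 0) when the periods left are at or below the warning threshold $3.
kes_rotation_due() {
    left=$(kes_periods_left "$1" "$2")
    [ "$left" -le "$3" ]
}

# The counter written into the new cert ($1) must be strictly greater than the
# last one used ($2); otherwise the new certificate is rejected.
counter_ok() {
    [ "$1" -gt "$2" ]
}

# Print the rotation sequence for tip slot $1, next counter $2, last counter $3.
# Commands are printed, not executed: run them on the machine holding cold.skey.
kes_rotation_plan() {
    if ! counter_ok "$2" "$3"; then
        echo "refusing: next counter $2 is not higher than last used $3" >&2
        return 1
    fi
    period=$(kes_period "$1")
    cat <<EOF
# new KES pair (overwrites the old one; the old kes.skey can be discarded)
cardano-cli node key-gen-KES --verification-key-file kes.vkey --signing-key-file kes.skey
# new operational certificate bound to the current KES period
cardano-cli node issue-op-cert --kes-verification-key-file kes.vkey --cold-signing-key-file cold.skey --operational-certificate-issue-counter node.counter --kes-period ${period} --out-file node.cert
# then copy kes.skey and node.cert to the block producer and restart it
EOF
}

# Constructed sample run: tip slot 50000000, current cert issued at period 340,
# next counter 5, last used counter 4.
if kes_rotation_due 340 50000000 20; then
    echo "rotation due: $(kes_periods_left 340 50000000) periods left" >&2
    kes_rotation_plan 50000000 5 4
fi
```

The warning threshold is deliberate: with 129600 slots (about 1.5 days) per period, a 20-period margin gives roughly a month's notice, which is enough to schedule the restart rather than discovering an expired certificate from missed blocks.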