I just rotated my KES keys and encountered some strange behavior.
Before doing anything I checked the counter values with cardano-cli query kes-period-info and got the following results:
{
...
"qKesNodeStateOperationalCertificateNumber": 3,
"qKesOnDiskOperationalCertificateNumber": 3,
...
}
Then I used the same counter file as last time to generate a new operational certificate. The counter file showed Next certificate issue number: 4 before and Next certificate issue number: 5 after the generation. That seems correct to me.
After copying the certificate to the block-producer I checked the counter values again and now got the following results:
✓ Operational certificate's KES period is within the correct KES period interval
✗ The operational certificate counter too far ahead of the node protocol state counter in the operational certificate at: node.cert
On disk operational certificate counter: 4
Protocol state counter: 2
{
...
"qKesNodeStateOperationalCertificateNumber": 2,
"qKesOnDiskOperationalCertificateNumber": 4,
...
}
I don’t understand why qKesNodeStateOperationalCertificateNumber decreased to 2 now. Should I generate a new certificate with a lower counter now or is this some kind of bug?