Generating Keys for the Block-producing Node

The block-producer node requires you to create 3 keys as defined in the Shelley ledger specs:
  • stake pool cold key (node.cert)
  • stake pool hot key (kes.skey)
  • stake pool VRF key (vrf.skey)
First, make a KES key pair.
block producer node
cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey
KES (key evolving signature) keys are created to secure your stake pool against hackers who might compromise your keys.
On mainnet, you will need to regenerate the KES key every 90 days.
Cold keys must be generated and stored on your air-gapped offline machine. The cold keys are the files stored in $HOME/cold-keys.
Make a directory to store your cold keys
Air-gapped offline machine
mkdir $HOME/cold-keys
pushd $HOME/cold-keys
Make a set of cold keys and create the cold counter file.
air-gapped offline machine
cardano-cli node key-gen \
--cold-verification-key-file node.vkey \
--cold-signing-key-file $HOME/cold-keys/node.skey \
--operational-certificate-issue-counter node.counter
Be sure to back up your all your keys to another secure storage device. Make multiple copies.
Determine the number of slots per KES period from the genesis file.
block producer node
pushd +1
slotsPerKESPeriod=$(cat $NODE_HOME/shelley-genesis.json | jq -r '.slotsPerKESPeriod')
echo slotsPerKESPeriod: ${slotsPerKESPeriod}
Before continuing, your node must be fully synchronized to the blockchain. Otherwise, you won't calculate the latest KES period. Your node is synchronized when the epoch and slot# is equal to that found on a block explorer such as
block producer node
slotNo=$(cardano-cli query tip --mainnet | jq -r '.slot')
echo slotNo: ${slotNo}
Find the kesPeriod by dividing the slot tip number by the slotsPerKESPeriod.
block producer node
kesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))
echo kesPeriod: ${kesPeriod}
echo startKesPeriod: ${startKesPeriod}
With this calculation, you can generate a operational certificate for your pool.
Copy kes.vkey to your cold environment.
Change the <startKesPeriod> value accordingly.
Your stake pool requires an operational certificate to verify that the pool has the authority to run. For more details on operational certificates, see the topic Issuing a New Operational Certificate.
air-gapped offline machine
cardano-cli node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file $HOME/cold-keys/node.skey \
--operational-certificate-issue-counter $HOME/cold-keys/node.counter \
--kes-period <startKesPeriod> \
--out-file node.cert
Copy node.cert to your hot environment.
Make a VRF key pair.
block producer node
cardano-cli node key-gen-VRF \
--verification-key-file vrf.vkey \
--signing-key-file vrf.skey
Update vrf key permissions to read-only. You must also copy vrf.vkey to your cold environment.
chmod 400 vrf.skey
Stop your stake pool by running the following:
block producer node
sudo systemctl stop cardano-node
Update your startup script with the new KES, VRF and Operation Certificate.
block producer node
cat > $NODE_HOME/ << EOF
/usr/local/bin/cardano-node run +RTS -N -A16m -qg -qb -RTS --topology \${TOPOLOGY} --database-path \${DB_PATH} --socket-path \${SOCKET_PATH} --host-addr \${HOSTADDR} --port \${PORT} --config \${CONFIG} --shelley-kes-key \${KES} --shelley-vrf-key \${VRF} --shelley-operational-certificate \${CERT}
To operate a stake pool, you need the KES, VRF key and Operational Certificate. Cold keys generate new operational certificates periodically.
Now start your block producer node.
block producer node
sudo systemctl start cardano-node
# Monitor with gLiveView