CoinCashew
Spanish
Spanish
  • Home
  • About Us
  • Donations
  • Contributing
    • Contributor Covenant Code of Conduct
    • Style Guide
  • Disclaimer
  • Wallets
    • Guide: Crypto Wallet Tips 101 - Do's and Don'ts
      • Review: Metal Bitcoin Seed Storage by jlopp
  • Coins
    • Ethereum: ETH
      • 🛡️EthPillar: one-liner setup tool and node management TUI
      • 🥩Guide | How to setup a validator for Ethereum staking on mainnet
        • Overview - Manual Installation
        • PART I - INSTALLATION
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Installing execution client
            • Nethermind
            • Besu
            • Geth
            • Erigon
            • Reth
          • Step 4: Installing consensus client
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Step 5: Installing Validator
            • Setting up Validator Keys
            • Installing Validator
              • Lighthouse
              • Lodestar
              • Teku
              • Nimbus
              • Prysm
            • Next Steps
          • Monitoring your validator with Grafana and Prometheus
          • Mobile App Node Monitoring by beaconcha.in
          • Monitoring with Uptime Check by Google Cloud
        • PART II - MAINTENANCE
          • Updating Execution Client
          • Updating Consensus Client
          • Backups Checklist: Critical Staking Node Data
          • Uninstalling Staking Node
          • Finding the longest attestation slot gap
          • Checking my eth validator's sync committee duties
          • Checklist | Confirming a healthy functional ETH staking node
        • PART III - TIPS
          • Voluntary Exiting a Validator
          • Verifying Your Mnemonic Phrase
          • Adding a New Validator to an Existing Setup with Existing Seed Words
          • Switching / Migrating Consensus Client
          • 🛡️Switching / Migrating Execution Client
          • ⚡Using Node as RPC URL endpoint
          • Using All Available LVM Disk Space
          • Reducing Network Bandwidth Usage
          • How to re-sync using checkpoint sync
          • Important Directory Locations
          • Improving Validator Attestation Effectiveness
          • EIP2333 Key Generator by iancoleman.io
          • 😁Geth - Enabling path-based state storage
          • Disk Usage by Execution / Consensus Client
          • Dealing with Storage Issues on the Execution Client
        • Join the Community
        • Credits
        • See Also
        • Changelog
      • ⛓️Guide | How to setup a validator for Ethereum staking on testnet HOLESKY
        • Overview - Manual Installation
        • Step 1: Prerequisites
        • Step 2: Configuring Node
        • Step 3: Installing execution client
          • Nethermind
          • Besu
          • Geth
          • Erigon
          • Reth
        • Step 4: Installing consensus client
          • Lighthouse
          • Lodestar
          • Teku
          • Nimbus
          • Prysm
        • Step 5: Installing Validator
          • Setting up Validator Keys
          • Installing Validator
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Next Steps
        • Maintenance
          • Updating Execution Client
          • Updating Consensus Client
          • Backups Checklist: Critical Staking Node Data
          • Uninstalling Staking Node
      • 💰Guide | MEV-boost for Ethereum Staking
        • MEV Relay List
      • 🔎Guide | Recover Ethereum Validator Mnemonic Seed
      • 🦉Update Withdrawal Keys for Ethereum Validator (BLS to Execution Change or 0x00 to 0x01) with ETHDO
      • 📜Archived Guides
        • Guide Version 1 | How to setup a validator for Ethereum staking on MAINNET
          • PART I - INSTALLATION
            • Step 1: Prerequisites
            • Step 2: Configuring Node
            • Step 3: Setting up Validator Keys
            • Step 4: Installing execution client
            • Step 5: Installing consensus client
            • Monitoring your validator with Grafana and Prometheus
            • Mobile App Node Monitoring by beaconcha.in
            • Security Best Practices for your ETH staking validator node
            • Synchronizing time with Chrony
            • Monitoring with Uptime Check by Google Cloud
          • PART II - MAINTENANCE
            • Updating your consensus client
            • Updating your execution client
            • Uninstalling V1 Staking Node
            • Finding the longest attestation slot gap
            • Checking my eth validator's sync committee duties
            • Pruning the execution client to free up disk space
            • Checklist | Confirming a healthy functional ETH staking node
          • PART III - TIPS
            • 🛡️Switching / Migrating Execution Client
            • Voluntary Exiting a Validator
            • Verifying Your Mnemonic Phrase
            • Adding a New Validator to an Existing Setup with Existing Seed Words
            • Switching / Migrating Consensus Client
            • Using All Available LVM Disk Space
            • Reducing Network Bandwidth Usage
            • How to re-sync using checkpoint sync
            • Important Directory Locations
            • Hosting Execution client on a Different Machine
            • Adding or Changing Graffiti flag
            • Improving Validator Attestation Effectiveness
            • EIP2333 Key Generator by iancoleman.io
            • Disk Usage by Execution / Consensus Client
            • Dealing with Storage Issues on the Execution Client
          • Join the Community
          • Credits
          • See Also
          • Changelog
        • Guide Version 1 | How to setup a validator for Ethereum staking on testnet GOERLI
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Setting up Validator Keys
          • Step 4: Installing execution client
          • Step 5: Installing consensus client
        • Guide Version 2 | How to setup a validator for Ethereum staking on testnet GOERLI
          • Step 1: Prerequisites
          • Step 2: Configuring Node
          • Step 3: Installing execution client
            • Nethermind
            • Besu
            • Geth
            • Erigon
          • Step 4: Installing consensus client
            • Lighthouse
            • Lodestar
            • Teku
            • Nimbus
            • Prysm
          • Step 5: Installing Validator
            • Setting up Validator Keys
            • Installing Validator
              • Lighthouse
              • Lodestar
              • Teku
              • Nimbus
              • Prysm
            • Next Steps
          • Maintenance
            • Updating Execution Client
            • Updating Consensus Client
            • Backups Checklist: Critical Staking Node Data
            • Uninstalling Staking Node
        • Guide | Ethereum Staking on Zhejiang Testnet
        • Guide | Besu + Lodestar | Most Viable Diverse Client | Staking Ethereum on Kiln testnet
        • Guide | How to setup a validator for Ethereum staking on Pithos testnet in 10 minutes or less
        • Ethereum Merge Upgrade Checklist for Home Stakers and Validators
        • Guide | Operation Client Diversity: Migrate Prysm to Teku
      • Guide: How to buy ETH
    • Cardano: ADA
      • Guide: How to Set Up a Cardano Stake Pool
        • PART I - INSTALLATION
          • Prerequisites
          • Hardening an Ubuntu Server
          • Setting Up chrony
          • Installing the Glasgow Haskell Compiler and Cabal
          • Compiling Cardano Node
        • PART II - CONFIGURATION
          • Downloading Configuration Files
          • Configuring Legacy Stake Pool Topology
          • Configuring an Air-gapped, Offline Computer
          • Creating Startup Scripts and Services
        • PART III - OPERATION
          • Starting the Nodes
          • Accessing Built-in Help
          • Generating Keys for the Block-producing Node
          • Setting Up Payment and Stake Keys
          • Registering Your Stake Address
          • Registering Your Stake Pool
          • Verifying Stake Pool Operation
          • Configuring Legacy Network Topology
          • Setting Up Dashboards
          • Configuring Slot Leader Calculations
          • Securing Your Stake Pool Using a Hardware Wallet
        • PART IV - ADMINISTRATION & MAINTENANCE
          • Checking Stake Pool Rewards
          • Claiming Stake Pool Rewards
          • Delegating to a Stake Pool
          • Issuing a New Operational Certificate
          • Updating Stake Pool Information
          • Upgrading a Node
          • Retiring Your Stake Pool
          • Auditing Your nodes configuration
          • KES Key Rotation / Operational Certificate Companion Script
        • PART V - TIPS
          • Submitting a Simple Transaction
          • Transferring Files Using SSH
          • Updating Configuration Files
          • Enabling Peer-to-peer Network Topology
          • Uploading Pool Metadata to GitHub Pages
          • Obtaining a PoolTool API Key
          • Configuring Glasgow Haskell Compiler Runtime System Options
          • Reducing Missed Slot Leader Checks and Improving Cardano Node Performance
          • Increasing Swap File Size
          • Setting Up an External Passive Relay Node
          • Setting Up WireGuard
          • Monitoring Node Security Using OSSEC Server and Slack
          • Resetting an Installation
          • Fixing a Corrupt Blockchain
          • Verifying an ITN Stake Pool
          • Fixing the Mnemonic Staking Balance Bug
        • Appendix A - Best Practices Checklist
        • Appendix B - Cardano Resource Index
        • Telegram Chat Channel
        • See Also
        • Credits
      • Guide: How to buy ADA
      • Guide: How to stake ADA
    • Monero: XMR
      • Guide | How to run your own Monero node
      • Guide: How to mine Monero
      • Create a XMR paper wallet
      • External Reading Material
        • Movie: Monero Means Money
        • Guide: Zero to Monero
        • Book: Mastering Monero
Powered by GitBook
On this page
  • Determining the Counter Value
  • Minting Your First Block
  • Setting the Counter Value
  • Issuing a New Operational Certificate
Edit on GitHub
  1. Coins
  2. Cardano: ADA
  3. Guide: How to Set Up a Cardano Stake Pool
  4. PART IV - ADMINISTRATION & MAINTENANCE

Issuing a New Operational Certificate

Your stake pool requires a valid operational certificate to verify that the pool has the authority to run.

A current KES key pair is required to establish an operational certificate for your stake pool. A KES period indicates the time span when an operational certificate is valid. An operational certificate expires 90 days after the KES period defined in the operational certificate. You must generate a new KES key pair and operational certificate every 90 days, or sooner, for your stake pool to mint blocks.

The private KES key is required to start the block producing node for your stake pool. The public KES key is not sensitive.

Issuing an operational certificate also uses a counter that increments by exactly one (1) for each unique operational certificate that a stake pool uses to mint blocks. In a valid operational certificate, the counter value that you use to issue the operational certificate must be consistent with the current counter value for your stake pool registered on the Cardano blockchain by the protocol.

A Companion Script that can help you with rotating KES keys and issuing a new Operational Certificate is available [here](kes-rotate-companion-script.md)

Determining the Counter Value

To retrieve the current counter value for your stake pool registered by the blockchain protocol:

  • In a terminal window on your block producer node, type:

cd $NODE_HOME
cardano-cli query kes-period-info \
    --${NODE_CONFIG} \
    --op-cert-file node.cert

The cardano-cli query kes-period-info command returns output similar to:

✓ Operational certificate's KES period is within the correct KES period interval
✓ The operational certificate counter agrees with the node protocol state counter
{
    "qKesCurrentKesPeriod": 15,
    "qKesEndKesInterval": 18,
    "qKesKesKeyExpiry": null,
    "qKesMaxKESEvolutions": 6,
    "qKesNodeStateOperationalCertificateNumber": 3,
    "qKesOnDiskOperationalCertificateNumber": 3,
    "qKesRemainingSlotsInKesPeriod": 690,
    "qKesSlotsPerKesPeriod": 300,
    "qKesStartKesInterval": 12
}

The value of the qKesNodeStateOperationalCertificateNumber key indicates the current counter value for your stake pool registered by the blockchain protocol. The value of the qKesOnDiskOperationalCertificateNumber key indicates the counter value of the current operational certificate that your stake pool uses.

For a new operational certificate, the counter value must be exactly one (1) greater than the current value of the qKesNodeStateOperationalCertificateNumber key.

If qKesOnDiskOperationalCertificateNumber is more than one (1) greater than qKesNodeStateOperationalCertificateNumber then the operational certificate is invalid. Your stake pool cannot mint blocks using an invalid operational certificate.

Minting Your First Block

When your stake pool has minted zero (0) blocks, then no value for qKesNodeStateOperationalCertificateNumber is registered by the blockchain protocol. Therefore, retrieving the current counter value for your stake pool returns the value null for the qKesNodeStateOperationalCertificateNumber key.

After a stake pool mints a block for the first time, then retrieving the current counter value returns the value zero (0) for the qKesNodeStateOperationalCertificateNumber key.

Therefore, when your stake pool has minted zero (0) blocks, then you MUST set the value zero (0) for the qKesOnDiskOperationalCertificateNumber key so that your stake pool creates a block successfully when elected to mint a block for the first time.

Setting the Counter Value

When you issue a new operational certificate, a node.counter file sets the counter value for the new certificate.

When you run the cardano-cli query kes-period-info command on your block producer node, if the value of the qKesOnDiskOperationalCertificateNumber key equals the value of the qKesNodeStateOperationalCertificateNumber key, then your stake pool minted at least one block using the current operational certificate and you do not need to set the counter value manually.

If the value of the qKesOnDiskOperationalCertificateNumber key is greater than the value of the qKesNodeStateOperationalCertificateNumber key, then prior to issuing a new operational certificate you need to set the counter value using the following procedure.

To set the counter value for issuing a new operational certificate:

  1. To create a new node.counter file having the required counter value, type the following command in a terminal window on your air-gapped, offline computer where <NodeCertificateNumber> is the current value of the qKesNodeStateOperationalCertificateNumber key for your stake pool:

cd $HOME/cold-keys
cardano-cli node new-counter \
    --cold-verification-key-file $HOME/cold-keys/node.vkey \
    --counter-value $(( <NodeCertificateNumber> + 1 )) \
    --operational-certificate-issue-counter-file node.counter

If the current value of the qKesNodeStateOperationalCertificateNumber key for your stake pool is null, then set the --counter-value option to zero (0)

  1. To display the contents of the node.counter file that you created in step 1, type:

cat $HOME/cold-keys/node.counter

When you generate a new node.counter file, the value of the description key is empty until you issue a new operational certificate.

Issuing a New Operational Certificate

To issue a new operational certificate:

  1. In a terminal window on your block producer node, type the following commands to generate a new KES key pair:

cd $NODE_HOME
cardano-cli node key-gen-KES \
    --verification-key-file kes.vkey \
    --signing-key-file kes.skey

  1. Copy the kes.vkey file that you generated in step 1 to your air-gapped, offline computer.

  2. To issue a new operational certificate, you must set a starting KES period. To calculate the starting KES period for your new operational certificate, type the following commands in a terminal window on your block producer node:

cd $NODE_HOME
# Query the current slot height of the blockchain, and then
# retrieve the value of the slot key in the results
slotNo=$(cardano-cli query tip --mainnet | jq -r '.slot')
# Retrieve the number of slots per KES period from the key named slotsPerKESPeriod 
# in the Shelley Genesis JSON configuration file that your stake pool uses
slotsPerKESPeriod=$(cat $NODE_HOME/shelley-genesis.json | jq -r '.slotsPerKESPeriod')
# To calculate the current KES period, divide the current slot height by
# the number of slots per KES period
kesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))
StartingKESPeriod=${kesPeriod}
echo StartingKESPEriod: ${StartingKESPeriod}

  1. To issue a new operational certificate, type the following command in a terminal window on your air-gapped, offline computer where <KESvkeyFile> is the path to the kes.vkey file that you copied in step 2 and <StartingKESPeriod> is the starting KES period that you calculated in step 3:

cd $NODE_HOME
chmod u+rwx $HOME/cold-keys
cardano-cli node issue-op-cert \
    --kes-verification-key-file <KESvkeyFile> \
    --cold-signing-key-file $HOME/cold-keys/node.skey \
    --operational-certificate-issue-counter $HOME/cold-keys/node.counter \
    --kes-period <StartingKESPeriod> \
    --out-file node.cert
chmod a-rwx $HOME/cold-keys

Issuing a new operational certificate increments the value of the node.counter file by one (1) To display the contents of the node.counter file, type cat $HOME/cold-keys/node.counter

  1. Copy the node.cert file that you created in step 4 to replace the current node.cert file on your block producer node.

  2. To restart your block producer node, type:

sudo systemctl restart cardano-node

  1. To verify the operational certificate that you issued in step 4, wait until your block producer node starts, and then type:

cd $NODE_HOME
cardano-cli query kes-period-info \
    --${NODE_CONFIG} \
    --op-cert-file node.cert

In the results of the cardano-cli query kes-period-info command, prior to your stake pool minting a block using the operational certificate that you issued in step 4, in a valid operational certificate the value of the qKesOnDiskOperationalCertificateNumber key is greater than the value of the qKesNodeStateOperationalCertificateNumber key by exactly one (1) The first time your stake pool mints a block using the operational certificate that you issued in step 4, the value of the qKesNodeStateOperationalCertificateNumber increments by one (1) to equal the value of the qKesOnDiskOperationalCertificateNumber key.

  1. In a secure location, create backup copies of the KES key files that you generated in step 1; the current node.counter file for your stake pool; and, the node.cert file that you generated in step 4

PreviousDelegating to a Stake PoolNextUpdating Stake Pool Information

If you follow the Coin Cashew instructions, then you created a node.counter file when

If you want to support this free educational Cardano content or found the content helpful, visit to find our donation addresses. Much appreciated in advance.

Technical writing by

Generating Keys for the Block-producing Node
🙏
cointr.ee
📒
Change Pool (ticker CHG)