Node's operational certificate and KES period (stake pools)
A block-producing node needs a set of keys:
- Cold key pair: This key pair is called "cold" because, ideally, it is created and stored offline, not on a computer that is connected to the internet, let alone on the computer running the node. This key pair allows you to generate a new operational certificate for every KES period.
- KES key pair: Also called the "hot" key, this is the node's operational key, which authenticates who you are. You specify the validity of the KES key using the start time and key period parameters, and the KES key needs to be updated every 90 days.
- VRF key pair: Controls your participation in the slot leader selection process.
- Operational node certificate: Represents the link between the operator's offline key and their operational key. A certificate's job is to check whether or not an operational key is valid, to prevent malicious interference. The certificate identifies the current operational key, and is signed by the offline key.
Before we can create an operational certificate for our stake pool, we need to figure out the start of the KES validity period. From the genesis file we learn that:
cat mainnet-shelley-genesis.json | grep KES
"slotsPerKESPeriod": 129600,
"maxKESEvolutions": 62,
So one period lasts 129600 slots. What slot are we currently in?
cardano-cli shelley query tip --mainnet
{
    "blockNo": 36914,
    "headerHash": "58df595137e71c0fa65edc99add11704b00e5f163475bd804e4bd59c126bfc9b",
    "slotNo": 8520857
}
Look for the slotNo value. In this example we are on slot 8520857. For the current period we have:
expr 8520857 / 129600
65
So in this example the KesPeriod is 65.
Then we issue the operational certificate (node.cert) with:
cardano-cli shelley node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter cold.counter \
--kes-period 65 \
--out-file node.cert
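The period arithmetic above, extended to show when the certificate stops being usable, as an added example that is not part of the original page or of cardano-cli. It assumes a certificate is accepted from its start period up to, but not including, start period + maxKESEvolutions; the helper names (json_int, kes_period, kes_expiry_slot, kes_status) are hypothetical, and the embedded JSON repeats the sample values quoted above.

```shell
#!/bin/sh
# Added example: KES period arithmetic for an operational certificate.
# GENESIS and TIP are constructed from the values quoted on this page,
# embedded here so the script runs offline.
GENESIS='{ "slotsPerKESPeriod": 129600, "maxKESEvolutions": 62 }'
TIP='{ "blockNo": 36914, "slotNo": 8520857 }'

# json_int KEY: print the first integer stored under "KEY" in the JSON on stdin.
json_int() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# kes_period SLOT SLOTS_PER_PERIOD: KES period containing SLOT (integer division).
kes_period() {
    echo $(( $1 / $2 ))
}

# kes_expiry_slot START_PERIOD MAX_EVOLUTIONS SLOTS_PER_PERIOD:
# first slot at which a certificate issued with --kes-period START_PERIOD
# is no longer valid (assumed window: START <= period < START + MAX).
kes_expiry_slot() {
    echo $(( ($1 + $2) * $3 ))
}

# kes_status CUR_SLOT START_PERIOD MAX_EVOLUTIONS SLOTS_PER_PERIOD:
# classify the certificate at CUR_SLOT and report the KES periods left.
kes_status() {
    cur=$(kes_period "$1" "$4")
    if [ "$cur" -lt "$2" ]; then
        echo "not-yet-valid 0"      # start period lies in the future
    elif [ "$cur" -ge $(( $2 + $3 )) ]; then
        echo "expired 0"            # all evolutions used up
    else
        echo "valid $(( $2 + $3 - cur ))"
    fi
}

spp=$(printf '%s\n' "$GENESIS" | json_int slotsPerKESPeriod)
max=$(printf '%s\n' "$GENESIS" | json_int maxKESEvolutions)
slot=$(printf '%s\n' "$TIP" | json_int slotNo)
start=$(kes_period "$slot" "$spp")

echo "use --kes-period $start"
echo "rotate the KES key before slot $(kes_expiry_slot "$start" "$max" "$spp")"
echo "status now: $(kes_status "$slot" "$start" "$max" "$spp")"
```

Passing a start period that is ahead of the current tip yields not-yet-valid, which is the failure to expect when --kes-period is set higher than the period the chain is actually in.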
To learn more on this topic, please check Key Evolving Signature and KES period.