A block producing node needs a set of various keys:
- Cold key pair: This key pair is called "cold", because ideally, it will be created and stored offline, not on a computer that is connected to the internet, let alone on the computer running the node. This set of keys allows you to generate the new operation certificate for every KES Period.
- KES key pair: Also called "hot" key, is a node operational key that authenticates who you are. You specify the validity of the KES key using the start time and key period parameters and this KES key needs to be updated every 90 days.
- VRF key pair and: Controls your participation in the slot leader selection process.
- Operational node certificate: Represent the link between the operator's offline key and their operational key. A certificate's job is to check whether or not an operational key is valid, to prevent malicious interference. The certificate identifies the current operational key, and is signed by the offline key.
Before we can create an operational certificate for our stake pool, you need to figure out start of the KES validity period. From the genesis file we learn that:
cat mainnet-shelley-genesis.json | grep KESPeriod
Then, query the tip of the blockchain, for example:
cardano-cli shelley query tip --mainnet
Look for slot number, then divide:
expr 700334 / 129600
Therefore, in the example KESPeriod = 5
Then we issue the operational certificate (node.cert) with:
cardano-cli shelley node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter cold.counter \
--kes-period 5 \
To learn more on this topic, please check Key Evolving Signature and KES period