gitmachtl / scripts

StakePool Operator Scripts. Learn how to create and manage your StakePool / manage your DRep stuff / do Governance Actions with these simple scripts. Hardware-Ledger/Trezor Support, Token/Asset Sending, Offline-Mode and much more...
MIT License

How to rotate KES Key in offline mode ? #47

Closed ids4ucmoi closed 1 year ago

ids4ucmoi commented 1 year ago

Hi, to rotate the KES key and Opcert, there are the 04c and 04d scripts. However I have an offline machine which contains my BP node keys. Is it possible to rotate the KES key and Opcert on the offline machine? If so I do not understand how the scripts can get the "online" required info to do that? I could run the 01 script on the online machine but with which arguments for a KEY rotation objective? (there is no payment to do)

Can you help ?

Thanks

gitmachtl commented 1 year ago

hi, yes sure the rotation of the key/opcert can be done on the offline machine. you only need a working cardano-cli binary for that and the machine must be time-synced.

there is no online data needed to do so. this data is only needed if you wanna do an online check against the right opcert-counter number. on an offline machine you can provide this information as an extra parameter with the script call, otherwise it will simply take the file that is already there and increase the counter by one. you can check also via cexplorer for example, look at your blocks and there you will find the latest opcert count number.

it's possible to do the check online with the scripts, you can do that on an online machine with script 04e and do the check just via the poolid.

for the new kes key run: ./04c_genKESKeys.sh poolname cli on the machine.

for the opcert renewal run: ./04d_genNodeOpCert.sh <NodePoolName> (Optional: newOpCertCounterValue) on the machine. and the newOpCertCounterValue can be given as a second optional parameter if you're not sure that the current opcert file is your latest one.

if it's a very small pool, and you have to rotate the opcert and you did not make a block in the last period, then please generate a new opcert but reuse the same OpCertCounterValue. it's only allowed to increase the counter by one after a block was made.

for a check on the local file or the online version, you can use the script ./04e_checkNodeOpCert.sh if you like.

ids4ucmoi commented 1 year ago

Ok. I tried running both scripts on the airgap machine. I first set manually the date and time to the current date and time. However the 04d script creates an opcert with a current KES period of 499 (which is wrong, the current KES period is 742). I'm lost here on what to do to correct this?

Here is the output of the 04e script on the online BP node:

hugues@cardano-stakepool:~/production$ 04e_checkNodeOpCert.sh myPool.node.opcert current

Version-Info: cli 8.1.1 / node 8.1.1 Scripts-Mode: online Mainnet

Checking OpCertFile myPool.node.opcert for the correct OpCertCounter and KES-Interval:

Current EPOCH: 420

KES-Interval Check: OK, within range

Current KES Period: 742

File KES start Period: 697 File KES expiry Period: 759 File KES expires in: 24 days 22:16:20

OpCertCounter Check - CURRENTLY used: OK, current File Counter matches the onChain one.

Latest OnChain Counter: 0 File Counter is: 0 Next Counter should be: 1

ids4ucmoi commented 1 year ago

Ignore my previous post. Date and time was still incorrect on the airgap, therefore the KES period was wrong. So I'm gonna bring the two files over to the BP node and check that it works with 04e now

gitmachtl commented 1 year ago

Sounds good 👍

ids4ucmoi commented 1 year ago

I confirm it is ok now. Last noob question: now that I have extracted (01_workOffline.sh extract...) both KES and opcert files onto the BP node, can I simply rename them to match the previous two files and do a systemctl restart cardano.service?

gitmachtl commented 1 year ago

Yes sure, the 01_workOffline.sh method is just a simple method to bring over some files. Would also be possible to simply copy them file by file. After it's extracted you can rename it how you like of course.

ids4ucmoi commented 1 year ago

Ok, thanks very much for your help! Ticket solved and closed.

ids4ucmoi commented 1 year ago

Hello,

Still another potential issue.

After running the 04e script I get the following: @.***:~/production$ 04e_checkNodeOpCert.sh myPool.node.opcert  current

Version-Info: cli 8.1.1 / node 8.1.1            Scripts-Mode: online            Mainnet

Checking OpCertFile myPool.node.opcert for the correct OpCertCounter and KES-Interval:

Current EPOCH: 420

KES-Interval Check: OK, within range

    Current KES Period: 742 File KES start Period: 742 File KES expiry Period: 804    File KES expires in: 92 days 09:33:12

OpCertCounter Check - CURRENTLY used: FALSE, OnChain Counter NOT equal to File Counter

Latest OnChain Counter: 0        File Counter is: 1

So is this an issue or should I start over and set the counter back to 0 instead of 1?

Thanks

gitmachtl commented 1 year ago

Hi, no this is not an issue. Because the node can only check against a correct new online version once another block was made with that version. Your last used opcert counter on chain was 0, so the new one should be 1. You've generated that with 1. If you run the script 04e with the flag "next" like "counter for next block" instead of "current" you will get a green light.

At the moment, the new opcert counter/cert only exists on your block producer hard disk. The chain does not know about it until you've made at least one new block.

ids4ucmoi commented 1 year ago

Indeed with next it is all green. But to be sure I understand how this blockchain works, I have now restarted my BP node with the new Opcert #1 and the new KES key. Is this fine for the BP to mint blocks or will it fail because it expects opcert #0 instead to match what is currently on the blockchain?

gitmachtl commented 1 year ago

You have made a block in the past right? Can you tell me your Ticker?

If you have made a block in the past with opCertCounter=0, you update it now to opCertCounter=1 together with the KES-Key renewal. So the next block that your BP will make, will be with opCertCounter=1.

ids4ucmoi commented 1 year ago

Ok I understand. Ticker is IDS4U. The current opcert counter in adapools is 0 on my last produced block. So I understand my next produced block will use this new opcert certificate with counter=1 and Adapools will update this info then.

gitmachtl commented 1 year ago

Yes, you've made blocks in the past with counter=0, now you have updated the certificate on your BP. Next blocks will be made with counter=1. All correct. 👍
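The two checks that 04e prints in this thread (KES interval and opcert counter, in "current" and "next" mode) and the counter rule from the answers above, reproduced as an added Python example that is not part of the gitmachtl/scripts repository. It assumes the Cardano mainnet constants in the header (129600 slots per KES period, 62 evolutions, Shelley start at slot 4492800 on 2020-07-29 21:44:51 UTC); the slot values in the test are reconstructed from the output in the thread.

```python
from datetime import datetime, timezone

# Cardano mainnet constants (assumed from the Shelley genesis; change for testnets)
SLOTS_PER_KES_PERIOD = 129600      # 1.5 days of 1-second slots
MAX_KES_EVOLUTIONS = 62            # an opcert is valid for 62 KES periods
SHELLEY_START_SLOT = 4492800       # first Shelley-era slot on mainnet
SHELLEY_START_TIME = datetime(2020, 7, 29, 21, 44, 51, tzinfo=timezone.utc)


def slot_from_time(now):
    """Wall-clock -> mainnet slot. A wrong clock on the airgap box gives a
    wrong slot and therefore a wrong KES period in the generated opcert."""
    return SHELLEY_START_SLOT + int((now - SHELLEY_START_TIME).total_seconds())


def kes_period(slot):
    return slot // SLOTS_PER_KES_PERIOD


def check_opcert(current_slot, file_start_period, file_counter, onchain_counter, mode="current"):
    """Same two checks 04e reports.
    mode="current": file counter must equal the counter last seen on chain.
    mode="next":    file counter must be on-chain counter + 1, i.e. a freshly
                    rotated cert that has not minted a block yet."""
    cur = kes_period(current_slot)
    expiry = file_start_period + MAX_KES_EVOLUTIONS
    in_range = file_start_period <= cur < expiry
    secs_left = max(0, expiry * SLOTS_PER_KES_PERIOD - current_slot)
    days, rem = divmod(secs_left, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    expected = onchain_counter if mode == "current" else onchain_counter + 1
    return {
        "current_period": cur,
        "expiry_period": expiry,
        "kes_in_range": in_range,
        "expires_in": f"{days} days {h:02d}:{m:02d}:{s:02d}",
        "counter_ok": file_counter == expected,
    }


def counter_for_new_opcert(file_counter, onchain_counter):
    """Counter to put in a regenerated opcert: bump by one only if the current
    cert already produced a block; if it never minted (file is one ahead of the
    chain), reuse the same value."""
    if file_counter == onchain_counter:
        return onchain_counter + 1
    if file_counter == onchain_counter + 1:
        return file_counter
    raise ValueError("file counter out of step with the chain; verify with 04e or an explorer")
```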