Generate your stake pool keys

WARNING:

Basic core node firewall configuration:

  • Make sure you can only login with SSH Keys, not password.
  • Make sure you cannot login as root
  • Make sure to setup SSH connections in a port different than the default 22
  • Make sure to configure the firewall to only allow connections from your relay nodes by setting up their ip addresses.

Basic relay node firewall configuration:

  • Make sure you can only login with SSH Keys, not password.
  • Make sure you cannot login as root
  • Make sure to setup SSH connections in a port different than the default 22.
  • Make sure you only have the strictly necessary ports opened.
​See Firewall Additional Material

Creating stake pool keys

WARNING: For Mainnet, you may want to use your local machine for this process. Make sure you are not online until you have put your cold keys in a secure storage and deleted the files from your local machine.
The core node needs:
  • Cold Key pair,
  • VRF Key pair,
  • KES Key pair,
  • Operational Certificate
Create a directory to store your keys:
mkdir pool-keys
cd pool-keys

Generate Cold Keys and a Cold_counter:

cardano-cli node key-gen \
--cold-verification-key-file cold.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter-file cold.counter

Generate VRF Key pair

cardano-cli node key-gen-VRF \
--verification-key-file vrf.vkey \
--signing-key-file vrf.skey

Generate the KES Key pair

cardano-cli node key-gen-KES \
--verification-key-file kes.vkey \
--signing-key-file kes.skey

Generate the Operational Certificate

We need to know the slots per KES period, we get it from the genesis file:
cat testnet-shelley-genesis.json | grep KESPeriod
> "slotsPerKESPeriod": 3600,
So one period lasts 3600 slots.
Then we need the current tip of the blockchain:
We can use your relay node to query the tip:
cardano-cli query tip --testnet-magic 1097911063
​
{
"blockNo": 27470,
"headerHash": "bd954e753c1131a6cb7ab3a737ca7f78e2477bea93db54511cedefe8899ebed0",
"slotNo": 656260
}
Look for Tip unSlotNo value. In this example we are on slot 656260. So we have KES period is 182:
expr 656260 / 3600
> 182
NOTE: slotNo and Kes-period will be different when you run this commands. So make sure to calculate them yourself.
To generate the certificate:
cardano-cli node issue-op-cert \
--kes-verification-key-file kes.vkey \
--cold-signing-key-file cold.skey \
--operational-certificate-issue-counter cold.counter \
--kes-period 182 \
--out-file node.cert

Move the cold keys to secure storage

The best place for your cold keys is a SECURE USB or other SECURE EXTERNAL DEVICE, not a computer with internet access.

Copy the cold keys from your server to your local machine and from there to COLD storage.

For example:
scp -i " file.pem" [email protected]:~/poolkeys/cold* /local/directory
​
> Transferred: sent 3220, received 6012 bytes, in 1.2 seconds
Bytes per second: sent 2606.6, received 4866.8
debug1: Exit status 0
Later on we will learn how to register our pool in the blockchain.
QUESTIONS AND FEEDBACK
If you have any questions and suggestions while taking the lessons please feel free to ask in the forum and we will respond as soon as possible.
Copy link
On this page
Creating stake pool keys
Generate Cold Keys and a Cold_counter:
Generate VRF Key pair
Generate the KES Key pair
Generate the Operational Certificate
Move the cold keys to secure storage
Copy the cold keys from your server to your local machine and from there to COLD storage.