
Creating keys and operational certificates

About the stake pool operator keys

It is the responsibility of the operator to manage both the hot (online) and cold (offline) keys for the pool. Cold keys must be kept secure and should not reside on a device that has internet connectivity. It is recommended that you have multiple backups of your cold keys.

The keys that you need as a stake pool operator are:

  • stake pool cold key
  • stake pool hot key (KES key)
  • stake pool VRF key

The KES key, or hot key as mentioned above, is a node operational key that authenticates who you are. You specify the validity of the KES key using the start time and key period parameters, and the KES key needs to be updated every 90 days. The VRF key is a signing verification key and is stored within the operational certificate.

Instructions to create and manage stake pool operation keys

Creating an operational certificate and registering a stake pool

Stake pool operators must provide an operational certificate to verify that the pool has the authority to run. The certificate includes the operator’s signature and important information about the pool (addresses, keys, etc.).

Operational certificates represent the link between the operator’s offline key and their operational key. A certificate’s job is to check whether or not an operational key is valid, to prevent malicious interference. The certificate identifies the current operational key, and is signed by the offline key.

Certificates are generated with an issue counter number and are included in the header of each block the node generates. Note that with the Vasil hard fork, an operator would need to create an operational certificate using cold.counter +1. This means that the issue counter of the new OpCert must be exactly one more than that of the previously used one.

Certificates include a kes-period (start date), which indicates the time span within which the certificate is valid before you need to create another one.

Certificates are generated on the offline machine using the offline/cold keys, before being copied over to the node to validate the KES keys used to sign the blocks.
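
The kes-period and issue counter rules above can be checked before a new certificate leaves the offline machine. The following is an added example, not code from the original page or from the Cardano project; the two genesis parameters are assumed mainnet Shelley values, and the function names and sample numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before issuing an operational certificate.
# Assumed values (not from the page): mainnet Shelley genesis parameters.
# Read slotsPerKESPeriod and maxKESEvolutions from your own genesis file.
SLOTS_PER_KES_PERIOD=129600   # slots in one KES period
MAX_KES_EVOLUTIONS=62         # number of periods one KES key stays valid

# KES period containing a given slot; this is the value given as --kes-period.
kes_period_for_slot() {
    echo $(( $1 / SLOTS_PER_KES_PERIOD ))
}

# First slot at which a certificate starting in period $1 is no longer valid.
opcert_expiry_slot() {
    echo $(( ($1 + MAX_KES_EVOLUTIONS) * SLOTS_PER_KES_PERIOD ))
}

# opcert_preflight TIP_SLOT START_PERIOD LAST_USED_COUNTER NEW_COUNTER
# Prints a verdict; returns 0 only if the certificate is usable right now.
opcert_preflight() {
    tip=$1; start=$2; last=$3; new=$4
    current=$(kes_period_for_slot "$tip")
    expiry=$(opcert_expiry_slot "$start")
    # Counter rule: exactly one more than the previously used certificate.
    if [ "$new" -ne $(( last + 1 )) ]; then
        echo "REJECT: counter $new, expected $(( last + 1 ))"; return 1
    fi
    # A start period in the future is not valid yet.
    if [ "$start" -gt "$current" ]; then
        echo "REJECT: start period $start is after current period $current"; return 1
    fi
    # Past the validity window the KES key must be rotated.
    if [ "$tip" -ge "$expiry" ]; then
        echo "REJECT: KES key expired at slot $expiry"; return 1
    fi
    left=$(( start + MAX_KES_EVOLUTIONS - current ))
    echo "OK: $left KES periods left, rotate before slot $expiry"
}

# Constructed sample values, not real chain data.
opcert_preflight 130000000 1003 7 8 || true
```
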

Instructions to work with operational certificates

After creating a KES key pair, you can proceed with registering your stake pool with metadata, registering relay nodes on-chain, and generating a stake pool registration certificate. For a step-by-step tutorial, see: