How to rotate pool keys

You have to rotate your pool keys every 90 days on the cardano mainnet. Following steps have to be done at your offline environment:

Create a new pair of kes keys (kes.skey, kes.vkey):

cardano-cli node key-gen-KES

--verification-key-file kes.vkey

--signing-key-file kes.skey

Find the current value of startKesPeriod:

slotsPerKESPeriod=$(cat $NODE_HOME/mainnet-shelley-genesis.json | jq -r '.slotsPerKESPeriod')

slotNo=$(cardano-cli query tip --mainnet | jq -r '.slot')

startKesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))

Generate a new node certification file:

cardano-cli node issue-op-cert

--kes-verification-key-file kes.vkey

--cold-signing-key-file node.skey

--operational-certificate-issue-counter node.counter

--kes-period  ${startKesPeriod}

--out-file node.cert

Copy the new gererated node certification (node.cert) and KES signing key (kes.skey) over to your producer node and restart cardano-node service:

sudo systemctl restart cardano_node.service