Generate Pool Keys
Dingo - Block Production Keys
Section titled “Dingo - Block Production Keys”We will now generate the Pool Keys needed for Block Production on the Preview Network.
| Key | Purpose | Where it lives |
|---|---|---|
| Cold key (cold.skey / cold.vkey) | Authorizes pool registration and KES rotation | Air-gapped machine only — never transferred |
| KES key (kes.skey / kes.vkey) | Signs blocks; rotated every ~90 days | kes.skey - Block producer |
| VRF key (vrf.skey / vrf.vkey) | Proves slot leadership | vrf.skey - Block producer |
| Operational certificate (node.cert) | Binds KES key to cold key for the node | Block producer |
For background on what these keys do, see Cardano Key Pairs.
⚠️ The following guide assumes you have already completed the following 3 steps. If not please do them first and return here when you are done.
- 1. Complete the Quick Start guide.
- 2. Create Start Up Service
- 3. Install Cardano CLI
✅ This guide assumes your files are in the $HOME/dingo folder. Adjust paths below if necessary.
Step 1 - Generate KES key pair
Section titled “Step 1 - Generate KES key pair”cd ~/dingocardano-cli conway node key-gen-KES \--verification-key-file kes.vkey \--signing-key-file kes.skeyStep 2 - Make a directory to store your cold keys
Section titled “Step 2 - Make a directory to store your cold keys”⚠️ On Air Gapped
mkdir $HOME/dingo/cold-keyspushd $HOME/dingo/cold-keysStep 3 - Generate set of cold keys and create the cold counter file
Section titled “Step 3 - Generate set of cold keys and create the cold counter file”⚠️ On Air Gapped
cardano-cli conway node key-gen \--cold-verification-key-file node.vkey \--cold-signing-key-file node.skey \--operational-certificate-issue-counter node.counterStep 4 - Find the starting KES period
Section titled “Step 4 - Find the starting KES period”We need the Shelley Genesis json file to run our CLI command
So we will create a directory to store our Cardano configuration files. For this example, the file structure we will create is /config/cardano/preview/ by running the following command in our dingo directory:
cd ~/dingomkdir -p config/cardano/previewNow we will navigate to the config/cardano/preview folder and download the Cardano Shelley Genesis file.
cd config/cardano/previewTo download the Shelley Genesis file run:
wget https://book.play.dev.cardano.org/environments/preview/shelley-genesis.json💡 Tip: Cardano Configuration Files can be found at https://book.play.dev.cardano.org/environments.html
Now we can find the starting KES period by running:
slotNo=$(cardano-cli conway query tip --testnet-magic 2 | jq -r '.slot')slotsPerKESPeriod=$(cat $HOME/dingo/config/cardano/preview/shelley-genesis.json | jq -r '.slotsPerKESPeriod')kesPeriod=$((${slotNo} / ${slotsPerKESPeriod}))startKesPeriod=${kesPeriod}echo startKesPeriod: ${startKesPeriod}📝 WRITE DOWN THIS NUMBER
Step 5 - Generate operational certificate for your pool
Section titled “Step 5 - Generate operational certificate for your pool”✅ Change the
⚠️ On Air Gapped once you have copied kes.vkey to your cold environment.
cd ~/dingocardano-cli conway node issue-op-cert \--kes-verification-key-file kes.vkey \--cold-signing-key-file $HOME/dingo/cold-keys/node.skey \--operational-certificate-issue-counter $HOME/dingo/cold-keys/node.counter \--kes-period <startKesPeriod> \--out-file node.certStep 6 - Copy node.cert to your hot environment
Section titled “Step 6 - Copy node.cert to your hot environment”Copy your node.cert file to your Block Producer.
Step 7 - Generate a VRF key pair
Section titled “Step 7 - Generate a VRF key pair”cd ~/dingocardano-cli conway node key-gen-VRF \--verification-key-file vrf.vkey \--signing-key-file vrf.skeyStep 8 - Update vrf key permissions to read-only. You must also copy vrf.vkey to your cold environment.
Section titled “Step 8 - Update vrf key permissions to read-only. You must also copy vrf.vkey to your cold environment.”chmod 400 vrf.skeyReminder
Section titled “Reminder”Block-producing Node The only stake pool keys and certs that should be on the block producer, are the following three files.
###### On block producer node###KES = kes.skeyVRF = vrf.skeyCERT = node.certAll other keys must remain offline in your air-gapped offline cold environment.
Relay Nodes Relay nodes must NOT store any operational certificates, vrf, skey or cold keys.