To create an operational certificate for a block-producing node, you need a KES key pair.
KES stands for Key Evolving Signature in this situation. This means that after a certain period the key evolves into a new key and discards it's old version. This is a useful situation since if an attacker compromises the key and gains access to the signing key, they would only be able to use that key to sign blocks but blocks from earlier points would be safe so an attack couldn't rewrite history.
A KES key will only evolve after a certain number of periods and becomes useless afterwards. This means that until the number of periods has passed, the node operator will need to generate a new KES key pair, issue a new operational node certificate with that new key pair and then restart the node with the new certificate.
To find out how long one period is and for how long a key can evolve, you'll need to look into the genesis file. If that file is called mainnet-shelley-genesis.json, you can type
cat mainnet-shelley-genesis.json | grep KES
This example has the key evolve after a period of 129600 slots and it can evolve 62 times before it needs to be renewd.
Before making an operational certificate for the node, you need to figure out the start of thr KES validity period which is just the KES evolution period you're in.
To check the current tip of the blockchain you'll use the following command.