Skip to main content

Configure TLS

Configure TLS communication from the command line to allow clients (for example Teku, a dApp, or curl) and Web3Signer to communicate securely.

Web3Signer provides multiple options to configure client TLS access:

This example uses a known clients file to limit access to specified clients.


The Teku tutorial provides step-by-step instructions to configure the Teku client and Web3Signer for TLS communication, including creating the required keystores and truststore.


Web3Signer prerequisites:

  • Web3Signer's password-protected PKCS #12 keystore.
  • File containing the keystore password.

Client prerequisites:

  • The client must be configured for TLS.
  • Client's PKCS #12 keystore information.

Create the known clients file

Create a file (in this example, knownClients.txt) that lists one or more clients that are trusted to connect to Web3Signer. The file can contain clients that use trusted CA or self-signed certificates.

The file contents use the format <common_name> <hex-string> where:

  • <common_name> is the Common Name used for the client's keystore
  • <hex-string> is the SHA-256 fingerprint of the client's keystore.
curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50

You can use OpenSSL or keytool to display the client's Common Name and fingerprint. For example:

keytool -list -v -keystore <keystore> -storetype PKCS12 -storepass <password>

Start Web3Signer

web3signer --key-store-path=/Users/me/keyFiles/ \
--tls-keystore-file=/Users/me/certs/web3signerKeystore.p12 \
--tls-keystore-password-file=/Users/me/certs/password.txt \

The command line:


Use the --tls-allow-any-client option to allow access to any client, or --tls-allow-ca-clients to allow access to any client with a trusted CA certificate.

--tls-allow-any-client cannot be used with tls-known-clients-file or --tls-allow-ca-clients.