Configure TLS communication from the command line to allow clients (for example Teku, a dApp, or curl) and Web3Signer to communicate securely.
Web3Signer provides multiple options to configure client TLS access:
- Specify one or more authorized clients using a known clients file.
- Allow all clients with trusted CA certificates to connect.
- Allow any client to connect.
This example uses a known clients file to limit access to specified clients.
The Teku tutorial provides step-by-step instructions to configure the Teku client and Web3Signer for TLS communication, including creating the required keystores and truststore.
- Web3Signer's password-protected PKCS #12 keystore.
- File containing the keystore password.
- The client must be configured for TLS.
- Client's PKCS #12 keystore information.
Create the known clients file
Create a file (in this example, knownClients.txt) that lists one or more clients that are trusted to connect to Web3Signer. The file can contain clients that use trusted CA or self-signed certificates.
The file contents use the format <common_name> <hex-string> where:
- <common_name> is the Common Name used for the client's keystore.
- <hex-string> is the SHA-256 fingerprint of the client's keystore.
You can use OpenSSL or keytool to display the client's Common Name and fingerprint. For example:

```bash
keytool -list -v -keystore <keystore> -storetype PKCS12 -storepass <password>
```
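To show how a known clients entry is built and checked, the following is an added Python example (not Web3Signer's own code). It assumes the fingerprint is the SHA-256 of the client's DER-encoded certificate, which is what keytool's SHA256 line prints, accepts that colon-separated form as well as plain hex, parses a knownClients.txt, and checks a presenting client against it; the certificate bytes and file contents are constructed stand-ins.

```python
import hashlib
import re

# A SHA-256 fingerprint is 32 bytes, i.e. 64 hex digits.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_fingerprint(fp: str) -> str:
    """Accept keytool's 'AA:BB:...' form or plain hex; return lowercase hex."""
    cleaned = fp.strip().replace(":", "").lower()
    if not HEX64.match(cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned


def fingerprint_of_der(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as keytool/openssl print it."""
    return hashlib.sha256(cert_der).hexdigest()


def keytool_style(fp_hex: str) -> str:
    """Render a hex fingerprint as keytool does: uppercase, colon-separated."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2)).upper()


def parse_known_clients(text: str) -> dict:
    """Parse '<common_name> <hex-string>' lines into {common_name: {fingerprints}}."""
    clients = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # tolerate blank lines
        parts = raw.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<common_name> <hex-string>'")
        common_name, fp = parts
        clients.setdefault(common_name, set()).add(normalize_fingerprint(fp))
    return clients


def is_known_client(clients: dict, common_name: str, cert_der: bytes) -> bool:
    """Both the Common Name and the certificate fingerprint must match an entry."""
    return fingerprint_of_der(cert_der) in clients.get(common_name, set())


# Constructed stand-ins for two clients' DER certificates (not real certificates).
TEKU_CERT_DER = b"constructed-teku-client-certificate"
CURL_CERT_DER = b"constructed-curl-client-certificate"

# Constructed knownClients.txt: one plain-hex entry, one pasted from keytool output.
KNOWN_CLIENTS_TXT = (
    f"teku {fingerprint_of_der(TEKU_CERT_DER)}\n"
    f"curl {keytool_style(fingerprint_of_der(CURL_CERT_DER))}\n"
)
```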
```bash
web3signer --key-store-path=/Users/me/keyFiles/ \
```
The command line:
- Specifies the location of the signing key configuration files with the
- Specifies the Web3Signer keystore using the
- Specifies the file that contains the password to decrypt the keystore using the
- Specifies the clients that are trusted to connect to Web3Signer using the
--tls-allow-any-client option to allow access to any client, or --tls-allow-ca-clients to allow access to any client with a trusted CA certificate.
--tls-allow-any-client cannot be used with