Skip to content
You are reading Web3Signer development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Configure TLS

Configure TLS communication from the command line to allow clients (for example Teku, a dApp, or curl) and Web3Signer to communicate securely.

Web3Signer provides multiple options to configure client TLS access:

This example uses a known clients file to limit access to specified clients.


The Teku tutorial provides step-by-step instructions to configure the Teku client and Web3Signer for TLS communication, including creating the required keystores and truststore.


Web3Signer prerequisites:

  • Web3Signer’s password-protected PKCS #12 keystore.
  • File containing the keystore password.

Client prerequisites:

  • The client must be configured for TLS.
  • Client’s PKCS #12 keystore information.

Create the known clients file

Create a file (in this example, knownClients.txt) that lists one or more clients that are trusted to connect to Web3Signer. The file can contain clients that use trusted CA or self-signed certificates.

The file contents use the format <common_name> <hex-string> where:

  • <common_name> is the Common Name used for the client’s keystore
  • <hex-string> is the SHA-256 fingerprint of the client’s keystore.


curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50

You can use OpenSSL or keytool to display the client’s Common Name and fingerprint. For example:


keytool -list -v -keystore <keystore> -storetype PKCS12 -storepass <password>

Start Web3Signer

web3signer --key-store-path=/Users/me/keyFiles/ \
--tls-keystore-file=/Users/me/certs/web3signerKeystore.p12 \
--tls-keystore-password-file=/Users/me/certs/password.txt \

The command line:


Use the --tls-allow-any-client option to allow access to any client, or --tls-allow-ca-clients to allow access to any client with a trusted CA certificate.

--tls-allow-any-client cannot be used with tls-known-clients-file or --tls-allow-ca-clients.

Questions or feedback? You can discuss issues and obtain free support on Web3Signer Discord channel.
For paid professional support by Consensys, contact us at [email protected]