Configure TLS communication from the command line to allow clients (for example Teku, a dApp, or curl) and Web3Signer to communicate securely.
Web3Signer provides multiple options to configure client TLS access:
- Specify one or more authorized clients using a known clients file.
- Allow all clients with trusted CA certificates to connect.
- Allow any client to connect.
This example uses a known clients file to limit access to specified clients.
The Teku tutorial provides step-by-step instructions to configure the Teku client and Web3Signer for TLS communication, including creating the required keystores and truststore.
- Web3Signer’s password-protected PKCS #12 keystore.
- File containing the keystore password.
- The client must be configured for TLS.
- Client’s PKCS #12 keystore information.
Create the known clients file
Create a file (in this example,
knownClients.txt) that lists one or more clients
that are trusted to connect to Web3Signer. The file can contain clients that use trusted CA
or self-signed certificates.
The file contents use the format
<common_name> <hex-string> where:
<common_name>is the Common Name used for the client’s keystore
<hex-string>is the SHA-256 fingerprint of the client’s keystore.
keytool -list -v -keystore <keystore> -storetype PKCS12 -storepass <password>
web3signer --key-store-path=/Users/me/keyFiles/ \ --tls-keystore-file=/Users/me/certs/web3signerKeystore.p12 \ --tls-keystore-password-file=/Users/me/certs/password.txt \ --tls-known-clients-file=/Users/me/certs/knownClients.txt
The command line:
- Specifies the location of the signing key configuration files
- Specifies the Web3Signer keystore using the
- Specifies the file that contains the password to decrypt the keystore using the
- Specifies the clients that are trusted to connect to Web3Signer