Configure TLS

You can configure TLS for communication between Teku and an external signer, for example Web3Signer.

info

The Teku and Web3Signer TLS configuration tutorial provides instructions to create the required keystores and configuration.

Prerequisites

Web3Signer prerequisites:

Teku prerequisites:

Start Web3Signer

Start Web3Signer with the TLS configuration options and specify the keystore and known clients file.

web3signer \
--key-store-path=/Users/me/keyFiles/ \
--tls-keystore-file=/Users/me/certs/web3signer_keystore.p12 \
--tls-keystore-password-file=/Users/me/certs/web3signer_keystore_password.txt \
--tls-known-clients-file=/Users/me/certs/knownClients.txt \
eth2

note

Slashing protection is enabled by default when using the eth2 Web3Signer subcommand. If using Web3Signer slashing protection, ensure you configure your slashing protection database.

Start Teku

Start Teku with the external signer, keystore, and truststore details. For example:

teku \
--network=holesky \
--eth1-endpoint=http://localhost:8545 \
--validators-external-signer-public-keys=0xa99a...e44c,0xb89b...4a0b \
--validators-external-signer-url=https://localhost:9000 \
--validators-external-signer-truststore=/Users/me/certs/web3signer_truststore.p12 \
--validators-external-signer-truststore-password-file=/Users/me/certs/truststore_pass.txt \
--validators-external-signer-keystore=/Users/me/certs/teku_client_keystore.p12 \
--validators-external-signer-keystore-password-file=/Users/me/certs/teku_keystore_password.txt
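
A pre-flight check for the external signer flags in the teku command above, added here as an example and not taken from the Teku or Web3Signer projects. The function names are hypothetical. It assumes the client keystore and both password files should be readable by their owner only.

```shell
# Added example: check_signer_tls and its helpers are hypothetical names.

# Succeeds only if the file exists and grants nothing to group or other.
private_file() {
  [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  mode=$(ls -ldL "$1" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "group/other can access: $1" >&2; return 1; }
}

# $1 = store path, $2 = password-file path, $3 = label, $4 = "private" if
# the store itself holds a private key (the client keystore does).
check_pair() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "$3 or its password file is not set" >&2; return 1
  fi
  if [ "$4" = private ]; then
    private_file "$1" || return 1
  else
    [ -f "$1" ] || { echo "missing $3: $1" >&2; return 1; }
  fi
  private_file "$2"
}

# Usage: check_signer_tls <the same flags you pass to teku>
check_signer_tls() {
  url= ts= tsp= ks= ksp= rc=0
  for arg in "$@"; do
    case $arg in
      --validators-external-signer-url=*) url=${arg#*=} ;;
      --validators-external-signer-truststore=*) ts=${arg#*=} ;;
      --validators-external-signer-truststore-password-file=*) tsp=${arg#*=} ;;
      --validators-external-signer-keystore=*) ks=${arg#*=} ;;
      --validators-external-signer-keystore-password-file=*) ksp=${arg#*=} ;;
    esac
  done
  # An http:// URL means no TLS handshake, so neither store protects the link.
  case $url in
    https://*) ;;
    *) echo "signer URL is not https: ${url:-unset}" >&2; rc=1 ;;
  esac
  check_pair "$ts" "$tsp" truststore "" || rc=1
  check_pair "$ks" "$ksp" keystore private || rc=1
  return "$rc"
}
```

Each problem found is printed to stderr, and the function returns non-zero if there is at least one.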

In the command: