You are reading EthSigner development version documentation.

Configure TLS

Configure TLS communication from the command line. Clients and servers communicate using HTTP JSON-RPCs.

EthSigner prerequisites:

  • EthSigner’s password-protected PKCS #12 keystore.
  • File containing the keystore password.

Client TLS connection

Allow clients (for example a dApp, or curl) to send and receive secure HTTP JSON-RPCs.

Client prerequisites:

  • The client must be configured for TLS.
  • Client’s PKCS #12 keystore information.

Create the known clients file

Create a file (in this example, knownClients) that lists one or more clients that are trusted to connect to EthSigner. The file contents use the format <common_name> <hex-string> where:

  • <common_name> is the Common Name used for the client’s keystore.
  • <hex-string> is the SHA-256 fingerprint of the client’s keystore.

Example

curl_client DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50

You can use OpenSSL or keytool to display the fingerprint. For example:

Example

keytool -list -v -keystore <keystore> -storetype PKCS12 -storepass <password>

Start EthSigner

ethsigner --tls-keystore-file=/Users/me/my_node/keystore.pfx --tls-keystore-password-file=/Users/me/my_node/keystorePassword --tls-known-clients-file=/Users/me/my_node/knownClients --tls-allow-ca-clients

The command line:

Note

Use the --tls-allow-any-client option to allow access to any client.

--tls-allow-any-client cannot be used with --tls-known-clients-file or --tls-allow-ca-clients.

Server TLS connection

Allow EthSigner to send and receive secure HTTP JSON-RPCs from the server (for example Besu).

Server prerequisites:

Create the known servers file

Create a file (in this example, knownServers) that lists one or more trusted servers. The file contents use the format <hostname>:<port> <hex-string> where:

  • <hostname> is the server hostname.
  • <port> is the port used for communication.
  • <hex-string> is the SHA-256 fingerprint of the server’s certificate.

Example

localhost:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
127.0.0.1:8590 6C:B2:3E:F9:88:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
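The two file formats above (knownClients: <common_name> <hex-string>; knownServers: <hostname>:<port> <hex-string>) share one idea: pin a peer to the SHA-256 fingerprint of its certificate. The following is an added example, not EthSigner's own code, that computes such a fingerprint, writes entries in both formats, parses either file while rejecting malformed lines, and performs the pin check. It assumes the hex string is the SHA-256 digest of the DER-encoded certificate held in the keystore, formatted as uppercase colon-separated hex (the form keytool and openssl print). The PEM blob and all function names are constructed for illustration; only Python's standard library is used.

```python
"""Build and check EthSigner-style knownClients / knownServers entries.

Added example, not EthSigner's own code. Assumes the <hex-string> in both
files is SHA-256 over the DER-encoded certificate, written as uppercase
colon-separated hex, which is what keytool and openssl display.
"""
import base64
import hashlib
import re

# Constructed sample: PEM armour around made-up "DER" bytes. The digest does
# not care whether the bytes parse as X.509, so this stands in for a real
# certificate exported from a PKCS #12 keystore.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-der-bytes-for-curl_client").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# 32 bytes as uppercase hex pairs separated by colons (64 hex + 31 colons).
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")
# <hostname>:<port> as used in knownServers; IPs match the hostname class too.
HOSTPORT_RE = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like keytool/openssl output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def known_clients_entry(common_name: str, pem: str) -> str:
    """One knownClients line: <common_name> <hex-string>."""
    return f"{common_name} {sha256_fingerprint(pem_to_der(pem))}"


def known_servers_entry(host: str, port: int, pem: str) -> str:
    """One knownServers line: <hostname>:<port> <hex-string>."""
    return f"{host}:{port} {sha256_fingerprint(pem_to_der(pem))}"


def parse_known_file(text: str, kind: str) -> dict:
    """Parse a knownClients ("clients") or knownServers ("servers") file.

    Returns {identity: fingerprint}. Malformed lines raise ValueError so a
    typo surfaces at load time instead of as a silent TLS handshake failure.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected exactly two fields")
        ident, fp = parts
        if kind == "servers" and not HOSTPORT_RE.match(ident):
            raise ValueError(f"line {lineno}: bad <hostname>:<port> {ident!r}")
        if not FINGERPRINT_RE.match(fp):
            raise ValueError(f"line {lineno}: bad SHA-256 fingerprint {fp!r}")
        entries[ident] = fp
    return entries


def is_trusted(entries: dict, identity: str, presented_der: bytes) -> bool:
    """Pin check: trust the peer only if the digest of the certificate it
    presents equals the fingerprint recorded for that CN or host:port."""
    expected = entries.get(identity)
    return expected is not None and sha256_fingerprint(presented_der) == expected


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(known_clients_entry("curl_client", SAMPLE_PEM))
    # Mirror the page's advice: list both hostname and IP for the same server.
    servers_text = "\n".join([
        known_servers_entry("localhost", 8590, SAMPLE_PEM),
        known_servers_entry("127.0.0.1", 8590, SAMPLE_PEM),
    ])
    print(servers_text)
    servers = parse_known_file(servers_text, "servers")
    print("trusted:", is_trusted(servers, "127.0.0.1:8590", der))
```

The check is a byte-exact digest comparison, so a renewed certificate (same CN or host, new key) stops matching until its fingerprint is re-recorded, which is the behaviour a pinning file should have.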

Note

Specify both hostname and IP address in the file if unsure which is used in requests.

Start EthSigner

ethsigner --downstream-http-tls-enabled --downstream-http-tls-keystore-file=/Users/me/my_node/keystore.pfx --downstream-http-tls-keystore-password-file=/Users/me/my_node/keyPassword --downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers

The command line:

Note

The --downstream-http-tls-ca-auth-enabled option is true by default and allows connections to servers with trusted root CAs.
