Configure TLS
You can configure TLS for communication between Teku and an external signer, for example Web3Signer.
Info: The Teku and Web3Signer TLS configuration tutorial provides instructions to create the required keystores and configuration.
Prerequisites
Web3Signer prerequisites:
Teku prerequisites:
- Teku's password-protected PKCS12 or JKS keystore and password file.
- Web3Signer's password-protected PKCS12 or JKS truststore and password file.
- ETH1 client (for example Besu) synced to the required network.
Start Web3Signer
Start Web3Signer with the TLS configuration options and specify the keystore and known clients file.
web3signer \
  --key-store-path=/Users/me/keyFiles/                                          \
  --tls-keystore-file=/Users/me/certs/web3signer_keystore.p12                   \
  --tls-keystore-password-file=/Users/me/certs/web3signer_keystore_password.txt \
  --tls-known-clients-file=/Users/me/certs/knownClients.txt                     \
  eth2
Note: Slashing protection is enabled by default when using the eth2 Web3Signer subcommand. If using Web3Signer slashing protection, ensure you configure your slashing protection database.
Start Teku
Start Teku with the external signer, keystore, and truststore details. For example:
teku \
  --network=holesky                                                                         \
  --eth1-endpoint=http://localhost:8545                                                     \
  --validators-external-signer-public-keys=0xa99a...e44c,0xb89b...4a0b                      \
  --validators-external-signer-url=https://localhost:9000                                   \
  --validators-external-signer-truststore=/Users/me/certs/web3signer_truststore.p12         \
  --validators-external-signer-truststore-password-file=/Users/me/certs/truststore_pass.txt \
  --validators-external-signer-keystore=/Users/me/certs/teku_client_keystore.p12            \
  --validators-external-signer-keystore-password-file=/Users/me/certs/teku_keystore_password.txt
In the command:
- Specify the network using --network.
- Specify the JSON-RPC URL of the execution layer client using --eth1-endpoint.
- Specify the validator's public keys using --validators-external-signer-public-keys.
- Specify the URL of the running external signer using --validators-external-signer-url.
- Specify the truststore and password file using --validators-external-signer-truststore and --validators-external-signer-truststore-password-file.
- Specify the keystore and password file using --validators-external-signer-keystore and --validators-external-signer-keystore-password-file.
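The two commands above reference three PKCS12 stores (Web3Signer's keystore, Teku's client keystore and Teku's truststore) and a password file for each. A mismatched pair, or a password file readable by other users, only shows up as a TLS failure after the services start. The script below is an added example, not code from Teku or Web3Signer: it checks each store/password pair with the openssl CLI before startup, rejects password files that are not mode 600 or 400, confirms the store opens with the password in the file, and prints the certificate's SHA-256 fingerprint. The default paths are the ones used in the example commands on this page; that the fingerprint is the value Web3Signer's known clients file identifies Teku's certificate by is an assumption to confirm against the Web3Signer documentation.

```shell
#!/bin/sh
# Added example (not Teku or Web3Signer code): pre-flight checks for the TLS
# material referenced by this page's commands. Default paths are assumptions
# copied from the example commands; pass your own paths to preflight.

# Return 0 if a password file exists, is non-empty and is readable only by its
# owner (mode 600 or 400). Both Teku and Web3Signer read the store password from
# this file, so a group- or world-readable password file undoes the protection
# the password-protected keystore provides.
check_password_file() {
    f="$1"
    [ -s "$f" ] || { echo "password file missing or empty: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Return 0 if the PKCS12 store opens with the password in the given file,
# i.e. the store and password file are a matching pair and the store MAC verifies.
check_pkcs12() {
    openssl pkcs12 -in "$1" -passin "file:$2" -info -noout >/dev/null 2>&1
}

# Print the colon-separated SHA-256 fingerprint of the first certificate in a
# PKCS12 store (works for truststores too, which hold certificates but no key).
# Assumption: this fingerprint is how Web3Signer's known clients file identifies
# Teku's client certificate; check the Web3Signer docs for the exact line format.
pkcs12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Run all checks for one store/password pair. Arguments: store path, password file.
check_store_pair() {
    check_password_file "$2" || return 1
    check_pkcs12 "$1" "$2" || { echo "cannot open $1 with the password in $2" >&2; return 1; }
    echo "$1 OK, certificate fingerprint: $(pkcs12_fingerprint "$1" "$2")"
}

# Check Teku's client keystore, Teku's truststore and Web3Signer's keystore.
# Arguments (all optional, defaults taken from the commands on this page):
#   1,2 Teku keystore + password file   3,4 Teku truststore + password file
#   5,6 Web3Signer keystore + password file
preflight() {
    check_store_pair "${1:-/Users/me/certs/teku_client_keystore.p12}" \
                     "${2:-/Users/me/certs/teku_keystore_password.txt}" &&
    check_store_pair "${3:-/Users/me/certs/web3signer_truststore.p12}" \
                     "${4:-/Users/me/certs/truststore_pass.txt}" &&
    check_store_pair "${5:-/Users/me/certs/web3signer_keystore.p12}" \
                     "${6:-/Users/me/certs/web3signer_keystore_password.txt}"
}
```

Source the script and run `preflight` (with no arguments for the paths used on this page, or with the six paths in the order given in the comment) on each host before starting Web3Signer and Teku; a non-zero exit identifies the failing file on stderr.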