Skip to content
You are reading the Teku development version documentation and some features may not be available in the stable release. You can switch to the stable version using the version box at the bottom of the screen.

Updated on April 27, 2021

Configure TLS

You can configure TLS for communication between Teku and an external signer, for example Web3Signer.


The Teku and Web3Signer TLS configuration tutorial provides instructions to create the required keystores and configuration.


Web3Signer prerequisites:

Teku prerequisites:

Start Web3Signer

Start Web3Signer with the TLS configuration options and specify the keystore and known clients file.

web3signer --key-store-path=/Users/me/keyFiles/ \
--tls-keystore-file=/Users/me/certs/web3signer_keystore.p12 \
--tls-keystore-password-file=/Users/me/certs/web3signer_keystore_password.txt \
--tls-known-clients-file=/Users/me/certs/knownClients.txt \


Slashing protection is enabled by default when using the eth2 Web3Signer subcommand. If using Web3Signer slashing protection, ensure you configure your slashing protection database.

Start Teku

Start Teku with the external signer, keystore, and truststore details:

teku --network=pyrmont \
--eth1-endpoint=http://localhost:8545 \
--validators-external-signer-public-keys=0xa99a...e44c,0xb89b...4a0b \
--validators-external-signer-url=https://localhost:9000 \
--validators-external-signer-truststore=/Users/me/certs/web3signer_truststore.p12 \
--validators-external-signer-truststore-password-file=/Users/me/certs/truststore_pass.txt \
--validators-external-signer-keystore=/Users/me/certs/teku_client_keystore.p12 \

In the command:

Questions or feedback? You can discuss issues and obtain free support on Teku Discord channel.
For paid professional support by Consensys, contact us at