The keystores are created with the JDK's keytool command (OpenSSL can be used as well). The first keystore holds Web3Signer's server certificate; the second holds the client certificate (for a client such as Teku or curl). Pay special attention to the CN you specify for the client keystore/certificate, because the knownClients file in Web3Signer identifies the client by that CN.
# Server keystore, presented by Web3Signer (SAN covers the hostname/IP the client connects to)
keytool -genkeypair -keystore web3signer_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD -alias SOME_ALIAS \
-keyalg RSA -keysize 2048 -validity 700 -dname "CN=localhost, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" \
-ext san=dns:localhost,ip:127.0.0.1
# Client keystore, presented by Teku or curl; its CN ("client") is what knownClients.txt refers to
keytool -genkeypair -keystore client_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD -alias SOME_ALIAS \
-keyalg RSA -keysize 2048 -validity 700 -dname "CN=client, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" \
-ext san=dns:localhost,ip:127.0.0.1
Obtain the client certificate's SHA-256 fingerprint; it goes into the knownClients file later on.
> keytool -list -v -keystore client_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD
...
Certificate fingerprints:
SHA1: 12:CA:86:0E:FE:BF:49:BD:AE:8C:C5:7F:2F:C3:48:3F:DA:EC:E2:9D
SHA256: CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
...
# Compose file used by `docker compose up` below; ./config holds config.yaml, the keystore, password.txt and knownClients.txt
version: "3.9"
services:
  web3signer:
    image: consensys/web3signer:develop
    command: --config-file=/var/config/config.yaml eth2
    volumes:
      - ./config:/var/config
    ports:
      - "9000:9000"
# ./config/config.yaml (mounted at /var/config/config.yaml)
http-listen-host: "0.0.0.0"
http-listen-port: 9000
http-host-allowlist: "*"   # accepts any Host header; fine for a local test, tighten for real deployments
key-store-path: /var/config/keys
# tls options
tls-keystore-file: /var/config/web3signer_keystore.p12
tls-keystore-password-file: /var/config/password.txt
tls-known-clients-file: /var/config/knownClients.txt
# tls-allow-any-client: true   # would accept any client certificate, bypassing the knownClients allowlist
# eth2 subcommand options
eth2.slashing-protection-enabled: false
Contents of ./config/knownClients.txt: the client certificate's CN followed by its SHA-256 fingerprint from the keytool listing above.
client CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
docker compose up
...
docker_test-web3signer-1 | 2021-11-10 01:03:56.177+00:00 | pool-2-thread-1 | INFO | SignerLoader | Signer configuration metadata files read in memory 2 in 00:00:00.022
docker_test-web3signer-1 | 2021-11-10 01:03:56.183+00:00 | ForkJoinPool-1-worker-3 | INFO | SignerLoader | Parsing configuration metadata files
docker_test-web3signer-1 | 2021-11-10 01:03:58.201+00:00 | ForkJoinPool-1-worker-3 | INFO | BLS | BLS: loaded BLST library
docker_test-web3signer-1 | 2021-11-10 01:03:59.083+00:00 | ForkJoinPool-1-worker-3 | INFO | SignerLoader | Total configuration metadata files processed: 2
docker_test-web3signer-1 | 2021-11-10 01:03:59.083+00:00 | ForkJoinPool-1-worker-3 | INFO | SignerLoader | Total signers loaded from configuration files: 2 in 00:00:02.899
docker_test-web3signer-1 | 2021-11-10 01:03:59.090+00:00 | pool-2-thread-1 | INFO | DefaultArtifactSignerProvider | Total signers (keys) currently loaded in memory: 2
...
docker_test-web3signer-1 | 2021-11-10 01:04:00.435+00:00 | main | INFO | Runner | Web3Signer has started with TLS enabled, and ready to handle signing requests on 0.0.0.0:9000
...
# --insecure skips verification of the self-signed server certificate; the client certificate
# from client_keystore.p12 is still presented and checked against knownClients.txt
curl --insecure --cert-type P12 --cert client_keystore.p12:MY_PASSWORD https://localhost:9000/upcheck
OK
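The knownClients mechanism above pins each client by CN and the SHA-256 of its certificate's DER encoding. The following added example (not part of the original page or of Web3Signer's code) extracts the fingerprint from the keytool listing shown above, computes the same fingerprint from DER bytes, builds a knownClients.txt line, and performs an allowlist check; the rule that both CN and fingerprint must match is this example's own assumption, since the page does not spell out Web3Signer's exact matching semantics.

```python
import hashlib
import re

# Trimmed `keytool -list -v` output as shown on the page; knownClients.txt pins the SHA256 line.
KEYTOOL_LISTING = """\
Certificate fingerprints:
SHA1: 12:CA:86:0E:FE:BF:49:BD:AE:8C:C5:7F:2F:C3:48:3F:DA:EC:E2:9D
SHA256: CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
"""

# 32 colon-separated hex bytes on a line starting with "SHA256:"
_FP_RE = re.compile(r"^\s*SHA256:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){31})\s*$", re.MULTILINE)


def fingerprint_from_keytool(listing: str) -> str:
    """Pull the SHA-256 fingerprint out of `keytool -list -v` output."""
    m = _FP_RE.search(listing)
    if m is None:
        raise ValueError("no SHA256 fingerprint in keytool output")
    return m.group(1).upper()


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, in keytool's colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def known_clients_entry(common_name: str, fingerprint: str) -> str:
    """One knownClients.txt line: '<CN> <SHA-256 fingerprint>'."""
    if not common_name or " " in common_name:
        raise ValueError("CN must be non-empty and contain no spaces in this file format")
    return f"{common_name} {fingerprint.upper()}"


def parse_known_clients(text: str) -> dict:
    """Map CN -> fingerprint; blank lines are skipped, anything else malformed is rejected."""
    allow = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or not _FP_RE.match("SHA256: " + parts[1]):
            raise ValueError(f"malformed knownClients line: {line!r}")
        allow[parts[0]] = parts[1].upper()
    return allow


def is_allowed(common_name: str, der: bytes, allow: dict) -> bool:
    """Assumed rule: accept only when the CN is listed AND the pinned fingerprint matches."""
    return allow.get(common_name) == fingerprint_of_der(der)
```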