Configure P2P TLS

You can configure TLS to secure the P2P communication between nodes by ensuring only authorized nodes can communicate with each other. Use certificates issued by a trusted authority to connect authorized nodes in the network.

Caution:

P2P TLS is an early access feature, and functionality and options may be updated between releases.

Besu supports PKCS11, PKCS12, and JKS keystore and truststore types for P2P TLS.

Configure P2P TLS

Prerequisites:

  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • Each node requires a keystore that contains the node's certificate and key.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xp2p-tls-enabled=true \
--Xp2p-tls-keystore-type="PKCS12" \
--Xp2p-tls-keystore-file="keystore" \
--Xp2p-tls-keystore-password-file="keystore.password" \
--Xp2p-tls-crl-file="crl2.pem" \
--Xp2p-tls-truststore-type="JKS" \
--Xp2p-tls-truststore-file="truststore.jks" \
--Xp2p-tls-truststore-password-file="truststore_password.txt"

In the command line:

Command line options

Xp2p-tls-crl-file

--Xp2p-tls-crl-file=<FILE>

Path to the optional certificate revocation list (CRL) file.

Xp2p-tls-enabled

--Xp2p-tls-enabled[=<true|false>]

Enable TLS for P2P communication. The default is false.

Xp2p-tls-keystore-file

--Xp2p-tls-keystore-file=<FILE>

Keystore file containing the node's private key and certificate used for P2P TLS.

Xp2p-tls-keystore-password-file

--Xp2p-tls-keystore-password-file=<FILE>

Text file containing the password to unlock the keystore file.

Xp2p-tls-keystore-type

--Xp2p-tls-keystore-type=<TYPE>

Type of the keystore used for P2P TLS. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.

Xp2p-tls-truststore-file

--Xp2p-tls-truststore-file=<FILE>

Truststore file containing the trusted certificates used for P2P TLS.

Xp2p-tls-truststore-password-file

--Xp2p-tls-truststore-password-file=<FILE>

Text file containing the password to unlock the truststore file.

Xp2p-tls-truststore-type

--Xp2p-tls-truststore-type=<TYPE>

Truststore type. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.
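The following pre-flight script is an added example, not part of Besu or its documentation. It checks that the keystore, truststore and password files named in the command above exist and that the password files are not readable by group or other (they unlock the node's private key), then prints the matching Besu command line. The file names and the PKCS12/JKS store types are taken from the example above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Besu's own tooling): validate the P2P TLS file set and
# print the besu invocation. The CRL argument is optional, as on the page.

file_mode() {
    # Octal permission bits, GNU stat first, BSD stat as fallback
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage: check_p2p_tls_files KEYSTORE KEYSTORE_PW TRUSTSTORE TRUSTSTORE_PW [CRL]
# Returns 0 when every required file is readable and the password files are
# owner-only (mode ?00); returns 1 and reports each problem otherwise.
check_p2p_tls_files() {
    rc=0
    for f in "$1" "$2" "$3" "$4"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; rc=1; }
    done
    # The CRL is optional; only validate it when one was supplied
    if [ -n "$5" ] && [ ! -r "$5" ]; then
        echo "CRL file not readable: $5" >&2; rc=1
    fi
    # Password files must not be empty or readable by group/other
    for f in "$2" "$4"; do
        [ -f "$f" ] || continue
        [ -s "$f" ] || { echo "password file is empty: $f" >&2; rc=1; }
        mode=$(file_mode "$f")
        case "$mode" in
            ?00) ;;  # 600, 400, 700: owner-only
            *) echo "password file $f is group/world readable (mode $mode)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: besu_p2p_tls_cmdline KEYSTORE KEYSTORE_PW TRUSTSTORE TRUSTSTORE_PW [CRL]
# Prints the same option set as the page's example, one line, CRL included
# only when given.
besu_p2p_tls_cmdline() {
    cmd="besu --Xp2p-tls-enabled=true --Xp2p-tls-keystore-type=PKCS12"
    cmd="$cmd --Xp2p-tls-keystore-file=$1 --Xp2p-tls-keystore-password-file=$2"
    if [ -n "$5" ]; then cmd="$cmd --Xp2p-tls-crl-file=$5"; fi
    cmd="$cmd --Xp2p-tls-truststore-type=JKS --Xp2p-tls-truststore-file=$3"
    cmd="$cmd --Xp2p-tls-truststore-password-file=$4"
    printf '%s\n' "$cmd"
}
```

Run `check_p2p_tls_files keystore keystore.password truststore.jks truststore_password.txt crl2.pem && eval "$(besu_p2p_tls_cmdline keystore keystore.password truststore.jks truststore_password.txt crl2.pem)"` from the node's data directory to start the node only when the checks pass.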