
Configure P2P TLS

You can configure TLS to secure the P2P communication between nodes, so that only authorized nodes can communicate with each other. Use certificates issued by a trusted authority to connect authorized nodes in the network: each node presents the certificate held in its keystore and accepts only peers whose certificates it trusts through its truststore.

caution

P2P TLS is an early access feature, and functionality and options may be updated between releases.

Besu supports PKCS11, PKCS12, and JKS keystore and truststore types for P2P TLS.

Configure P2P TLS

Prerequisites:

  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • Each node requires a keystore that contains the node's certificate and key.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xp2p-tls-enabled=true \
--Xp2p-tls-keystore-type="PKCS12" \
--Xp2p-tls-keystore-file="keystore" \
--Xp2p-tls-keystore-password-file="keystore.password" \
--Xp2p-tls-crl-file="crl2.pem" \
--Xp2p-tls-truststore-type="JKS" \
--Xp2p-tls-truststore-file="truststore.jks" \
--Xp2p-tls-truststore-password-file="truststore_password.txt"
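The prerequisites above (a keystore per node, a truststore for the network, a CRL) are left to the operator. The script below is an added example, not Besu project code, that builds all of them with the openssl and keytool command line tools and then checks node certificates against the CRL the way the TLS layer will. Everything not on this page is an assumption made for the example: the CA name p2p-ca, the node names node1 and node2, the directory layout, the PKCS12 keystore and JKS truststore types (both are supported by Besu), the function names, and the use of `openssl ca` for revocation.

```shell
#!/bin/sh
# Added example, not Besu project code: build the keystore, truststore,
# password files and CRL the Besu command above expects, then check node
# certificates against the CRL. Assumptions: openssl and keytool on PATH,
# a CA named p2p-ca, nodes node1/node2, PKCS12 keystore, JKS truststore.
set -eu

# Self-signed network CA plus the minimal openssl config it needs:
# [req]/[v3_ca] for the CA certificate, [p2p_ca] for revocation and CRLs.
# Only ca.crt is distributed (via the truststore); ca.key stays offline.
make_ca() {                      # make_ca CA_DIR
  ca="$1"; mkdir -p "$ca"; : >"$ca/index.txt"; echo 01 >"$ca/crlnumber"
  cat >"$ca/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = p2p_ca
[ p2p_ca ]
database = $ca/index.txt
crlnumber = $ca/crlnumber
serial = $ca/ca.srl
certificate = $ca/ca.crt
private_key = $ca/ca.key
default_md = sha256
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=p2p-ca" \
    -config "$ca/openssl.cnf" -keyout "$ca/ca.key" -out "$ca/ca.crt"
}

# Key and CA-signed certificate for one node. A P2P node is both TLS server
# and TLS client towards its peers, so the leaf carries both EKUs.
issue_node_cert() {   # issue_node_cert CA_DIR NODE_DIR NAME
  ca="$1"; out="$2"; name="$3"; mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -config "$ca/openssl.cnf" -keyout "$out/$name.key" -out "$out/$name.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
    "$name" >"$out/$name.ext"
  openssl x509 -req -days 365 -sha256 -in "$out/$name.csr" -CA "$ca/ca.crt" \
    -CAkey "$ca/ca.key" -CAcreateserial -extfile "$out/$name.ext" -out "$out/$name.crt"
}

# PKCS12 keystore (node key + cert + CA cert) and its password file, created
# under umask 077 in a subshell so neither is readable by other users.
make_keystore() {     # make_keystore CA_DIR NODE_DIR NAME
  ( umask 077; ca="$1"; out="$2"; name="$3"
    printf '%s' "$(openssl rand -base64 24)" >"$out/keystore.password"
    openssl pkcs12 -export -name "$name" -inkey "$out/$name.key" -in "$out/$name.crt" \
      -certfile "$ca/ca.crt" -passout "file:$out/keystore.password" -out "$out/keystore" )
}

# JKS truststore holding only the CA certificate. Built with keytool because
# Java only treats PKCS12 cert-only entries as trusted when they carry an
# Oracle-specific attribute that older openssl releases cannot set.
make_truststore() {   # make_truststore CA_DIR OUT_DIR
  ( umask 077; ca="$1"; out="$2"
    printf '%s' "$(openssl rand -base64 24)" >"$out/truststore_password.txt"
    keytool -importcert -noprompt -alias p2p-ca -file "$ca/ca.crt" -storetype JKS \
      -keystore "$out/truststore.jks" -storepass:file "$out/truststore_password.txt" )
}

# Revoke one node certificate; issue the CRL that --Xp2p-tls-crl-file loads.
revoke_node() { openssl ca -config "$1/openssl.cnf" -revoke "$2"; }
issue_crl()   { openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$2"; }

# The check a peer certificate must pass: chains to the CA and is not on the
# CRL. Exit status 0 means accepted, anything else means rejected.
check_node_cert() {   # check_node_cert CA_DIR CRL_FILE CERT_FILE
  openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Full layout under $1: node1 stays valid, node2 is revoked.
build_p2p_tls() {
  root="$1"; cadir="$root/ca"
  make_ca "$cadir"
  for n in node1 node2; do
    issue_node_cert "$cadir" "$root/$n" "$n"
    make_keystore "$cadir" "$root/$n" "$n"
  done
  make_truststore "$cadir" "$root"
  revoke_node "$cadir" "$root/node2/node2.crt"
  issue_crl "$cadir" "$root/crl2.pem"
}

# Run as "sh p2p-tls-setup.sh [DIR]"; under any other name it only defines functions.
if [ "${0##*/}" = "p2p-tls-setup.sh" ]; then
  root="${1:-./p2p-tls}"; build_p2p_tls "$root" >/dev/null 2>&1
  for n in node1 node2; do
    check_node_cert "$root/ca" "$root/crl2.pem" "$root/$n/$n.crt" \
      && echo "$n: accepted" || echo "$n: rejected"
  done
fi
```

With the default directory, node1 would be started with `--Xp2p-tls-keystore-type=PKCS12 --Xp2p-tls-keystore-file=p2p-tls/node1/keystore --Xp2p-tls-keystore-password-file=p2p-tls/node1/keystore.password --Xp2p-tls-crl-file=p2p-tls/crl2.pem --Xp2p-tls-truststore-type=JKS --Xp2p-tls-truststore-file=p2p-tls/truststore.jks --Xp2p-tls-truststore-password-file=p2p-tls/truststore_password.txt`. Only the node's own keystore, the truststore, the password files and the CRL need to be copied to a node; the CA private key does not. Re-run `issue_crl` whenever a certificate is revoked and distribute the new CRL, since a node only learns about revocations through the file it loads.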

The options used in the command line are described below.

Command line options

Xp2p-tls-crl-file

Syntax

--Xp2p-tls-crl-file=<FILE>

Example

--Xp2p-tls-crl-file=/home/cert/cert.crl.pem

Environment variable

BESU_XP2P_TLS_CRL_FILE=/home/cert/cert.crl.pem

Path to the optional certificate revocation list (CRL) file. Without a CRL, a node certificate that the issuing authority has revoked remains accepted until it expires.

Xp2p-tls-enabled

Syntax

--Xp2p-tls-enabled[=<true|false>]

Example

--Xp2p-tls-enabled=true

Environment variable

BESU_XP2P_TLS_ENABLED=true

Enable TLS for P2P communication. The default is false.

Xp2p-tls-keystore-file

Syntax

--Xp2p-tls-keystore-file=<FILE>

Example

--Xp2p-tls-keystore-file=/home/cert/keystore.jks

Environment variable

BESU_XP2P_TLS_KEYSTORE_FILE=/home/cert/keystore.jks

Keystore file containing the key and certificate to allow TLS for P2P communication.

Xp2p-tls-keystore-password-file

Syntax

--Xp2p-tls-keystore-password-file=<FILE>

Example

--Xp2p-tls-keystore-password-file=/home/cert/password.txt

Environment variable

BESU_XP2P_TLS_KEYSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the keystore file.

Xp2p-tls-keystore-type

Syntax

--Xp2p-tls-keystore-type=<TYPE>

Example

--Xp2p-tls-keystore-type=JKS

Environment variable

BESU_XP2P_TLS_KEYSTORE_TYPE=JKS

Keystore type that allows TLS for P2P communication. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.

Xp2p-tls-truststore-file

Syntax

--Xp2p-tls-truststore-file=<FILE>

Example

--Xp2p-tls-truststore-file=/home/cert/truststore.jks

Environment variable

BESU_XP2P_TLS_TRUSTSTORE_FILE=/home/cert/truststore.jks

Truststore file containing the trusted certificates that allow TLS for P2P communication.

Xp2p-tls-truststore-password-file

Syntax

--Xp2p-tls-truststore-password-file=<FILE>

Example

--Xp2p-tls-truststore-password-file=/home/cert/password.txt

Environment variable

BESU_XP2P_TLS_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the truststore file.

Xp2p-tls-truststore-type

Syntax

--Xp2p-tls-truststore-type=<TYPE>

Example

--Xp2p-tls-truststore-type=JKS

Environment variable

BESU_XP2P_TLS_TRUSTSTORE_TYPE=JKS

Truststore type. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.