Skip to main content

Block proposal permissioning


Only private networks using the QBFT consensus protocol support block proposal permissioning.

Block proposal permissioning is an early access feature, and functionality and options may be updated between releases.

You can configure block proposal permissioning to ensure only authorized validator nodes can propose blocks in the network.

Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks.

Configure block proposal permissioning


  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • A keystore containing the certificate and key for each network node.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xpki-block-creation-enabled=true \
--Xpki-block-creation-keystore-type="pkcs12" \
--Xpki-block-creation-keystore-file="keystore" \
--Xpki-block-creation-keystore-password-file="keystore.password" \
--Xpki-block-creation-crl-file="crl2.pem" \
--Xpki-block-creation-keystore-certificate-alias="validator" \
--Xpki-block-creation-truststore-type="pkcs12" \
--Xpki-block-creation-truststore-file="truststore" \

In the command line:

Command line options



Path to the optional certificate revocation list (CRL) file.



Enable PKI integration. The default is false.



Alias of the certificate to be included in the blocks proposed by this validator. The default is validator.



Keystore file containing the key and certificate for PKI block creation.



Text file containing the password to unlock the keystore file.



PKI keystore type. Valid options are JKS and PKCS12. The default is JKS.



Truststore containing the trusted certificates for PKI block creation.



Text file containing the password to unlock the truststore file.



PKI truststore type. Valid options are JKS and PKCS12. The default is JKS.