Last update: October 11, 2021

P2P TLS

You can configure TLS to secure the P2P communication between nodes by ensuring only authorized nodes can communicate with each other. Use certificates issued by a trusted authority to connect authorized nodes in the network.

Warning

P2P TLS is an early access feature, and functionality and options may be updated between releases.

Besu supports PKCS11, PKCS12, and JKS keystore and truststore types for P2P TLS.

Configure P2P TLS

Prerequisites:

  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • Each node requires a keystore that contains the node’s certificate and key.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xp2p-tls-enabled=true \
--Xp2p-tls-keystore-type="PKCS12" \
--Xp2p-tls-keystore-file="keystore" \
--Xp2p-tls-keystore-password-file="keystore.password" \
--Xp2p-tls-crl-file="crl2.pem" \
--Xp2p-tls-truststore-type="JKS" \
--Xp2p-tls-truststore-file="truststore.jks" \
--Xp2p-tls-truststore-password-file="truststore_password.txt"
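Before starting Besu with the options above, it is worth checking the files they name. The following added example (not Besu's own code) is a POSIX shell pre-flight check that confirms each store's on-disk format matches its declared type (JKS magic bytes or a PKCS12 DER header), that the password files are non-empty and readable only by their owner, and that the optional CRL is PEM encoded. It assumes JKS or PKCS12 store files (PKCS11 provider configs are passed through unchecked) and uses hypothetical function names.

```shell
#!/bin/sh
# Pre-flight checks for the files named by the --Xp2p-tls-* options above.
# Added example, not Besu code. Assumes JKS/PKCS12 stores on disk (PKCS11
# token configs are not inspected), plain-text password files, and a PEM CRL.

# first_bytes_hex FILE N: hex of the first N bytes, e.g. "feedfeed"
first_bytes_hex() {
  od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# store_type_matches FILE TYPE: does the file header match the declared type?
store_type_matches() {
  case "$2" in
    JKS)    [ "$(first_bytes_hex "$1" 4)" = "feedfeed" ] ;;  # JKS magic number
    PKCS12) [ "$(first_bytes_hex "$1" 1)" = "30" ] ;;        # DER SEQUENCE tag
    PKCS11) return 0 ;;   # hardware token; the "file" is a provider config
    *)      return 1 ;;
  esac
}

# password_file_ok FILE: non-empty and readable by the owner only (e.g. 0600)
password_file_ok() {
  [ -s "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# crl_file_ok FILE: a PEM-encoded CRL, as --Xp2p-tls-crl-file expects
crl_file_ok() {
  grep -q -- '-----BEGIN X509 CRL-----' "$1"
}

# check_p2p_tls_config KS_TYPE KS_FILE KS_PW TS_TYPE TS_FILE TS_PW [CRL]
# Returns 0 when every referenced file is usable; otherwise prints the first
# problem to stderr and returns 1, so it can gate a Besu start script.
check_p2p_tls_config() {
  ks_type=$1 ks_file=$2 ks_pw=$3 ts_type=$4 ts_file=$5 ts_pw=$6 crl=$7
  { [ -f "$ks_file" ] && store_type_matches "$ks_file" "$ks_type"; } ||
    { echo "keystore $ks_file missing or not a $ks_type store" >&2; return 1; }
  password_file_ok "$ks_pw" ||
    { echo "keystore password file $ks_pw missing, empty or readable by others" >&2; return 1; }
  { [ -f "$ts_file" ] && store_type_matches "$ts_file" "$ts_type"; } ||
    { echo "truststore $ts_file missing or not a $ts_type store" >&2; return 1; }
  password_file_ok "$ts_pw" ||
    { echo "truststore password file $ts_pw missing, empty or readable by others" >&2; return 1; }
  if [ -n "$crl" ]; then
    crl_file_ok "$crl" || { echo "CRL $crl is not a PEM X509 CRL" >&2; return 1; }
  fi
  return 0
}
```

Call check_p2p_tls_config with the same values you pass to Besu; a non-zero exit stops a start script before the node comes up with a store that does not match its declared type or a password file other users can read.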

The options used in the command line above are described in the following reference.

Command line options

Xp2p-tls-crl-file

--Xp2p-tls-crl-file=<FILE>
--Xp2p-tls-crl-file=/home/cert/cert.crl.pem
BESU_XP2P_TLS_CRL_FILE=/home/cert/cert.crl.pem

Path to the optional certificate revocation list (CRL) file.

Xp2p-tls-enabled

--Xp2p-tls-enabled[=<true|false>]
--Xp2p-tls-enabled=true
BESU_XP2P_TLS_ENABLED=true

Enable TLS for P2P communication. The default is false.

Xp2p-tls-keystore-file

--Xp2p-tls-keystore-file=<FILE>
--Xp2p-tls-keystore-file=/home/cert/keystore.jks
BESU_XP2P_TLS_KEYSTORE_FILE=/home/cert/keystore.jks

Keystore file containing the key and certificate to allow TLS for P2P communication.

Xp2p-tls-keystore-password-file

--Xp2p-tls-keystore-password-file=<FILE>
--Xp2p-tls-keystore-password-file=/home/cert/password.txt
BESU_XP2P_TLS_KEYSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the keystore file.

Xp2p-tls-keystore-type

--Xp2p-tls-keystore-type=<TYPE>
--Xp2p-tls-keystore-type=JKS
BESU_XP2P_TLS_KEYSTORE_TYPE=JKS

Type of the keystore used for P2P TLS. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.

Xp2p-tls-truststore-file

--Xp2p-tls-truststore-file=<FILE>
--Xp2p-tls-truststore-file=/home/cert/truststore.jks
BESU_XP2P_TLS_TRUSTSTORE_FILE=/home/cert/truststore.jks

Truststore file containing the trusted certificates used for P2P TLS.

Xp2p-tls-truststore-password-file

--Xp2p-tls-truststore-password-file=<FILE>
--Xp2p-tls-truststore-password-file=/home/cert/password.txt
BESU_XP2P_TLS_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the truststore file.

Xp2p-tls-truststore-type

--Xp2p-tls-truststore-type=<TYPE>
--Xp2p-tls-truststore-type=JKS
BESU_XP2P_TLS_TRUSTSTORE_TYPE=JKS

Truststore type. Valid options are JKS, PKCS11, and PKCS12. The default is JKS.
