
Setting Up Web3Signer

  1. Download and unpack the Web3Signer package.
wget https://artifacts.consensys.net/public/web3signer/raw/names/web3signer.tar.gz/versions/latest/web3signer.tar.gz
tar -xvzf web3signer.tar.gz
  2. Put the web3signer command on your PATH. The archive unpacks into a versioned directory; the lines below assume web3signer-25.2.0 under /home, so adjust the path to wherever you extracted it and add the line to whichever shell startup file you actually use.
echo 'export PATH=$PATH:/home/web3signer-25.2.0/bin' >> ~/.bashrc
source ~/.bashrc
echo 'export PATH=$PATH:/home/web3signer-25.2.0/bin' >> ~/.zshrc
source ~/.zshrc
  3. Clone or copy the validator keystores (the keystore JSON files and their password files) into the directories the start command below points at (keystore/keys and keystore/secrets).

  4. Create the TLS certificates and the other files Web3Signer needs.

  • Generate the Web3Signer server keystore. The SAN must list the DNS name and IP address the sidecar will dial; for a test behind ngrok, use the ngrok hostname. Two caveats for anything beyond a throwaway test: -validity 109500 days is roughly 300 years, far longer than any production certificate should live, and -storepass on the command line leaves the password in your shell history.
keytool -genkeypair -keystore web3signer_keystore.p12 -storetype PKCS12 -storepass changeit -alias web3signer -keyalg RSA -keysize 2048 -validity 109500 -dname "CN=domain.example.com, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" -ext san=dns:domain.example.com,ip:YOUR_IP_ADDRESS
  • Create a plain text file (for example web3signer_keystore_password.txt) containing the password used to create the keystore (changeit in this case). Web3Signer reads it at startup, so keep it readable only by the user that runs web3signer (mode 0600).
sudo nano web3signer_keystore_password.txt
  • Export the Web3Signer public certificate from the keystore in PEM format. This is the certificate the sidecar has to trust when it verifies the server.
keytool -exportcert -keystore ./web3signer_keystore.p12 -alias web3signer -rfc -file web3signer.pem
  • Import the public certificate into a truststore for clients that use a Java truststore, and answer yes when asked whether to trust the certificate.
keytool -importcert -storetype PKCS12 -keystore web3signer_truststore.p12 -alias web3signer -trustcacerts -storepass changeit -file ./web3signer.pem
  • Create a plain text file (for example truststore_pass.txt) containing the password used to create the truststore (changeit in this case).
sudo nano truststore_pass.txt
  • Generate a new private key for the client (sidecar) side.
openssl genpkey -algorithm RSA -out private.key
  • Create a certificate signing request (CSR). request.csr is not used by any later step; the CSR that actually gets signed is w3s.csr, created in the next section.
openssl req -new -key private.key -out request.csr
  • Bundle the server certificate and the new private key into one PEM file. Note that web3signer.pem belongs to the key pair inside web3signer_keystore.p12, not to private.key, so combined.pem is not a matching certificate/key pair; the only thing the later openssl req step takes from it is the private key.
cat web3signer.pem private.key > combined.pem
  5. Start the web3signer server. WEB3SIGNER_PATH is the directory you extracted the package into.
web3signer --http-listen-host 0.0.0.0 --http-host-allowlist '*' --tls-allow-any-client true --tls-keystore-file $WEB3SIGNER_PATH/web3signer_keystore.p12 --tls-keystore-password-file $WEB3SIGNER_PATH/web3signer_keystore_password.txt eth2 --network mainnet --keystores-path $WEB3SIGNER_PATH/keystore/keys --keystores-passwords-path $WEB3SIGNER_PATH/keystore/secrets --slashing-protection-enabled false --commit-boost-api-enabled true --proxy-keystores-path $WEB3SIGNER_PATH/keystore/keys --proxy-keystores-password-file $WEB3SIGNER_PATH/keystore/secrets
  Three of these flags are test-only settings and should be changed before the signer holds real validator keys. --tls-allow-any-client true makes the server accept any client certificate, so TLS encrypts the connection but does not authenticate the sidecar; use --tls-known-clients-file with the sidecar certificate's common name and SHA-256 fingerprint instead. --http-host-allowlist '*' disables Host header checking on the REST API. --slashing-protection-enabled false means nothing in the signer stops it from signing a conflicting block or attestation, which on mainnet is a slashable offence.

Connecting the sidecar to the Web3Signer server.

  1. Create the certificate files.
  • Create san.cnf. The subjectAltName must contain the IP address (or DNS name) the sidecar will connect to, because TLS clients match the SAN, not the CN. keyUsage must include digitalSignature: keyEncipherment only covers RSA key exchange, and ECDHE cipher suites and TLS 1.3 need the certificate key to sign the handshake.
	[req]
	default_bits = 4096
	prompt = no
	default_md = sha256
	distinguished_name = dn
	req_extensions = req_ext

	[dn]
	CN = domain.example.com

	[req_ext]
	subjectAltName = IP:YOUR_IP_ADDRESS
	keyUsage = digitalSignature, keyEncipherment, dataEncipherment
	extendedKeyUsage = serverAuth
  • Create the CSR. openssl req reads only the private key block from combined.pem (the key generated as private.key above), so w3s.csr is a request for that key.
openssl req -new -key combined.pem -out w3s.csr -config san.cnf
  • Generate the CA key.
openssl genpkey -algorithm RSA -out w3s.key -pkeyopt rsa_keygen_bits:4096
  • Create a self-signed CA certificate from that key.
openssl req -x509 -new -nodes -key w3s.key -sha256 -days 3650 -out my_ca.crt -subj "/CN=domain.example.com"
  • Sign the CSR with the CA. The -extensions/-extfile options carry the SAN and key usage from san.cnf into the certificate; openssl x509 -req does not copy them from the CSR by default.
openssl x509 -req -in w3s.csr -CA my_ca.crt -CAkey w3s.key -CAcreateserial -out w3s.crt -days 3650 -extensions req_ext -extfile san.cnf
  • Check the certificate: the Issuer should be the CA's CN, the X509v3 Subject Alternative Name should show your IP, and the Extended Key Usage should read TLS Web Server Authentication.
openssl x509 -in w3s.crt -noout -text
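The server keystore steps in the setup section and the certificate steps in this section each produce part of the TLS material, with keytool on one side and openssl on the other, and nothing on the page verifies that the pieces fit together. The script below is an added example, not code from the page or from the Web3Signer project: it generates the whole set with openssl alone (a private CA, a server certificate with SAN, a client certificate for the sidecar bundled with its own key, the PKCS12 keystore and password file for --tls-keystore-file, and a known-clients file for --tls-known-clients-file) and then runs the checks worth doing before starting web3signer. The file names, the CA name web3signer-test-ca and the client common name kartos-sidecar are this example's assumptions, and the PKCS12 it writes uses OpenSSL's current default encoding, which the Java runtimes recent Web3Signer releases run on can read.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the Web3Signer project): build the TLS material for a
# web3signer + sidecar pair with openssl only, then check it the way a practitioner would.
# File names, the CA name and the client CN "kartos-sidecar" are this example's assumptions.
set -eu

# make_tls_material DIR HOST IP: private CA, server cert with SAN, client cert, PKCS12 keystore.
# The body is a subshell so the cd and umask do not leak into the caller.
make_tls_material() (
  dir=$1 host=$2 ip=$3
  mkdir -p "$dir" && cd "$dir"
  umask 077   # every key, keystore and password file is created owner read/write only

  # 1. Private CA. CA:TRUE and keyCertSign are set explicitly so verifiers accept it as an issuer.
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = web3signer-test-ca\n' > ca.cnf
  printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> ca.cnf
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out ca.key
  openssl req -x509 -new -key ca.key -sha256 -days 3650 -config ca.cnf -extensions ca_ext -out ca.crt

  # 2. Server certificate for web3signer. The SAN carries the name and IP the sidecar dials;
  #    digitalSignature is needed for ECDHE and TLS 1.3, keyEncipherment only covers RSA key exchange.
  cat > server.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = $host
[req_ext]
subjectAltName = DNS:$host, IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
  openssl req -new -key server.key -config server.cnf -out server.csr
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 \
    -extfile server.cnf -extensions req_ext -out server.crt

  # 3. Client certificate for the sidecar (clientAuth), bundled with its own key as one PEM.
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = kartos-sidecar\n' > client.cnf
  printf '[client_ext]\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' >> client.cnf
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key
  openssl req -new -key client.key -config client.cnf -out client.csr
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 \
    -extfile client.cnf -extensions client_ext -out client.crt
  cat client.crt client.key > client_combined.pem

  # 4. PKCS12 keystore for --tls-keystore-file. The random password goes straight into the file
  #    that --tls-keystore-password-file reads, so it never appears on a command line.
  head -c 24 /dev/urandom | base64 > keystore_password.txt
  openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt -name web3signer \
    -passout file:keystore_password.txt -out web3signer_keystore.p12

  # 5. Known-clients file for --tls-known-clients-file ("<CN> <SHA-256 fingerprint>" per client),
  #    the replacement for --tls-allow-any-client true.
  fp=$(openssl x509 -in client.crt -noout -fingerprint -sha256 | cut -d= -f2)
  printf 'kartos-sidecar %s\n' "$fp" > known_clients.txt
)

# check_tls_material DIR HOST: returns non-zero if anything web3signer or the sidecar would trip on.
check_tls_material() (
  dir=$1 host=$2
  cd "$dir"
  # Both leaf certificates chain to the CA the other side will be given.
  openssl verify -CAfile ca.crt server.crt client.crt > /dev/null || return 1
  # Each private key really belongs to its certificate. A bundle built from an unrelated key and
  # certificate (as with "cat web3signer.pem private.key") fails exactly this comparison.
  [ "$(openssl x509 -in server.crt -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ] || return 1
  [ "$(openssl x509 -in client.crt -noout -pubkey)" = "$(openssl pkey -in client.key -pubout)" ] || return 1
  # The SAN contains the host the sidecar dials (TLS clients match the SAN, not the CN) and the
  # certificate is marked for server authentication.
  openssl x509 -in server.crt -noout -text > server.txt
  grep -q "DNS:$host" server.txt || return 1
  grep -q "TLS Web Server Authentication" server.txt || return 1
  # The keystore opens with the password file web3signer will read at startup.
  openssl pkcs12 -in web3signer_keystore.p12 -passin file:keystore_password.txt -nokeys -noout || return 1
  # Secrets are not readable by other users on the host.
  for f in keystore_password.txt server.key client_combined.pem; do
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
  done
)

# Usage: ./tls_material.sh /opt/web3signer/tls domain.example.com 203.0.113.10
if [ "${1-}" ]; then
  make_tls_material "$1" "$2" "$3" && check_tls_material "$1" "$2" && echo "TLS material OK in $1"
fi
```

With the output directory in place, point --tls-keystore-file and --tls-keystore-password-file at web3signer_keystore.p12 and keystore_password.txt, --tls-known-clients-file at known_clients.txt in place of --tls-allow-any-client true, CA_CERT_PATH at ca.crt and CLIENT_COMBINED_PEM_PATH at client_combined.pem. Once web3signer is running, `curl --cacert ca.crt --cert client_combined.pem https://domain.example.com:9000/upcheck` exercises the same handshake the sidecar will make (9000 is Web3Signer's default listen port) and should print OK.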

Now you can run the sidecar after setting the Web3Signer URL, the CA certificate path and the client PEM path. CA_CERT_PATH is what the sidecar verifies the server against, so for the handshake to succeed it must point at the certificate web3signer actually presents (web3signer.pem, exported from web3signer_keystore.p12 above) or at a CA that issued it. CLIENT_COMBINED_PEM_PATH is a single PEM holding the client certificate and its matching private key; w3s.crt was issued for the CSR made from private.key, so those two belong together. For example:

WEB3SIGNER_URL=https://623a-2a01-4ff-f0-4039-00-1.ngrok-free.app
CA_CERT_PATH=/root/kartos/web3signer-25.2.0/crt/w3s.crt
CLIENT_COMBINED_PEM_PATH=/root/kartos/web3signer-25.2.0/crt/my_cert.pem