Securing your gRPC connections
This section will help advanced users create and set up TLS certificates to allow for secure gRPC connections to their beacon nodes.
Pro-Tip
The only practical use for secure gRPC is connecting to a beacon node that is hosted remotely. For configurations in which the beacon node and validator reside on the same host system, these steps are neither required nor recommended.
A beacon node, by default, hosts a gRPC server on host 127.0.0.1 and port 4000, allowing any other process, such as a validator client, to establish an insecure connection on that port. The beacon node can also accept secure TLS connections if run with the --tls-cert=/path/to/cert.pem and --tls-key=/path/to/cert.key flags, ensuring all connections via gRPC are secured.
A validator client will, by default, attempt to connect to a beacon node over an insecure connection, but can use a secure TLS connection when given the --tls-cert=/path/to/cert.pem flag, pointing at either the server's PEM certificate or a ca.cert certificate authority file. Assuming a TLS certificate has already been set up with a trusted authority for your beacon node, use the commands below to launch the node and validator. Otherwise, review the following section on creating your own self-signed certificates.
To use secure gRPC with a beacon node:
./prysm.sh beacon-node --tls-cert=server.pem --tls-key=server.key
and to use secure gRPC with a validator:
./prysm.sh validator --tls-cert=server.pem
Alternatively, a ca.cert certificate authority file can be passed to the validator to attempt a connection without requiring the server's certificate itself:
./prysm.sh validator --tls-cert=ca.cert
This will generate an output like so:
[2020-06-15 17:09:13] INFO validator: Established secure gRPC connection
Generating self-signed TLS certificates
NOTICE: Creating a self-signed certificate is fine for simple TLS connections, though if the deployment will see public usage, it is always recommended to obtain valid certificates from a trusted certificate authority instead.
Install openssl for your operating system.
Create a root signing key:
openssl genrsa -out ca.key 4096
Create a self-signed root certificate:
openssl req -new -x509 -key ca.key -sha256 -subj "/C=US/ST=NJ/O=CA, Inc." -days 365 -out ca.cert
Create a private key for the beacon node:
openssl genrsa -out beacon.key 4096
Generate a signing CSR by first creating a certificate.conf configuration file containing the specifications. For reference, you can use something as follows with any of its fields customized to your needs:

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = NJ
O = Test, Inc.
CN = localhost

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = ::1
IP.2 = 127.0.0.1
Generate the signing CSR:
openssl req -new -key beacon.key -out beacon.csr -config certificate.conf
Generate a certificate for the beacon node:
openssl x509 -req -in beacon.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out beacon.pem -days 365 -sha256 -extfile certificate.conf -extensions req_ext
Verify your certificate is correct with openssl:
openssl x509 -in beacon.pem -text -noout
This will generate an output like so:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12510557889986420634 (0xad9e6e1dfe99df9a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NJ, O=CA, Inc.
        Validity
            Not Before: Jun 15 21:12:24 2020 GMT
            Not After : Jun 15 21:12:24 2021 GMT
        Subject: C=US, ST=NJ, O=Test, Inc., CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
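The check a validator relies on when it is given only ca.cert, shown as an added Go example using the standard library (this is not Prysm's code; BuildChain and VerifyForHost are names chosen here). It rebuilds the same root CA and beacon certificate in memory, then verifies the beacon certificate against the CA for the host being dialed. A host that is not among the subjectAltName entries fails, which is why certificate.conf lists localhost, ::1 and 127.0.0.1.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// BuildChain redoes the openssl steps above with crypto/x509: a self-signed root (ca.cert)
// and a beacon-node certificate it signs, carrying the SANs of certificate.conf. 2048-bit keys only keep it fast.
func BuildChain() (ca, beacon *x509.Certificate, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	beaconKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		Subject:      pkix.Name{Country: []string{"US"}, Province: []string{"NJ"}, Organization: []string{"CA, Inc."}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // parsed form carries the CA's public key and key id
	beaconTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		Subject:      pkix.Name{Organization: []string{"Test, Inc."}, CommonName: "localhost"},
		DNSNames:     []string{"localhost"},                                 // DNS.1
		IPAddresses:  []net.IP{net.ParseIP("::1"), net.ParseIP("127.0.0.1")}, // IP.1, IP.2
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	beaconDER, err := x509.CreateCertificate(rand.Reader, beaconTmpl, ca, &beaconKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	beacon, err = x509.ParseCertificate(beaconDER)
	return ca, beacon, err
}

// VerifyForHost is what a client holding only ca.cert must establish when it dials host:
// the beacon certificate chains to the CA and host matches a SAN (IP literals against IP.n, names against DNS.n).
func VerifyForHost(ca, beacon *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := beacon.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Dialing the node by a name or address that is not in alt_names (for example a LAN IP of a remote host) is the most common reason a validator fails to establish the secure connection, and the fix is to add that entry to certificate.conf and reissue the certificate.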
Using the new certificates
Use the certificates to launch the beacon node:
./prysm.sh beacon-node --tls-cert=beacon.pem --tls-key=beacon.key
And to launch a validator:
./prysm.sh validator --tls-cert=ca.cert
This will generate an output like so:
[2020-06-15 17:09:13] INFO validator: Established secure gRPC connection