You are reading Quorum Key Manager development version documentation and some displayed features may not be available in the stable release.

Authenticate using TLS

You can authenticate incoming Quorum Key Manager (QKM) requests using mutual TLS authentication.

To use TLS mutual authentication, start QKM in SSL mode with the --https-enable, --https-server-cert, and --https-server-key command line options, and specify a TLS certificate authority (CA) certificate with the --auth-tls-ca option.

Starting Quorum Key Manager with TLS authentication

key-manager run --https-enable --https-server-cert=tls.crt --https-server-key=tls.key --auth-tls-ca=ca.crt --manifest-path=/config/default.yml

TLS certificate

The CA certificate must contain one or more CAs to validate client certificates presented to QKM.

If a client presents a valid certificate signed by one of the CAs, then the client is authenticated.

QKM extracts the following user information from the subject field of the client certificate:

  • Username and optional tenant from the common name (CN) (for example, /CN=tenant|user or /CN=user)
  • Roles from the certificate’s organization (O) (for example, /O=role1/O=role2)
  • Permissions from the certificate’s organization unit (OU) (for example, /OU=*:read/OU=secret:write)

You can use the openssl command line tool to generate a certificate signing request:

Example certificate signing request

openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=auth0|alice/O=admin/OU=sign:eth1Account"

Questions or feedback? You can discuss issues and obtain free support on Quorum Key Manager Discord channel.
For paid professional support by Consensys, contact us at [email protected].