Authenticate using TLS
You can authenticate incoming Quorum Key Manager (QKM) requests using mutual TLS authentication: QKM validates the client certificate presented during the TLS handshake and derives the caller's identity from its subject.
To use TLS mutual authentication, start QKM in HTTPS mode with the `--https-enable`, `--https-server-cert`, and `--https-server-key` command line options, and specify a TLS certificate authority (CA) certificate file with the `--auth-tls-ca` option:
Starting Quorum Key Manager with TLS authentication

```bash
key-manager run --https-enable --https-server-cert=tls.crt --https-server-key=tls.key --auth-tls-ca=ca.crt --manifest-path=/config/default.yml
```
The CA file must contain one or more CA certificates that QKM uses to validate the client certificates presented to it.
If a client presents a valid certificate signed by one of those CAs, the client is authenticated. Any certificate that chains to one of them is accepted, so use a CA dedicated to issuing QKM client certificates rather than a general-purpose or public one.
QKM extracts the following user information from the subject field of the client certificate (the values shown are those of the example CSR below):
- Username and optional tenant from the common name (CN) (for example, `auth0|alice`, where `auth0` is the tenant and `alice` the username).
- Roles from the certificate's organization (O) (for example, `admin`).
- Permissions from the certificate's organizational unit (OU) (for example, `sign:eth1Account`).
You can use the `openssl` command line tool to generate a certificate signing request (CSR) with a subject in this form. The private key file (`jbeda.pem` here) must already exist, and the resulting CSR must then be signed by one of the CAs in the file passed to `--auth-tls-ca`; QKM rejects certificates from any other issuer.

Example certificate signing request

```bash
openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=auth0|alice/O=admin/OU=sign:eth1Account"
```
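The following script is an added example and is not code from the QKM documentation or the QKM project. It builds a throwaway CA (standing in for the file passed to `--auth-tls-ca`), issues a client certificate whose subject carries a QKM identity, validates it the way QKM does (chain validation against the CA), shows a certificate from an untrusted CA being rejected, and then reads the CN, O and OU values back out of the accepted certificate. The CA names, the `WORK` scratch directory, and the `qkm_identity` helper are assumptions made for the example; in particular, splitting the CN on `|` with the tenant first is inferred from the docs' example CN `auth0|alice`, not from QKM's source. It requires only the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not part of the QKM documentation or project: create a CA,
# issue client certificates, and check them the way QKM's --auth-tls-ca does.
set -eu

# All keys and certificates go in a scratch directory (override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key and certificate, NAME.key / NAME.crt.
# NAME.crt is what you would pass to QKM as --auth-tls-ca.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# make_client NAME CA SUBJECT: key, CSR and CA-signed client certificate.
# SUBJECT uses the same /CN=.../O=.../OU=... form as the docs' CSR example.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_client NAME CA: succeed only if NAME.crt chains to CA.crt. This is the
# check QKM performs before it reads any identity out of the certificate.
verify_client() {
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# subject_field NAME FIELD: print every value of FIELD (CN, O or OU) found in
# the subject of NAME.crt, one per line, in certificate order.
subject_field() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^ *$2=//p"
}

# qkm_identity NAME: the identity QKM would derive from NAME.crt. Splitting the
# CN on '|' with the tenant first is an assumption taken from the docs' example
# CN "auth0|alice". O and OU may each appear several times in a subject, so
# roles and permissions are printed as space-separated lists.
qkm_identity() {
  cn=$(subject_field "$1" CN)
  case "$cn" in
    *"|"*) tenant=${cn%%"|"*}; username=${cn#*"|"} ;;
    *)     tenant=""; username=$cn ;;
  esac
  roles=$(subject_field "$1" O | tr '\n' ' ')
  perms=$(subject_field "$1" OU | tr '\n' ' ')
  printf 'tenant=%s username=%s roles=%s permissions=%s\n' \
    "$tenant" "$username" "${roles% }" "${perms% }"
}

# Demo: one CA QKM trusts, one it does not, and a client certificate from each.
demo() {
  make_ca trusted-ca
  make_ca rogue-ca
  make_client alice trusted-ca "/CN=auth0|alice/O=admin/OU=sign:eth1Account"
  make_client mallory rogue-ca "/CN=auth0|mallory/O=admin/OU=sign:eth1Account"
  for who in alice mallory; do
    if verify_client "$who" trusted-ca; then
      echo "$who: accepted, $(qkm_identity "$who")"
    else
      echo "$who: rejected, not signed by a CA listed in --auth-tls-ca"
    fi
  done
  # alice.crt / alice.key are what the client presents in the TLS handshake.
  echo "client certificate and key: $WORK/alice.crt $WORK/alice.key"
}

demo
```

Note that `mallory`'s subject is identical in shape to `alice`'s, with the same role and permission; the only reason the certificate is rejected is that it does not chain to the CA QKM was started with. That is the property the dedicated-CA advice above relies on.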