This guide explains how to generate SSL certificates to run a Signum Node locally with HTTPS enabled.
Ensure you have openssl installed on your system. You can verify this by running the following command:
openssl version
If not installed, you can install it using your package manager (e.g., brew install openssl on macOS, sudo apt install openssl on Ubuntu).
- Generate a private key
Use the following command to generate a private RSA key:
openssl genpkey -algorithm RSA -out localhost.pem
- Generate a self-signed certificate
With the private key, create a self-signed certificate valid for 365 days:
openssl req -x509 -new -key localhost.pem -out localhost_chain.pem -days 365
You will be prompted to fill in some details like Country, State, and Common Name. For local development, you can use localhost as the Common Name (CN).
- Generate a keystore
Finally, create a PKCS#12 keystore that bundles the private key and certificate together:
openssl pkcs12 -export -inkey localhost.pem -in localhost_chain.pem -out localhost_keystore.p12 -name "localhost" -password pass:development
This creates a keystore named localhost_keystore.p12 protected with the password development.
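The three steps above as one non-interactive script, added here as an example (it is not code from the Signum project). It also sets a subjectAltName, because current browsers match the host name against that extension rather than the Common Name, and it checks the resulting keystore. The function names are hypothetical, and -addext assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example, not Signum project code; function names are hypothetical.
# Assumes OpenSSL 1.1.1 or newer (for -addext).

# make_dev_keystore DIR PASSWORD
# Steps 1-3 without prompts. The body is a subshell, so cd, umask and the
# exported password do not leak into the caller.
make_dev_keystore() (
  cd "$1" || exit 1
  umask 077                       # private key and keystore: owner-only
  KS_PASS="$2"; export KS_PASS    # read via env: so it stays out of argv
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out localhost.pem 2>/dev/null || exit 1
  # Browsers match the host name against subjectAltName, not the CN.
  openssl req -x509 -new -key localhost.pem -out localhost_chain.pem -days 365 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" || exit 1
  openssl pkcs12 -export -inkey localhost.pem -in localhost_chain.pem \
    -out localhost_keystore.p12 -name "localhost" -passout env:KS_PASS || exit 1
)

# check_dev_keystore DIR PASSWORD [MIN_DAYS]
# Succeeds only if the keystore opens with PASSWORD, its certificate stays
# valid for at least MIN_DAYS (default 30), and the SAN covers localhost.
check_dev_keystore() (
  KS_PASS="$2"; export KS_PASS
  min_secs=$(( ${3:-30} * 86400 ))
  cert=$(openssl pkcs12 -in "$1/localhost_keystore.p12" -nokeys \
           -passin env:KS_PASS 2>/dev/null) || exit 1
  printf '%s\n' "$cert" | openssl x509 -noout -checkend "$min_secs" >/dev/null || exit 1
  printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'DNS:localhost' || exit 1
)

# Usage: sh make_keystore.sh <dir> <password>
if [ "$#" -eq 2 ]; then
  make_dev_keystore "$1" "$2" && check_dev_keystore "$1" "$2" && echo "keystore OK"
fi
```

Running the check with a larger MIN_DAYS before a planned restart shows whether the 365-day certificate needs regenerating first.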
In your node.properties file, enable SSL for the API and point to the newly created keystore. Add or update the
following lines:
API.SSL=on
API.SSL_keyStorePath=./localhost_keystore.p12
API.SSL_keyStorePassword=development
- Restart the Signum Node to apply the changes.
- Your Signum Node should now be running locally with SSL enabled.
You can access it using https://localhost:<your_port> and/or wss://localhost:<your_port>/events with the port number
configured for your node.
Certbot is a tool used to automate the process of obtaining and renewing SSL certificates from Let's Encrypt or other Certificate Authorities. This guide explains how to use Certbot to generate SSL certificates for running a Signum Node locally.
- Certbot installation: Ensure Certbot is installed. You can check by running:
certbot --version
If it's not installed, follow the official installation guide for your system.
- Domain name: To use Certbot, you need a publicly accessible domain (Certbot won't work for pure localhost setups). If you are running a local node accessible from the internet (e.g., via a reverse proxy like Nginx), you'll need a registered domain name pointing to your local machine.
- Port forwarding (optional): If your node is not publicly accessible, you may need to set up port forwarding to allow Certbot to perform HTTP-01 or DNS-01 validation.
Run Certbot to obtain a certificate for your domain. Replace yourdomain.com with your actual domain name.
sudo certbot certonly --standalone -d yourdomain.com
Certbot will generate the necessary files, including the certificate (.crt) and private key (.key).
By default, these will be stored in /etc/letsencrypt/live/yourdomain.com/.
The Signum Node looks into the "letsencryptpath" and converts the certificate files it finds there into the necessary keystore file. No further action is necessary here.
In your node.properties file, enable SSL for the API and configure the path to the Certbot-generated keystore:
API.SSL=on
# the file name of your keystore file. Let's Encrypt Cert will be automatically converted and stored under this path.
API.SSL_keyStorePath=./keystore.p12
API.SSL_keyStorePassword=<your_password>
# your path of letsencrypt certs. The Node looks for "privkey.pem" and "fullchain.pem" files
API.SSL_letsencryptPath=/etc/letsencrypt/live/<yourdomain>.com
Certbot certificates expire every 90 days. You can automate the renewal process using Certbot's cron job feature.
The Signum Node reloads the certificate on startup and/or every 7 days while running.
- Set up a cron job to automatically renew certificates:
sudo crontab -e
- Add the following line to renew certificates automatically:
0 0 * * * certbot renew --quiet
- Restart your Signum Node after the certificate is created and the node.properties file is updated.
- Access the Signum Node using https://yourdomain.com:<your_port>.