Skip to main content

Setup Private P12 Key

You are ready to setup your Node's wallet which will be done directly on our instance.


Log into your node

From your local system, log into your cloud instance's terminal as nodeadmin using your Apple terminal, Window's PuTTY, or your terminal application of choice.


You can remind yourself how to access your VPS here for Macintosh or Windows.

Update node

Bring our Node up to date

sudo apt -y update && sudo apt -y upgrade

You will be prompted for your nodeadmin password.


Your screen will not react and your password will not show as you type.
Reminder: [...] in the output command examples means that there is a bunch of output that has been redacted to eliminate confusion.

[sudo] password for nodeadmin:

Create Tessellation directory

Create a directory in your user's home directory to hold some Tessellation files.

cd ~
mkdir tessellation

Let's remind ourselves what our Node's external IP address is (copy it for later).

curl -s

It is NOT RECOMMENDED to use a p12 file that is already in use for other purposes. You should create a new clean p12. If you still insist, and you have an existing .p12 file, you can SFTP the file over to your Node.

Transfer existing P12

Place your existing .p12 file in your tessellation directory.


Create a new P12 private key


Do not use the same passphrases of existing Nodes on Constellation, or any other Nodes from other projects. This is dangerous and bad practice.

You need to store your passphrases securely.

If you lose your p12 credentials, there is nothing that can be done.

Click here to get an explanation of passphrases verses passwords.

Create passphrase

We now need to create our passphrase for our .p12 wallet on our Node.


Our passphrase should be at least 10 or more characters.

Contains more than 1 special characters
Contains more than 1 Capital letter
Contains more than 1 Lowercase letters
Contains more than 1 Numbers
Do not use quotes " in your passphrase. (Advanced users can escape quotes.)
Do not use special character $ in your passphrase. (Advanced users can attempt to escape.)
Do not use recognizable words

Do not use the same passphrase (or other details) in the example below ๐Ÿ‘‡! But, you can use something similar to the example below ๐Ÿ‘‡

Create environment variables

We need to create some environment variables that will be used during the lifetime of the node. We will create a bash script for this purpose, and give it the name cn-node. We will come back to this script to update it later on during our configuration process.

For ease of usage, we will use Linux Nano Editor for this process, if you are a more advanced user, you can use Vim, or any other editor of your choice.

sudo nano /usr/local/bin/cn-node

How to use the nano text editor is out of scope of this document; however, you can read up on how to create, edit and save a document at this link: How to Use Nano, the Linux Command Line Text Editor

You will need:

  • Your external IP address of your Node. (Marked down at the beginning steps above ๐Ÿ‘†)
  • You will create a name that you would like to call your p12 file.
  • You will create a passphrase you came up with using requirements above ๐Ÿ‘†.
  • You will create an alias that you would like to use against your .p12 file and the life of your Node. Your alias is public facing.
Developer Note

The Key passphrase CL_KEYPASS has been changed to CL_PASSWORD, for the .p12 creation process.


Do not use the same passphrase, alias, or p12 files name as in the examples here.

We have created our Node with the nodeadmin username. If you agreed and used the same, that is the only variable that should be kept the same as the examples below.

Environment variables chart

Node UsernamenodeadminIf you used this name for your user while you followed these instructions, that is perfect, no need to change this variable in the example below . You will use this in the path of CL_KEYSTORE variable line.
CL_EXTERNAL111.111.111.111Our Node's remote IP address
CL_KEYSTOREmyconstellation.p12This will be placed at the end of the path CL_KEYSTORE line in the file.
CL_KEYALIASmyConstellationAliasDo not use this example, come up with your own.
CL_EXTERNAL111.111.111.111Our Node's (remote) external IP address. We reminded ourselves about this early on this page... See above

MainNet 2.0 Dual Layer Requirements

CL_L0_PEER_HTTP_HOSTIP addressThis is recommended to be your Node's external IP address. Your Node will be participating on both Layer0 and Layer1. The Layer1 should link through your Layer0 connection. Your Node will be the most reliable Node to be UP at the time your attempt to join the Hypergraph.
CL_L0_PEER_IDabcde...abcdeThe Node ID of the Node you will be linking with on Layer0.
CL_L0_PEER_HTTP_PORT9000The public port of the Node you are linking to through Layer0.

Create bash shell script

Create a text file that will be saved as a bash shell script. When executed this will add some environment variables to your local environment where the script was run, these environment variables are ephemeral per user session.


This process may be deprecated in the near future; however, it is good to have in place for now.

You can use a text editor that comes standard with most flavors of Debian nano.

Change directories to /usr/local/bin

cd /usr/local/bin

We will be creating our cn-node file as super user (sudo)

Nano Quick Notes
  • sudo nano cn-cnode will start the program
  • use your keyboard arrows to navigate (not your mouse)
  • ctrl-o or command-o ( letter o ) will save the contents of the file
  • give the file a name (cn-node)
  • ctrl-x or command-x to exit the editor

Add the following to our cn-node text file

export CL_KEYALIAS="myConstellationAlias"
export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation.p12"
export CL_APP_ENV="testnet"
export CL_P2P_HTTP_PORT=9001

When your file looks mostly similar to the above ๐Ÿ‘†. You will use Nano Quick Notes above ๐Ÿ‘† to save the file out.

We want to make this file executable.

sudo chmod +x /usr/local/bin/cn-node

Run bash script

Run the bash script we just created by sourcing with the . so that it runs in our environment.


In this example we are connecting to testnet

. cn-node

Let's check that the environment variables were added to our current shell environment. Your results may not be the in the same order, this doesn't matter.

env | grep CL_



Create a temporary env variable


We do not want to have our p12 passphrase added to a static plain text file. Our p12 file is our private key file that stores valuable information. If the passphrase is exposed, you can have access to the MainNet, Metagraph, TestNet, etc. compromised, including access to wallets. This is a bad idea.

Instead, we will create a temporary environment variable prior to building our p12 file. The export we do below will only survive the current working session, and it will be lost after we log out.

export CL_PASSWORD="place_your_passphrase_here"

Please be sure to follow the passphrase guidelines above ๐Ÿ‘† and place your passphrase between the " (quotes).

Create your .P12 file

Change directories to our dedicated tessellation folder.

cd ~/tessellation

Generate your P12 private key


We will not use the sudo command here. This will create our p12 file with the ownership belonging to nodeadmin

java -jar /var/tessellation/cl-keytool.jar generate

Verify P12 file

Let's verify that we have a .p12 file.


The size and dates may not match, this doesn't matter.


The 2 l are the lower-case letter L not the number 1 (ls -l)

ls -l


-rw-rw-r-- 1 nodeadmin nodeadmin 1110 Oct 28 21:38 myconstellation.p12

Update permissions


Change the permissions of this file so only you can read and write to it.

chmod 600 ~/tessellation/myconstellation.p12
ls -l


-rw------- 1 nodeadmin nodeadmin 1110 Oct 28 21:38 myconstellation.p12

After a good amount of work and effort, we have our .p12 file!