diff --git a/node/config.go b/node/config.go
index 75d9fbef0..60fd88129 100644
--- a/node/config.go
+++ b/node/config.go
@@ -77,6 +77,7 @@ type Config struct {
 	BLSRemoteSignerUrl string
 	BLSPublicKeyHex string
 	BLSKeyPassword string
+	BLSSignerTLSCertFilePath string
 	EthClientConfig geth.EthClientConfig
 	LoggerConfig common.LoggerConfig
@@ -149,11 +150,14 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 	// Decrypt BLS key
 	var privateBls string
 	if !testMode {
-		kp, err := bls.ReadPrivateKeyFromFile(ctx.GlobalString(flags.BlsKeyFileFlag.Name), "")
-		if err != nil {
-			return nil, fmt.Errorf("could not read or decrypt the BLS private key: %v", err)
+		// Don't read if remote signer is used
+		if ctx.GlobalString(flags.BLSRemoteSignerUrlFlag.Name) != "" && ctx.GlobalString(flags.BLSPublicKeyHexFlag.Name) != "" {
+			kp, err := bls.ReadPrivateKeyFromFile(ctx.GlobalString(flags.BlsKeyFileFlag.Name), ctx.GlobalString(flags.BlsKeyPasswordFlag.Name))
+			if err != nil {
+				return nil, fmt.Errorf("could not read or decrypt the BLS private key: %v", err)
+			}
+			privateBls = kp.PrivKey.String()
 		}
-		privateBls = kp.PrivKey.String()
 	} else {
 		privateBls = ctx.GlobalString(flags.TestPrivateBlsFlag.Name)
 	}
@@ -211,5 +215,6 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 		BLSRemoteSignerUrl: ctx.GlobalString(flags.BLSRemoteSignerUrlFlag.Name),
 		BLSPublicKeyHex: ctx.GlobalString(flags.BLSPublicKeyHexFlag.Name),
 		BLSKeyPassword: ctx.GlobalString(flags.BlsKeyPasswordFlag.Name),
+		BLSSignerTLSCertFilePath: ctx.GlobalString(flags.BLSSignerCertFileFlag.Name),
 	}, nil
 }
diff --git a/node/flags/flags.go b/node/flags/flags.go
index 9e2e49181..483a1de7e 100644
--- a/node/flags/flags.go
+++ b/node/flags/flags.go
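Review bot: The new condition in NewConfig reads the local BLS key file exactly when the remote signer URL and public key hex are both set, which is the opposite of the `// Don't read if remote signer is used` comment above it; combined with NewNode in node/node.go from this same commit, which chooses local signing whenever `config.PrivateBls != ""`, a remote-signer deployment ends up loading and using the local key file, while a plain local-key deployment skips the file and falls into the remote-signer branch with an empty URL. Invert the test: `if ctx.GlobalString(flags.BLSRemoteSignerUrlFlag.Name) == "" || ctx.GlobalString(flags.BLSPublicKeyHexFlag.Name) == "" {`. With that inversion a half-configured remote signer (URL without key hex, or the reverse) silently falls back to the local key file, so it may be worth returning an explicit error for that case instead. NewConfig starts and ends outside this hunk.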
@@ -286,6 +286,13 @@ var (
 		Required: false,
 		EnvVar: common.PrefixEnvVar(EnvVarPrefix, "BLS_PUBLIC_KEY_HEX"),
 	}
+
+	BLSSignerCertFileFlag = cli.StringFlag{
+		Name: common.PrefixFlag(FlagPrefix, "bls-signer-cert-file"),
+		Usage: "The path to the BLS signer certificate file",
+		Required: false,
+		EnvVar: common.PrefixEnvVar(EnvVarPrefix, "BLS_SIGNER_CERT_FILE"),
+	}
 )
 
 var requiredFlags = []cli.Flag{
@@ -330,6 +337,7 @@ var optionalFlags = []cli.Flag{
 	EnableGnarkBundleEncodingFlag,
 	BLSRemoteSignerUrlFlag,
 	BLSPublicKeyHexFlag,
+	BLSSignerCertFileFlag,
 }
 
 func init() {
diff --git a/node/node.go b/node/node.go
index a848a3a31..999c5e448 100644
--- a/node/node.go
+++ b/node/node.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"google.golang.org/grpc/credentials"
 	"io"
 	"math"
 	"math/big"
@@ -85,16 +86,8 @@ func NewNode(reg *prometheus.Registry, config *Config, pubIPProvider pubip.Provi
 	eigenMetrics := metrics.NewEigenMetrics(AppName, ":"+config.MetricsPort, reg, logger.With("component", "EigenMetrics"))
 	rpcCallsCollector := rpccalls.NewCollector(AppName, reg)
 
-	// Generate BLS keys
-	keyPair, err := core.MakeKeyPairFromString(config.PrivateBls)
-	if err != nil {
-		return nil, err
-	}
-
-	config.ID = keyPair.GetPubKeyG1().GetOperatorID()
-
 	// Make sure config folder exists.
-	err = os.MkdirAll(config.DbPath, os.ModePerm)
+	err := os.MkdirAll(config.DbPath, os.ModePerm)
 	if err != nil {
 		return nil, fmt.Errorf("could not create db directory at %s: %w", config.DbPath, err)
 	}
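Review bot: The usage text `"The path to the BLS signer certificate file"` does not say what the file is or what happens without it; node/node.go in this commit passes it to `credentials.NewClientTLSFromFile`, so it is the PEM root/CA certificate used to verify the remote signer's TLS endpoint, and when it is unset the connection is made with insecure credentials. Suggest `Usage: "Path to the PEM certificate (CA or self-signed server cert) used to verify the TLS connection to the BLS remote signer; when unset the connection is made without TLS",`. The flag name `BLSSignerCertFileFlag` and the config field `BLSSignerTLSCertFilePath` also diverge; naming the flag `BLSSignerTLSCertFileFlag` would keep the two aligned.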
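Review bot: `"google.golang.org/grpc/credentials"` is inserted between `"fmt"` and `"io"` inside the standard-library import group; goimports keeps third-party modules in a separate blank-line-separated group, so the next formatting pass will move it. Place it alongside the existing `grpc` and `insecure` imports, which presumably sit in a later group outside this hunk. The import block continues past the end of the hunk.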
@@ -168,14 +161,33 @@ func NewNode(reg *prometheus.Registry, config *Config, pubIPProvider pubip.Provi
 	"quorumIDs", fmt.Sprint(config.QuorumIDList), "registerNodeAtStart", config.RegisterNodeAtStart, "pubIPCheckInterval", config.PubIPCheckInterval, "eigenDAServiceManagerAddr", config.EigenDAServiceManagerAddr, "blockStaleMeasure", blockStaleMeasure, "storeDurationBlocks", storeDurationBlocks, "enableGnarkBundleEncoding", config.EnableGnarkBundleEncoding)
-	nodeLogger.Info("createing signer client", "url", config.BLSRemoteSignerUrl)
-	conn, err := grpc.NewClient(
-		config.BLSRemoteSignerUrl, grpc.WithTransportCredentials(insecure.NewCredentials()),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create new BLS remote signer client: %w", err)
+	var keyPair *core.KeyPair
+	var blsClient blssignerV1.SignerClient
+	if config.PrivateBls != "" {
+		// Generate BLS keys
+		keyPair, err = core.MakeKeyPairFromString(config.PrivateBls)
+		if err != nil {
+			return nil, err
+		}
+
+		config.ID = keyPair.GetPubKeyG1().GetOperatorID()
+	} else {
+		nodeLogger.Info("creating signer client", "url", config.BLSRemoteSignerUrl)
+		creds := insecure.NewCredentials()
+		if config.BLSSignerTLSCertFilePath != "" {
+			creds, err = credentials.NewClientTLSFromFile(config.BLSSignerTLSCertFilePath, "")
+			if err != nil {
+				return nil, err
+			}
+		}
+		conn, err := grpc.NewClient(
+			config.BLSRemoteSignerUrl, grpc.WithTransportCredentials(creds),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create new BLS remote signer client: %w", err)
+		}
+		blsClient = blssignerV1.NewSignerClient(conn)
 	}
-	blsClient := blssignerV1.NewSignerClient(conn)
 	return &Node{
 		Config: config,
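Review bot: The else branch dials the remote signer with `insecure.NewCredentials()` whenever `BLSSignerTLSCertFilePath` is empty and neither logs nor rejects that, so a remote signer holding the operator's signing key can be reached over plaintext without any operator-visible signal, and the branch is also entered whenever `config.PrivateBls` is empty even if `config.BLSRemoteSignerUrl` is empty too, in which case `grpc.NewClient` receives an empty target. Fail early when neither a key nor a signer URL is configured, and at least warn when the signer connection is not using TLS (rewritten lines below; the logger is assumed to expose a Warn level, otherwise use Info). The error from `NewClientTLSFromFile` is returned bare, unlike the wrapped `grpc.NewClient` error a few lines below it; wrapping it with the file path makes a misconfigured certificate path diagnosable. Separately, `config.ID` is now assigned only in the local-key branch, so unless NewConfig derives it from `BLSPublicKeyHex` (not visible here) the operator ID stays zero in remote-signer mode. NewNode starts and ends outside this hunk.
```go
	} else {
		if config.BLSRemoteSignerUrl == "" {
			return nil, errors.New("no BLS private key and no BLS remote signer url configured")
		}
		nodeLogger.Info("creating signer client", "url", config.BLSRemoteSignerUrl)
		creds := insecure.NewCredentials()
		if config.BLSSignerTLSCertFilePath != "" {
			creds, err = credentials.NewClientTLSFromFile(config.BLSSignerTLSCertFilePath, "")
			if err != nil {
				return nil, fmt.Errorf("loading BLS signer TLS certificate %q: %w", config.BLSSignerTLSCertFilePath, err)
			}
		} else {
			nodeLogger.Warn("BLS remote signer connection is not using TLS", "url", config.BLSRemoteSignerUrl)
		}
		// … unchanged: grpc.NewClient and blssignerV1.NewSignerClient …
```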
@@ -194,7 +206,7 @@ func NewNode(reg *prometheus.Registry, config *Config, pubIPProvider pubip.Provi
 	}, nil
 }
 
-// Starts the Node. If the node is not registered, register it on chain, otherwise just
+// Start starts the Node. If the node is not registered, register it on chain, otherwise just
 // update its socket on chain.
 func (n *Node) Start(ctx context.Context) error {
 	if n.Config.EnableMetrics {