You brought out something really interesting.
As you may have noticed, both registerUser.js are taken from Fabcar. Fabcar has been updated after 1.4.2. Therefore let’s refer to the
You are right that the enrollment in registerUser.js is done using the gateway, which goes through the admin (registrar). There is another way to get enrollment without admin (registrar) involvement.
Take a look at enrollAdmin.js. Inside, you can see that the const ca is obtained from static information in the connection profile (CA URL, CA TLS certs and CA name). Then you can call ca.enroll directly with the enrollmentID (e.g. user2) and the secret obtained.
The secret is still obtained from the registrar. (That makes sense, as the registrar needs to register user2 first.) After the registrar receives the secret, the secret is sent to user2 (by email). Then user2 can use ca.enroll directly to obtain the certificate as well as the signing (private) key. This doesn’t require involvement from the registrar, so the privacy is maintained.
I just tried it and it works fine. I guess the way in registerUser.js is just for demo purposes. In fact user2 can get his own certificate and privacy by direct enrollment, without the registrar's help.
That’s my first finding. I will do some more tests and see whether I can come up with a more realistic flow.
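A sketch of the direct enrollment described in the reply above, added here as an illustration and not taken from the Fabcar sample or from the author. The names `caFromProfile`, `enrollSelf` and `stubCa`, the MSP ID and the secret value are assumptions; the stub stands in for a real CA so the flow can be followed offline.

```javascript
'use strict';

// Build the CA client from static connection-profile data only (CA URL, TLS CA
// cert, CA name), as enrollAdmin.js does. No gateway or admin identity is used.
function caFromProfile(ccp, caKey) {
  const caInfo = (ccp.certificateAuthorities || {})[caKey];
  if (!caInfo) throw new Error(`no CA "${caKey}" in connection profile`);
  // Loaded lazily so the rest of this file runs without the Fabric SDK installed.
  const FabricCAServices = require('fabric-ca-client');
  // verify: true makes the client check the CA's TLS certificate against trustedRoots.
  const tls = { trustedRoots: caInfo.tlsCACerts.pem, verify: true };
  return new FabricCAServices(caInfo.url, tls, caInfo.caName);
}

// Runs on user2's machine with the secret received from the registrar.
// ca.enroll() generates the key pair locally and sends only a CSR to the CA.
async function enrollSelf(ca, { enrollmentID, enrollmentSecret, mspId }) {
  if (!enrollmentID || !enrollmentSecret || !mspId) {
    throw new Error('enrollmentID, enrollmentSecret and mspId are required');
  }
  const enrollment = await ca.enroll({ enrollmentID, enrollmentSecret });
  if (!enrollment || !enrollment.certificate || !enrollment.key) {
    throw new Error('CA returned an incomplete enrollment');
  }
  // X.509 identity in the shape fabric-network 2.x wallets store; with the 1.4
  // SDK pass the same three values to X509WalletMixin.createIdentity().
  return {
    type: 'X.509',
    mspId,
    credentials: {
      certificate: enrollment.certificate,
      privateKey: enrollment.key.toBytes(),
    },
  };
}

// Constructed stand-in for the CA so the flow can be exercised offline.
// It accepts exactly one enrollmentID/secret pair and returns dummy PEM text.
const stubCa = {
  async enroll({ enrollmentID, enrollmentSecret }) {
    if (enrollmentID !== 'user2' || enrollmentSecret !== 'constructed-secret') {
      throw new Error('authentication failure');
    }
    return {
      certificate: '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n',
      key: { toBytes: () => '-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n' },
    };
  },
};
```

Against a real network, user2 would call `enrollSelf(caFromProfile(ccp, caKey), {...})` with the organization's connection profile and store the returned identity in a local wallet, so the private key exists only on user2's side.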