Two Typical Setups of Fabric CA Server: using a Self-Generated Root CA or a given Intermediate CA

Introduction

Quick Introduction to Fabric CA Server

Overview

Possible Setups of Fabric CA Server

Three possible setups when using Fabric CA Server as CA

Chain of Certificates in Fabric CA Server

Chain of certificates: with zero or a number of ICAs, up to an RCA

Demonstration

1. Observing Test Network

cd test-network
./network.sh up -ca
docker exec -it ca_org1 bash
cd /etc/hyperledger/fabric-ca-server
ls -l
Inside ca_org1 container (Fabric CA Server)
Subject and issuer of the two certificates in ca_org1
All certificates are issued by Root CA
./network.sh up createChannel
./network.sh up deployCC
./network.sh down
sudo rm -r organizations/fabric-ca/ordererOrg/msp
sudo rm -r organizations/fabric-ca/org1/msp
sudo rm -r organizations/fabric-ca/org2/msp

2. Prepare Intermediate Certificate Authority (ICA) for Org1

cd /tmp
mkdir gen-ica
cd gen-ica
touch index.txt serialecho 1000 > serial
echo 1000 > crlnumber
openssl ecparam -name prime256v1 -genkey -noout -out rca.keyopenssl req -config ca.cnf -new -x509 -sha256 -extensions v3_ca -key rca.key -out rca.cert -days 3650 -subj "/C=US/ST=North Carolina/L=Durham/O=org1.example.com/CN=ca.org1.example.com"
openssl ecparam -name prime256v1 -genkey -noout -out ica.keyopenssl req -new -sha256 -key ica.key -out ica.csr -subj "/C=US/ST=North Carolina/L=Durham/O=org1.example.com/CN=ica.org1.example.com"openssl ca -batch -config ca.cnf -extensions v3_intermediate_ca -days 365 -notext -md sha256 -in ica.csr -out ica.cert
cat ica.cert rca.cert > chain.cert

3. Create a New Test Network with ICA for Org1

cd fabric-samples
cp -r test-network test-network-ica
cd test-network-ica
cp /tmp/gen-ca/ica.key organizations/fabric-ca/org1/
cp /tmp/gen-ca/ica.cert organizations/fabric-ca/org1/
cp /tmp/gen-ca/chain.cert organizations/fabric-ca/org1/
Original configuration in fabric-ca-server-config.yaml
Changing Fabric CA Server to use the ICA
Original script in registerEnroll.sh
Changing the reference to ICA
Original script in registerEnroll.sh
Changing the reference to ICA
cd test-network
./network.sh up -ca
docker exec -it ca_org1 bash
cd /etc/hyperledger/fabric-ca-server
ls -l
All certificates are issued by ICA
./network.sh up createChannel
./network.sh up deployCC
./network.sh down
sudo rm -r organizations/fabric-ca/ordererOrg/msp
sudo rm -r organizations/fabric-ca/org1/msp
sudo rm -r organizations/fabric-ca/org2/msp

Summary

Visit http://www.ledgertech.biz/kcarticles.html for all my works. Reach me on https://www.linkedin.com/in/ktam1/ or follow me @kctheservant in Twitter.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store