Two Typical Setups of Fabric CA Server: using a Self-Generated Root CA or a given Intermediate CA

Introduction

Fabric CA Server provides flexibility when bringing up a Certificate Authority (CA). For testing or a small setup, we can let the Fabric CA Server generate the CA material by itself. In real life we are more likely to be given an Intermediate CA (ICA) by an existing enterprise CA, which is the Root CA and the source of trust. In this case we use the given ICA to issue certificates to the entities of our organization in the fabric network.

Quick Introduction to Fabric CA Server

Overview

Fabric CA Server is the CA software provided by Hyperledger Fabric. It is important to distinguish a CA from a CA software or tool.

  • a certificate (CA Cert), which is made public. Inside the CA Cert there is the CA’s subject, public key and a signature.

Possible Setups of Fabric CA Server

When we bring up a Fabric CA Server, there are several possible setups.

Three possible setups when using Fabric CA Server as CA

Chain of Certificates in Fabric CA Server

Chains of certificates (setups B and C in the diagram above) are shown in the diagram below, with zero or more ICAs. Note that both the RCA and the ICA are CAs, each able to issue certificates. Our trust always leads back to a Root CA, and using an ICA does not reduce the level of trust. For example, at the top of the diagram we trust the issued certificates because they are issued by a Root CA. For the others, where ICAs are in the picture, we accept the certificates issued by the ICA because we can trace the ICA back to a Root CA. We cannot say which setup is better than the others, as in most cases the setup depends on the real business situation.

Chain of certificates: with zero or a number of ICAs, up to an RCA

Demonstration

1. Observing Test Network

The script network.sh provided in Test Network comes with an option -ca, which generates crypto material using Fabric CA Server (the other option is cryptogen, which is standard but less flexible). When this option is selected, three Fabric CA Servers, one for each organization, are brought up. All crypto material for the whole network is generated directly in these Fabric CA Servers. In the original script design, each Fabric CA Server generates its own Root CA (setup A in the diagram shown above), which means that the CA certificate is a self-signed certificate (subject = issuer). We will make observations on the CA for Org1 and on all the material issued by this CA.

cd test-network
./network.sh up -ca
docker exec -it ca_org1 bash
cd /etc/hyperledger/fabric-ca-server
ls -l

Inside ca_org1 container (Fabric CA Server)

Subject and issuer of the two certificates in ca_org1

All certificates are issued by Root CA

./network.sh up createChannel
./network.sh up deployCC
./network.sh down
sudo rm -r organizations/fabric-ca/ordererOrg/msp
sudo rm -r organizations/fabric-ca/org1/msp
sudo rm -r organizations/fabric-ca/org2/msp

2. Prepare Intermediate Certificate Authority (ICA) for Org1

In the previous setup (original Test Network), an RCA is generated in Fabric CA Server, and it issues certificates to the organization entities.

cd /tmp
mkdir gen-ica
cd gen-ica
touch index.txt serial
echo 1000 > serial
echo 1000 > crlnumber

  1. generate a self-signed certificate from the private key based on the configuration.

openssl ecparam -name prime256v1 -genkey -noout -out rca.key
openssl req -config ca.cnf -new -x509 -sha256 -extensions v3_ca -key rca.key -out rca.cert -days 3650 -subj "/C=US/ST=North Carolina/L=Durham/O=org1.example.com/CN=ca.org1.example.com"

  1. generate a CSR based on this ICA with proper information
  2. RCA issues certificate to ICA based on the CSR

openssl ecparam -name prime256v1 -genkey -noout -out ica.key
openssl req -new -sha256 -key ica.key -out ica.csr -subj "/C=US/ST=North Carolina/L=Durham/O=org1.example.com/CN=ica.org1.example.com"
openssl ca -batch -config ca.cnf -extensions v3_intermediate_ca -days 365 -notext -md sha256 -in ica.csr -out ica.cert
cat ica.cert rca.cert > chain.cert

  • ICA certificate: ica.cert
  • Chain of certificate: chain.cert
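As an added example (not code from the original article), the same chain built with Go's crypto/x509 so the trust relationship can be checked programmatically: a self-signed RCA, an ICA issued by it, and a peer certificate issued by the ICA, plus a verifier that only succeeds when the ICA is supplied as an intermediate, which is why chain.cert (and intermediatecerts in the MSP) matters. The names ca.org1.example.com and ica.org1.example.com are taken from the openssl commands above; peer0.org1.example.com is an assumed entity name, and the nanosecond serial number is a stand-in for the serial counter file.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a P-256 certificate (the curve of "openssl ecparam -name prime256v1") for cn; parent == nil gives a self-signed RCA, otherwise parent/pkey sign it (an ICA, or an entity certificate issued by the ICA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // stands in for the "serial" counter file (assumption)
		Subject:               pkix.Name{Organization: []string{"org1.example.com"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // emits basicConstraints CA:TRUE/FALSE, as v3_ca / v3_intermediate_ca do
		IsCA:                  isCA,
	}
	if isCA { // a CA certificate must be allowed to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed: subject == issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func BuildChain() (rca, ica, peer *x509.Certificate) { // the article's setup B for Org1: RCA -> ICA -> peer (peer name assumed)
	rca, rkey := mkCert("ca.org1.example.com", true, nil, nil)
	ica, ikey := mkCert("ica.org1.example.com", true, rca, rkey)
	peer, _ = mkCert("peer0.org1.example.com", false, ica, ikey)
	return rca, ica, peer
}
// Verify validates leaf against the trusted root with inters (what chain.cert / intermediatecerts carry) available; with none, a certificate issued by the ICA cannot be traced back to the RCA.
func Verify(leaf, root *x509.Certificate, inters ...*x509.Certificate) ([][]*x509.Certificate, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	rp.AddCert(root)
	for _, c := range inters {
		ip.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip})
}
```

Verify(peer, rca, ica) returns one chain of three certificates (peer, ICA, RCA), while Verify(peer, rca) without the intermediate fails with an unknown-authority error, the same failure a peer would see if it were given only the RCA certificate.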

3. Create a New Test Network with ICA for Org1

To reuse the Test Network setup and scripts as much as possible, we simply copy the whole Test Network into another directory, test-network-ica/. We then modify some parts of the configuration in order to use the ICA for Org1.

cd fabric-samples
cp -r test-network test-network-ica
cd test-network-ica
cp /tmp/gen-ica/ica.key organizations/fabric-ca/org1/
cp /tmp/gen-ica/ica.cert organizations/fabric-ca/org1/
cp /tmp/gen-ica/chain.cert organizations/fabric-ca/org1/
Original configuration in fabric-ca-server-config.yaml
Changing Fabric CA Server to use the ICA
  • tlscacerts/tlsintermediatecerts/
Original script in registerEnroll.sh
Changing the reference to ICA
Original script in registerEnroll.sh
Changing the reference to ICA
cd test-network-ica
./network.sh up -ca
docker exec -it ca_org1 bash
cd /etc/hyperledger/fabric-ca-server
ls -l

All certificates are issued by ICA

./network.sh up createChannel
./network.sh up deployCC
./network.sh down
sudo rm -r organizations/fabric-ca/ordererOrg/msp
sudo rm -r organizations/fabric-ca/org1/msp
sudo rm -r organizations/fabric-ca/org2/msp

Summary

In this article we observed two different setups of Fabric CA Server: one using an RCA self-generated by the Fabric CA Server (the original Test Network setup), and one using an ICA generated outside, with the Fabric CA Server issuing certificates from this ICA (our modified Test Network setup). The former is good for tests or very small setups, while the latter is more realistic, as enterprises may have their own CA infrastructure and give us an ICA for our fabric network.

Visit http://www.ledgertech.biz/kcarticles.html for all my works. Reach me on https://www.linkedin.com/in/ktam1/ or follow me @kctheservant in Twitter.
