Fabric CA is the certificate authority (CA) component of Hyperledger Fabric.
The features it provides are:
- Identity registration, or connecting to LDAP as the user registry
- Issuance of enrollment certificates (ECerts)
- Renewal and revocation of certificates
Hyperledger Fabric CA consists of a server and a client component, as described later in this document.
1. An overview
The following diagram illustrates how the Fabric CA Server fits into the Fabric architecture.
There are two ways to interact with the Fabric CA Server: the Fabric CA Client and the Fabric SDK. Both talk to the server's REST API; its Swagger description lives in the fabric-ca repository at swagger/swagger-fabric-ca.json.
All Fabric CA servers in a cluster share the same database to track identities and certificates. If LDAP is enabled, identity information is kept in LDAP rather than in the database.
A server may host multiple CAs, each of which is either a root CA or an intermediate CA. Each intermediate CA has a parent CA, which is itself either a root CA or an intermediate CA.
A Fabric CA Server is started locally with:
```bash
fabric-ca-server start -b admin:adminpw
```
Fabric CA provides three ways to configure the Fabric CA server and client. In order of precedence, highest first:
- 1. Command line options
- 2. Environment variables
- 3. Configuration file
In the rest of this document we refer to changing configuration files. Keep in mind that any configuration file setting can be overridden by the corresponding environment variable or CLI flag.
Fabric CA Server
You can initialize the Fabric CA server before starting it. This generates default configuration files that you can review and customize before the server starts.
The Fabric CA Server home directory is determined as follows:
- If the --home command line option is set, use its value
- Otherwise, if the FABRIC_CA_SERVER_HOME environment variable is set, use its value
- Otherwise, if the FABRIC_CA_HOME environment variable is set, use its value
- Otherwise, if the CA_CFG_PATH environment variable is set, use its value
- Otherwise, use the current working directory
For the rest of this server section, we assume that you have set FABRIC_CA_HOME to $HOME/fabric-ca/server.
The following instructions assume that the server configuration file exists in the server’s home directory.
Initializing the server
```bash
fabric-ca-server init -b admin:adminpw
```
Initializing or starting the Fabric CA Server requires at least one bootstrap identity, supplied with -b <id>:<secret>. This identity becomes the server administrator. Treat its secret like any other administrator password: the example values used here are for local testing only.
The server configuration file contains a Certificate Signing Request (CSR) section that can be customized. Here is an example CSR section:
```yaml
csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - host1.example.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1
```
All of the fields above describe the X.509 CA certificate and key pair that fabric-ca-server init generates; they end up in the files named by the ca.certfile and ca.keyfile settings of the server configuration file. The fields are:
- CN is the common name
- O is the organization name
- OU is the organizational unit
- L is the locality or city
- ST is the state or province
- C is the country
If you need custom CSR values, edit the configuration file, delete the files referenced by ca.certfile and ca.keyfile, and run fabric-ca-server init -b admin:adminpw again.
The fabric-ca-server init command generates a self-signed CA certificate unless you specify the -u <parent-fabric-ca-server-url> option. If you specify -u, the CA certificate is signed by the parent Fabric CA Server, which makes this server an intermediate CA. To authenticate to the parent server, the URL must have the form
<scheme>://<enrollmentID>:<secret>@<host>:<port>
where <enrollmentID> and <secret> correspond to an identity on the parent server whose hf.IntermediateCA attribute is set to true. The fabric-ca-server init command also generates a default configuration file named fabric-ca-server-config.yaml in the server home directory.
If you want the Fabric CA Server to use a CA certificate and key that you provide, place the files at the locations referenced by ca.certfile and ca.keyfile. Both files must be PEM encoded, and the key must not be encrypted. More specifically, the CA certificate file must start with -----BEGIN CERTIFICATE-----, and the key file must start with -----BEGIN PRIVATE KEY-----, not -----BEGIN ENCRYPTED PRIVATE KEY-----.
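The following pre-flight check, written for this page and not part of Fabric CA, verifies the file-format requirements just described before you point ca.certfile and ca.keyfile at externally issued material: PEM blocks with matching BEGIN/END labels, CERTIFICATE blocks (a chain is fine) in the cert file, and a single private key block that is neither a PKCS#8 ENCRYPTED PRIVATE KEY nor a legacy OpenSSL key with a Proc-Type: 4,ENCRYPTED header. The acceptance of the legacy EC PRIVATE KEY and RSA PRIVATE KEY labels alongside PRIVATE KEY is an assumption of this example; the sample PEM bodies are constructed from a five-byte DER stub and are not real certificates or keys.

```python
"""Pre-flight check for the files named by ca.certfile and ca.keyfile.

Added example, not part of Fabric CA. It checks only what the text above
requires: PEM encoding, a CERTIFICATE label for the cert file (a chain of
several CERTIFICATE blocks is allowed), and a private key that is not
encrypted. It does not parse X.509 contents or verify signatures.
"""
import base64
import binascii
import re

# One PEM block; BEGIN and END labels must match. Legacy OpenSSL keys may carry
# RFC 1421 headers (Proc-Type, DEK-Info) between BEGIN and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Assumption of this example: besides the PKCS#8 "PRIVATE KEY" label named in
# the text, the legacy algorithm-specific labels count as unencrypted keys.
UNENCRYPTED_KEY_LABELS = {"PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, headers, der)] for every PEM block; der is None if the
    base64 body does not decode cleanly."""
    blocks = []
    for label, inner in PEM_BLOCK.findall(text):
        headers, body = {}, []
        for line in (l.strip() for l in inner.strip().splitlines()):
            if not line:
                continue
            if ":" in line and not body:  # header line, e.g. Proc-Type: 4,ENCRYPTED
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
            else:
                body.append(line)
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            der = None
        blocks.append((label, headers, der))
    return blocks


def _der_looks_sane(der):
    # A certificate and a PKCS#8/SEC1 key are both a top-level ASN.1 SEQUENCE (0x30).
    return der is not None and len(der) > 2 and der[0] == 0x30


def check_cert_file(text):
    """Problems with a ca.certfile candidate; [] means it passes these checks."""
    blocks = parse_pem(text)
    if not blocks:
        return ["no PEM block found"]
    problems = []
    for i, (label, _headers, der) in enumerate(blocks):
        if label != "CERTIFICATE":
            problems.append(f"block {i}: expected CERTIFICATE, got {label}")
        if not _der_looks_sane(der):
            problems.append(f"block {i}: body is not valid base64 DER")
    return problems


def check_key_file(text):
    """Problems with a ca.keyfile candidate; [] means it passes these checks."""
    blocks = parse_pem(text)
    if len(blocks) != 1:
        return [f"expected exactly one PEM block, found {len(blocks)}"]
    label, headers, der = blocks[0]
    problems = []
    if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", "").upper():
        problems.append("key is encrypted; fabric-ca-server needs an unencrypted key")
    elif label not in UNENCRYPTED_KEY_LABELS:
        problems.append(f"unexpected label {label}")
    if not _der_looks_sane(der):
        problems.append("body is not valid base64 DER")
    return problems


def _pem(label, der, headers=()):
    """Wrap DER bytes in a PEM block (used only to build the constructed samples)."""
    body = base64.b64encode(der).decode()
    head = "".join(f"{k}: {v}\n" for k, v in headers)
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed samples: the DER is a minimal SEQUENCE { INTEGER 1 }, not a real
# certificate or key, just enough to exercise the checks above.
TINY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
GOOD_CERT = _pem("CERTIFICATE", TINY_DER) + _pem("CERTIFICATE", TINY_DER)
GOOD_KEY = _pem("PRIVATE KEY", TINY_DER)
PKCS8_ENCRYPTED_KEY = _pem("ENCRYPTED PRIVATE KEY", TINY_DER)
LEGACY_ENCRYPTED_KEY = _pem("EC PRIVATE KEY", TINY_DER,
                            headers=[("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "AES-256-CBC,00")])

if __name__ == "__main__":
    for name, fn, data in [("cert", check_cert_file, GOOD_CERT),
                           ("key", check_key_file, GOOD_KEY),
                           ("pkcs8-enc", check_key_file, PKCS8_ENCRYPTED_KEY),
                           ("legacy-enc", check_key_file, LEGACY_ENCRYPTED_KEY)]:
        print(name, fn(data) or "ok")
```

To run it against real files, pass the file contents to check_cert_file and check_key_file; an empty list means the files at least have the shape fabric-ca-server expects, and the messages otherwise tell you which requirement from the text above is violated.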
You can customize the CSR to generate an X.509 certificate and key using an elliptic curve (ECDSA). The following settings produce an ECDSA key on curve prime256v1 with signature algorithm ecdsa-with-SHA256:
```yaml
csr:
  key:
    algo: ecdsa
    size: 256
```
Choose the algorithm and key size according to your security requirements.
Start the server
```bash
fabric-ca-server start -b <admin>:<adminpw>
```
If the server has not been initialized previously, it is initialized on first startup. During this initialization the server generates the ca-cert.pem and ca-key.pem files if they do not already exist, and creates a default configuration file if one does not already exist.
To have the CA server listen for HTTPS instead of HTTP, set tls.enabled to true. Without TLS, the enrollment IDs and secrets that clients send (the user:password part of the -u URL) travel in cleartext, so plain HTTP belongs to local testing only.
Limit the number of times the same secret (or password) can be used for enrollment by setting registry.maxenrollments to an appropriate value. If the value is 1, the Fabric CA Server allows the secret for a given enrollment ID to be used only once. If the value is -1, the server places no limit on how often a secret can be reused. The default is -1. If the value is 0, the server disables enrollment for all identities and does not allow any identities to be registered.
The Fabric CA server should now be listening on port 7054.
By default, a Fabric CA Server hosts a single default CA. Additional CAs can be added to the same server with the cafiles or cacount configuration options, and each additional CA gets its own home directory. For example, to start a server with two additional CAs:
```bash
fabric-ca-server start -b admin:adminpw --cacount 2
```
Fabric CA client
The Fabric CA client home directory is determined as follows:
- If the --home command line option is set, use its value
- Otherwise, if the FABRIC_CA_CLIENT_HOME environment variable is set, use its value
- Otherwise, if the FABRIC_CA_HOME environment variable is set, use its value
- Otherwise, if the CA_CFG_PATH environment variable is set, use its value
- Otherwise, use $HOME/.fabric-ca-client
The following instructions assume that the client configuration file exists in the client’s home directory.
Enroll the bootstrap identity
Do not skip this step. Registering other identities requires an enrolled identity in the client home directory; without one, the register command fails like this:
```
➜ ./fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org2.department1 --id.secret peer2pw
2021/11/29 15:16:30 [INFO] Configuration file location: /Users/xxx/workspace/zjwfa/fabric-ca-client/clients/admin/fabric-ca-client-config.yaml
2021/11/29 15:16:30 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
```
First, customize the CSR (Certificate Signing Request) section of the client configuration file if necessary. Note that the csr.cn field must be set to the ID of the bootstrap identity. The default CSR values are as follows:
```yaml
csr:
  cn: <<enrollment ID>>
  key:
    algo: ecdsa
    size: 256
  names:
    - C: US
      ST: North Carolina
      L:
      O: Hyperledger Fabric
      OU: Fabric CA
  hosts:
    - <<hostname of the fabric-ca-client>>
  ca:
    pathlen:
    pathlenzero:
    expiry:
```
Then run the fabric-ca-client enroll command to enroll the identity. For example, the following command enrolls the identity with ID admin and secret adminpw against the Fabric CA Server running locally on port 7054:
```bash
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
```
The enroll command stores the enrollment certificate, the associated private key, and the CA certificate chain as PEM files in the msp subdirectory of the Fabric CA client's home directory. The command's log messages show where the PEM files were written.
Register a new identity
This example registers a peer identity:
```bash
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
```
Note that the value given to --id.affiliation must exist in the CA server's affiliation table (the affiliations section of the server configuration file), otherwise the server rejects the request:
```
fabric-ca-client register --id.name peer4 --id.type peer --id.affiliation org6.department1 --id.secret peer4pw
2021/11/29 15:31:42 [INFO] Configuration file location: /Users/zhaojunwei/workspace/zjwfa/fabric-ca-client/clients/admin/fabric-ca-client-config.yaml
Error: Response from server: Error Code: 71 - Authorization failure
```
This is because our CA server configuration file defines only the following organizations and departments:
```yaml
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
```
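The authorization failure above is easier to reason about with a local model of the checks the server applies to a register request. The following is an added example for this page, not Fabric CA code: it transcribes the affiliations excerpt above into a dict and applies the documented rules that the requested affiliation must exist, that the registrar's own affiliation must equal or be a dotted prefix of it (the bootstrap admin has the root affiliation "" and therefore covers everything), and that the registrar's hf.Registrar.Roles attribute must include the requested type ("*" covers every type). The org1-scoped delegated registrar used at the end is a constructed example identity.

```python
"""Local replica of the authorization checks a register request goes through.

Added example, not fabric-ca code. It models the affiliations section shown
above plus the documented rules: the requested affiliation must exist, the
registrar's own affiliation must equal or be a prefix of it, and the
registrar's hf.Registrar.Roles attribute must cover the requested type
("*" covers every type). Run it to see why peer4 under org6.department1
comes back as an authorization failure while peer1 under org1.department1
is accepted.
"""

# The affiliations from the server configuration excerpt above, transcribed
# by hand into the dict shape the YAML would load as.
AFFILIATIONS = {
    "org1": ["department1", "department2"],
    "org2": ["department1"],
}

# The bootstrap admin as fabric-ca-server creates it: root affiliation ("")
# and hf.Registrar.Roles "*", so it may register any type anywhere.
ADMIN_REGISTRAR = {"name": "admin", "affiliation": "",
                   "attrs": {"hf.Registrar.Roles": "*"}}


def flatten_affiliations(tree):
    """Turn {"org1": ["department1"]} into {"org1", "org1.department1"}."""
    names = set()
    for org, depts in tree.items():
        names.add(org)
        for dept in depts or []:
            names.add(f"{org}.{dept}")
    return names


def affiliation_covers(registrar_aff, target_aff):
    """Root ("") covers everything. Otherwise the registrar's affiliation must
    equal the target or be a dotted prefix of it: org1 covers org1.department1
    but not org10.department1."""
    if registrar_aff == "":
        return True
    return target_aff == registrar_aff or target_aff.startswith(registrar_aff + ".")


def registrar_roles(registrar):
    """Parse the comma-separated hf.Registrar.Roles attribute into a set."""
    raw = registrar.get("attrs", {}).get("hf.Registrar.Roles", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def check_register(registrar, request, affiliations=AFFILIATIONS):
    """Return [] if the request would be authorized, else the list of reasons.

    request mirrors the register command's --id.* flags:
    {"name": ..., "type": ..., "affiliation": ...}
    """
    problems = []
    if request["affiliation"] not in flatten_affiliations(affiliations):
        problems.append(f"affiliation {request['affiliation']!r} does not exist")
    if not affiliation_covers(registrar["affiliation"], request["affiliation"]):
        problems.append(f"registrar affiliation {registrar['affiliation']!r} "
                        f"does not cover {request['affiliation']!r}")
    roles = registrar_roles(registrar)
    if "*" not in roles and request["type"] not in roles:
        problems.append(f"registrar may register {sorted(roles)}, not type {request['type']!r}")
    return problems


if __name__ == "__main__":
    peer1 = {"name": "peer1", "type": "peer", "affiliation": "org1.department1"}
    peer4 = {"name": "peer4", "type": "peer", "affiliation": "org6.department1"}
    print("peer1:", check_register(ADMIN_REGISTRAR, peer1) or "authorized")
    print("peer4:", check_register(ADMIN_REGISTRAR, peer4) or "authorized")
    # Constructed delegated registrar scoped to org1 that may only register peers and clients.
    org1_registrar = {"name": "org1-admin", "affiliation": "org1",
                      "attrs": {"hf.Registrar.Roles": "peer,client"}}
    print("org1 registrar -> org2 orderer:",
          check_register(org1_registrar, {"name": "o1", "type": "orderer",
                                          "affiliation": "org2.department1"}))
```

The prefix rule is why delegated registrars are the safer way to hand out registration rights: an identity with affiliation org1 cannot create identities under org2 even if its roles are broad, and the check is on the dotted prefix, so org1 does not accidentally cover org10.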
Enroll the peer identity
```bash
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp
```
Reenroll
Reenrollment obtains a fresh enrollment certificate (for example before the current one expires). The client authenticates with its existing certificate, so no secret is needed:
```bash
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client reenroll
```
Revoke a certificate or identity
```bash
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client revoke -e peer1
```
Revoking with -e revokes the identity together with all of its certificates, so it can no longer enroll or reenroll. The revocation is recorded in the CA's database; peers and orderers only honor it once a CRL is generated (fabric-ca-client gencrl) and added to the channel's MSP configuration.