Fabric CA User's Guide
Certification Authority
The features provided are:
- identity registration, or connection to an LDAP (Lightweight Directory Access Protocol) server as the user registry;
- issuance of enrollment certificates (ECerts);
- issuance of transaction certificates (TCerts), which provide anonymity and unlinkability when transacting on the Hyperledger Fabric blockchain;
- certificate renewal and revocation.
Contents
1 Structure
2 File format
  2.1 CA server configuration file
  2.2 CA client configuration file
3 Fabric CA server
  3.1 Initialize the server
  3.2 Start the server
  3.3 Set up a server cluster and use LDAP
    3.3.1 Setting up the database
      PostgreSQL
      PostgreSQL SSL configuration
      MySQL
      MySQL SSL configuration: basic requirements for SSL on the MySQL server; client certificate
    3.3.2 Configuring LDAP
    3.3.3 Set up a cluster
    3.3.4 Set up multiple CAs: cacount, cafiles
    3.3.5 Enroll an intermediate CA
4 Fabric CA client
  4.1 Enroll the bootstrap identity
  4.2 Register a new identity
  4.3 Register and enroll a peer identity
  4.4 Get the CA certificate chain from another CA server
  4.5 Re-enroll an identity
  4.6 Revoke a certificate or an identity
  4.7 Use TLS
  4.8 Contact a specific CA
1. Structure
There are two ways to interact with the Fabric CA server:
- Fabric CA client
- Fabric SDK
Both reach the server through an HAProxy endpoint, which load-balances traffic across a cluster of Fabric CA servers.

2. File format
2.1 CA server configuration file
#############################################################################
# Server's listening port (default: 7054)
#############################################################################
port: 7054

#############################################################################
# Enables debug logging (default: false)
#############################################################################
debug: false

#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: noclientcert,
# requestclientcert, requireanyclientcert, verifyclientcertifgiven,
# and requireandverifyclientcert.
#
# certfiles is a list of root certificate authorities the server uses
# when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: ca-cert.pem
  keyfile: ca-key.pem
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
# The CA section contains information related to the Certificate Authority,
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (default: ca-key.pem)
  keyfile: ca-key.pem
  # Certificate file (default: ca-cert.pem)
  certfile: ca-cert.pem
  # Chain file (default: chain-cert.pem)
  chainfile: ca-chain.pem

#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) Authenticates enrollment requests which contain a username and password
#    (also known as an enrollment ID and secret).
# 2) Once authenticated, retrieves the identity's attribute names and
#    values, which the fabric-ca-server optionally puts into the TCerts
#    it issues for transacting on the Hyperledger Fabric blockchain.
#    These attributes are useful for making access control decisions in
#    chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry
# 2) An LDAP server is the registry, in which case the fabric-ca-server
#    calls the LDAP server to perform these tasks.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: <<<ADMIN>>>
      pass: <<<ADMINPW>>>
      type: client
      affiliation: ""
      maxenrollments: -1
      attrs:
        hf.Registrar.Roles: "client,user,peer,validator,auditor"
        hf.Registrar.DelegateRoles: "client,user,validator,auditor"
        hf.Revoker: true
        hf.IntermediateCA: true

#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# cannot be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem

#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) Authenticate the enrollment ID and secret (i.e. username and password)
#    for enrollment requests;
# 2) Retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  enabled: false
  # The URL of the LDAP server
  url: ldap://<adminDN>:<adminPassword>@
The server configuration file consists mainly of the following sections:
- ca: the CA name and the file names of its private key, certificate and certificate chain
- registry: the maximum number of times an enrollment secret may be reused, and the bootstrap identities (name, password, type, affiliation, attributes) used when LDAP is disabled
- ldap: the registry is either the server itself or an LDAP server; when LDAP is enabled, the server calls LDAP to authenticate the enrollment ID and secret and to retrieve the identity's attributes
- db: one of three database types: "sqlite3" (embedded, single server only), "postgres" (cluster), "mysql" (cluster)
- affiliations: the organizational (affiliation) tree that identities belong to
- signing:
  - default: the signing profile for enrollment certificates (ECerts), including their validity period
  - ca: the profile for issuing intermediate CA certificates, including their validity period and whether an intermediate CA may in turn issue further intermediate CA certificates
- csr (Certificate Signing Request): controls how the root (self-signed) CA certificate is generated
- bccsp: the cryptographic provider (BlockChain Crypto Service Provider)
- multi-CA section: running multiple CAs in one server
  - cacount: the number of CAs to start
  - cafiles: the list of CA configuration files
- intermediate: settings for enrolling this server as an intermediate CA

2.2 CA client configuration file
#############################################################################
# Client Configuration
#############################################################################

# URL of the Fabric CA server (default: http://localhost:7054)
url: http://localhost:7054

# Membership Service Provider (MSP) directory
# When the client is used to enroll a peer or an orderer, this field must be
# set to the MSP directory of the peer/orderer
mspdir:

#############################################################################
# TLS section for secure socket connection
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  certfiles:
  client:
    certfile:
    keyfile:
##############################
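The following Python script, added here as an example and not code from the Fabric CA project, audits a parsed fabric-ca-server configuration and a parsed fabric-ca-client configuration for the weak values the two template files above leave in place: TLS off on the listening port, the <<<ADMIN>>>/<<<ADMINPW>>> placeholders still set, unlimited enrollments for a secret, sqlite3 behind a load balancer, an unencrypted database connection and admin credentials sent over plain ldap://. It assumes each YAML file has already been loaded into nested dicts with yaml.safe_load (the shape those files parse to); the sample configurations, the hardened file names, the postgres datasource string and the admin password are constructed for the example.

```python
"""Audit fabric-ca-server / fabric-ca-client settings for weak template values.

Added example, not part of the Fabric CA project. Input is the dict that
yaml.safe_load returns for each configuration file; the samples at the bottom
are constructed here and mirror the template files shown on this page.
"""

PLACEHOLDER = "<<<"                       # the template marks secrets as <<<ADMIN>>>
CLUSTER_DB_TYPES = {"postgres", "mysql"}  # sqlite3 is embedded, so it cannot back a cluster


def audit_server_config(cfg, clustered=False):
    """Return (key, message) findings for a fabric-ca-server config dict.

    clustered=True means several servers sit behind a load balancer, which
    rules out sqlite3 as the shared database.
    """
    findings = []

    tls = cfg.get("tls") or {}
    if not tls.get("enabled", False):
        findings.append(("tls.enabled", "TLS is off: enrollment IDs and secrets travel in clear text"))
    clientauth = tls.get("clientauth") or {}
    # Any client-auth type other than noclientcert needs root CAs to verify against.
    if str(clientauth.get("type", "noclientcert")).lower() != "noclientcert" and not clientauth.get("certfiles"):
        findings.append(("tls.clientauth.certfiles", "client cert verification requested but no root CA files listed"))

    registry = cfg.get("registry") or {}
    if registry.get("maxenrollments", -1) == -1:
        findings.append(("registry.maxenrollments", "-1 lets every enrollment secret be reused without limit"))
    for ident in registry.get("identities") or []:
        name = str(ident.get("name", ""))
        if name.startswith(PLACEHOLDER) or str(ident.get("pass", "")).startswith(PLACEHOLDER):
            findings.append(("registry.identities.placeholder", f"{name}: template placeholder still in name or pass"))
        # Assumption: an identity without its own maxenrollments inherits the registry value.
        if ident.get("maxenrollments", registry.get("maxenrollments", -1)) == -1:
            findings.append(("registry.identities.maxenrollments", f"{name}: secret reusable without limit"))
        if (ident.get("attrs") or {}).get("hf.IntermediateCA") is True:
            findings.append(("registry.identities.intermediateca", f"{name}: may enroll new intermediate CAs"))

    db = cfg.get("db") or {}
    dbtype = str(db.get("type", "sqlite3")).lower()
    if clustered and dbtype not in CLUSTER_DB_TYPES:
        findings.append(("db.type", f"{dbtype} cannot back a cluster; use postgres or mysql"))
    if dbtype in CLUSTER_DB_TYPES and not (db.get("tls") or {}).get("enabled", False):
        findings.append(("db.tls.enabled", f"connection to the {dbtype} server is unencrypted"))

    ldap = cfg.get("ldap") or {}
    if ldap.get("enabled", False) and str(ldap.get("url", "")).startswith("ldap://"):
        findings.append(("ldap.url", "admin DN and password in the URL are sent over plain ldap://"))
    return findings


def audit_client_config(cfg):
    """Return (key, message) findings for a fabric-ca-client config dict."""
    findings = []
    tls = cfg.get("tls") or {}
    if str(cfg.get("url", "")).startswith("http://") or not tls.get("enabled", False):
        findings.append(("tls.enabled", "plain http:// or tls.enabled false: the enrollment secret is sent in clear text"))
    elif not tls.get("certfiles"):
        findings.append(("tls.certfiles", "no root CA files: the server certificate cannot be verified"))
    return findings


# Constructed sample mirroring the template server config above (weak values).
WEAK_SERVER = {
    "port": 7054,
    "tls": {"enabled": False, "certfile": "ca-cert.pem", "keyfile": "ca-key.pem",
            "clientauth": {"type": "noclientcert", "certfiles": None}},
    "registry": {"maxenrollments": -1,
                 "identities": [{"name": "<<<ADMIN>>>", "pass": "<<<ADMINPW>>>", "type": "client",
                                 "affiliation": "", "maxenrollments": -1,
                                 "attrs": {"hf.Revoker": True, "hf.IntermediateCA": True}}]},
    "db": {"type": "sqlite3", "datasource": "fabric-ca-server.db", "tls": {"enabled": False}},
    "ldap": {"enabled": False, "url": "ldap://<adminDN>:<adminPassword>@"},
}

# Constructed hardened counterpart for a clustered deployment (file names,
# datasource string and password are assumed, not taken from the guide).
HARDENED_SERVER = {
    "port": 7054,
    "tls": {"enabled": True, "certfile": "tls-cert.pem", "keyfile": "tls-key.pem",
            "clientauth": {"type": "requireandverifyclientcert", "certfiles": ["tls-root.pem"]}},
    "registry": {"maxenrollments": 1,
                 "identities": [{"name": "admin", "pass": "s3cr3t-from-secret-store", "type": "client",
                                 "affiliation": "", "maxenrollments": 1,
                                 "attrs": {"hf.Revoker": True, "hf.IntermediateCA": False}}]},
    "db": {"type": "postgres",
           "datasource": "host=db port=5432 user=ca dbname=fabric_ca sslmode=verify-full",
           "tls": {"enabled": True, "certfiles": ["db-server-cert.pem"],
                   "client": {"certfile": "db-client-cert.pem", "keyfile": "db-client-key.pem"}}},
    "ldap": {"enabled": False},
}

WEAK_CLIENT = {"url": "http://localhost:7054", "mspdir": "", "tls": {"enabled": False}}
HARDENED_CLIENT = {"url": "https://ca.example.org:7054", "mspdir": "msp",
                   "tls": {"enabled": True, "certfiles": ["tls-root.pem"]}}

if __name__ == "__main__":
    for label, found in (("weak server", audit_server_config(WEAK_SERVER, clustered=True)),
                         ("hardened server", audit_server_config(HARDENED_SERVER, clustered=True)),
                         ("weak client", audit_client_config(WEAK_CLIENT)),
                         ("hardened client", audit_client_config(HARDENED_CLIENT))):
        print(f"{label}: {len(found)} finding(s)")
        for key, msg in found:
            print(f"  {key}: {msg}")
```

One caveat on the hardened server sample: requireandverifyclientcert on the listening port means every client must already hold a TLS certificate from one of the listed root CAs before it can enroll, so many deployments keep noclientcert on the listening port and rely on server-side TLS plus a short-lived, single-use enrollment secret (maxenrollments: 1) instead.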