Re: How to add an intermediate CA with Fabric CA and docker #fabric-ca #docker


famar
 

Hi Kavin, I have already read the documentation and when I try to manually set the configuration files I have no problem. The problems arise when I start using docker-compose.
First of all in the documentation it is indicated to copy the TLS CA ca-cert.pem file in the organization folder.
But if I effect the enrollment of the admin of my organization in this way:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053

then indicating as TLS certificate the one contained in the TLS CA folder I get this error:

"Post "https://0.0.0.0:7053/enroll": x509: certificate signed by unknown authority".

If instead I don't use the file in the TLS CA folder but the one in the organization folder:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem

The enrollment is successful but I can't understand why, since in the documentation it is indicated to use the one present in the TLS CA folder.

This problem affects the whole flow, preventing me from understanding how to set an intermediate CA. From the documentation I think I have more or less understood how to set the section of the docker-compose.yaml, but I cannot understand how to manage the certification files.


On Thu, Mar 3, 2022 at 03:46 Kavin Arumugam <a.kavin24@...> wrote:
Hi Famar,

If you are exploring for the first time, I would suggest you go with a Fabric CA binaries-based deployment by referring to the following link.
If you are comfortable with the above, then go ahead with a Docker-based deployment.

Thanks & Regards
Kavin Arumugam

On Tue, Mar 1, 2022 at 4:07 PM famar <fabrizio.marangio@...> wrote:
Hello everyone, I'm trying to implement a test fabric network by setting 1 TLS-CA, 1 ROOT-CA, 1 ORG, 1 Orderer and 1 Intermediate CA.
I'm having some trouble implementing intermediate CA with docker.
This is the section of the docker-compose.yaml file related to the intermediate CA:
 
  ica-org0:
    container_name: ica-org0
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b icaadmin:icaadminpw --port 7054'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org2
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_CSR_CN=
        - FABRIC_CA_SERVER_CSR_CA_PATHLENGTH=0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_CANAME=rca-org0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_URL=https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_PROFILE=ca
        - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/tmp/hyperledger/ca-tls/ca/crypto/ca-cert.pem
        - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=127.0.0.1:9444
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/ica-org0/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7054:7054

I am having trouble registering identities and moving through certificates. Would you know what steps to follow to enter an intermediate CA? Thank you
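
Added example, not part of the thread or of the Fabric CA project: the "x509: certificate signed by unknown authority" error quoted above means the file given as the client's trust root did not issue the certificate the server presented, and `openssl verify` can show which of several candidate CA files did. The CA names `tls-ca` and `org-ca`, the leaf name `server`, and all keys and certificates are throwaway values constructed for this demo.

```shell
#!/bin/sh
# Added example. Every key and certificate below is a throwaway constructed
# for this demo; the names tls-ca, org-ca and server are assumptions.

# Print the first candidate CA file that verifies LEAF.
# Returns non-zero when none does, which is the situation a TLS client
# reports as "certificate signed by unknown authority".
which_ca_verifies() {
  _leaf=$1; shift
  for _ca in "$@"; do
    if openssl verify -CAfile "$_ca" "$_leaf" >/dev/null 2>&1; then
      printf '%s\n' "$_ca"
      return 0
    fi
  done
  return 1
}

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.pem) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA LEAF: create LEAF.pem in DIR, signed by the CA named CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_ca "$tmp" tls-ca && make_ca "$tmp" org-ca &&
    make_leaf "$tmp" org-ca server
  # Two candidate trust files, as in the thread: only the issuer verifies.
  for name in tls-ca org-ca; do
    if which_ca_verifies "$tmp/server.pem" "$tmp/$name.pem" >/dev/null; then
      echo "$name.pem: verifies server.pem"
    else
      echo "$name.pem: unknown authority for server.pem"
    fi
  done
  rm -rf "$tmp"
}

demo
```

To run the same check against a live CA, save the certificate it presents (for example from the output of `openssl s_client -connect <host>:<port> -showcerts`) and pass the candidate trust files to `which_ca_verifies`.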
