1. Fabric
  2. Messages

Re: How to add an intermediate CA with Fabric CA and docker #fabric-ca #docker

famar
 

Hi Kavin,
From what I can see, you commented out the docker configuration files, going to directly edit the server configuration files. 
This way it actually works but what I was trying to do was to use docker compose to set the configuration. 
At the moment I was able to start root CA but I am having problems with intermediate. 
To avoid putting all the commands here, I refer to the link of a question I asked about it on stackoverflow https://stackoverflow.com/questions/71427636/error-during-creation-of-an-hyperledger-fabric-intermediate-ca-with-docker-compo

If you could take a look at it, I'd appreciate it.
Thank you.

Regards,
Fabrizio Marangio

Il giorno lun 14 mar 2022 alle ore 04:05 Kavin Arumugam <a.kavin24@...> ha scritto:
Hi Fabrizio,

I will suggest you have a look at the attached files. It worked for me.


Thanks & Regards
Kavin Arumugam


On Thu, Mar 10, 2022 at 4:26 PM Fabrizio Marangio <fabrizio.marangio@...> wrote:
Hello, I have been making changes to the docker file attempting to replicate what is done here https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html using docker compose.
I refer to this link because it is the only one that gives information about intermediate CAs.
I first initialize my TLS CA with this docker configuration:

version: '2'

networks:
  fabric-ca:

services:
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.5.2
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CA_NAME=tls-ca
        - FABRIC_CA_SERVER_CSR_CN=tls-ca
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
        - /tmp/hyperledger/certificates/:/certificates
    networks:
        - fabric-ca
    ports:
        - 7052:7052

After that I create a folder where to save the certificates to link then to a volume and save the ca-cert.pem of the TLSCA in this folder:

mkdir /tmp/hyperledger/fabric-ca-client/certificates/
cp /tmp/hyperledger/tls-ca/crypto/ca-cert.pem /tmp/hyperledger/certificates/tls-ca-cert.pem

At this point I carry out the enrollment of the admin of the tls ca and the registration of the admin of the rca-org0 and the intermediate ca:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin
fabric-ca-client register -d --id.name rca-org0-admin --id.secret rca-org0-adminpw -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name ica-admin --id.secret ica-admin-pw -u https://0.0.0.0:7052

after that i enroll the two admins:

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/org0admin
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7052 --enrollment.profile tls --csr.hosts '0.0.0.0'
 
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/icaadmin
fabric-ca-client enroll -d -u https://ica-admin:ica-admin-pw@0.0.0.0:7052 --enrollment.profile tls --csr.hosts '0.0.0.0'

Then i create a sub folder in the certificates folder to store the cert.pem and the key just created for rca-org0 admin:

mkdir /tmp/hyperledger/certificates/org0-cert-key
cp /tmp/hyperledger/tls-ca/org0admin/msp/signcerts/cert.pem /tmp/hyperledger/certificates/org0-cert-key/cert.pem
cp /tmp/hyperledger/tls-ca/org0admin/msp/keystore/* /tmp/hyperledger/certificates/org0-cert-key/

Now I launch the command docker-compose up rca-org0 to start my root CA. This is the docker configuration:

rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.5.2
    command: sh -c  'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_TLS_CERTFILE=/certificates/org0-cert-key/cert.pem
        - FABRIC_CA_SERVER_TLS_KEYSTORE=/certificates/org0-cert-key/key.pem
        - FABRIC_CA_SERVER_CSR_CN=rca-org0
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
        - FABRIC_CA_SERVER_CA_NAME=rca-org0
    volumes:
        - /tmp/hyperledger/org0/ca/:/tmp/hyperledger/fabric-ca
        - /tmp/hyperledger/certificates/:/certificates
    networks:
        - fabric-ca
    ports:
        - 7053:7053
 
But i have this error:

Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[103 71 48 157 205 189 109 100 50 86 145 54 249 131 248 89 73 236 75 182 14 211 37 24 30 245 244 121 174 167 139 188]]: Key with SKI 6747309dcdbd6d6432569136f983f85949ec4bb60ed325181ef5f479aea78bbc not found in /tmp/hyperledger/fabric-ca/crypto/msp/keystore.

Someone can help me to solve this problem? Thanks

Join {fabric@lists.hyperledger.org to automatically receive all group messages.