Re: Generate TLS certificates using CA and not cryptogen #fabric #fabric-ca #fabricca

Jean-Gaël Dominé <jgdomine@...>

After a lot of struggle, I managed to progress without using a multi-root CA. My issue was that neither the Common Name nor the SAN of my certificates matched the name of the component it was associated with.

My workaround was to overwrite the SAN using the --csr.hosts option of the fabric-ca-client command.

I still have an issue, though, that prevents the orderer and peers from communicating (I get many TLS handshake errors). To me, it seems that the problem is coming from the tlsca certificate I get back from the enrollment process.

For instance, when looking at a peer tlsca certificate obtained using cryptogen, here is what it contains:

And when I take a look at the one obtained using the CA client, I see the root CA...

NB: by tlsca certificate, I mean the file located in the tlsca sub-folder of the tls folder

Does somebody have an idea why it does that and how to solve this?

Thank you
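A way to tell apart the two failure modes this message describes (a SAN that does not cover the component's hostname, and a TLS certificate that does not chain to the CA file the other side trusts), as an added Go example that is not part of the original post or of Fabric's code. The `issue` and `Diagnose` helpers, the hostnames and the in-memory certificates are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, sans []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = tpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose checks the SAN against host first, then the chain to the single trusted CA.
func Diagnose(leaf, trusted *x509.Certificate, host string) string {
	if err := leaf.VerifyHostname(host); err != nil {
		return "san-mismatch" // hostname missing from the certificate's SAN list
	}
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return "untrusted-ca" // trusted CA file is not the issuer of this certificate
	}
	return "ok"
}

func main() {
	host := "peer0.org1.example.com" // constructed component hostname
	ca, caKey := issue("tlsca", nil, nil, nil)
	other, _ := issue("other-ca", nil, nil, nil)
	bad, _ := issue("peer0", []string{"localhost"}, ca, caKey)
	good, _ := issue("peer0", []string{host}, ca, caKey)
	fmt.Println(Diagnose(bad, ca, host), Diagnose(good, ca, host), Diagnose(good, other, host))
}
```

To run the same check on real files, decode each PEM file with `encoding/pem` and `x509.ParseCertificate`, then pass the component's TLS certificate, the CA certificate the remote side loads, and the hostname the remote side dials.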
