Jean-Gaël Dominé <jgdomine@...>
After a lot of struggle, I managed to progress without using a multi-root CA. My issue was that neither the Common Name nor the SAN of my certificates matched the name of the component they were associated with.
My workaround was to overwrite the SAN using the --csr.hosts option of the fabric-ca-client command.
I still have an issue, though, that prevents the orderer and peers from communicating (I get many TLS handshake errors). To me, it seems that the problem is coming from the tlsca certificate I get back from the enrollment process.
For instance, when looking at a peer tlsca certificate obtained using cryptogen, here is what it contains:
And when I take a look at the one obtained using the CA client, I see the root CA...
NB: by tlsca certificate, I mean the file located in the tlsca sub-folder of the tls folder
Does somebody have an idea why it does that and how to solve this?