Re: Generate TLS certificates using CA and not cryptogen #fabric #fabric-ca #fabricca


Nye Liu <nye@...>
 

Please don't put external links in your emails; many of us have those blocked.

Instead just copy/paste the actual text, which is also preferable to screenshots.

Thanks!

On 9/11/2019 4:53 AM, Jean-Gaël Dominé wrote:
After a lot of struggle, I managed to progress without using a multi-root CA. My issue was that neither the Common Name nor the SAN of my certificates matched the name of the component it was associated with.

My workaround was to overwrite the SAN using the --csr.hosts option of the fabric-ca-client command.

I still have an issue though that prevents the orderer and peers from communicating (I get many TLS handshake errors). To me, it seems that the problem is coming from the tlsca certificate I get back from the enrollment process.

For instance, when looking at a peer tlsca certificate obtained using cryptogen, here is what it contains:



And when I take a look at the one obtained using the CA client, I see the root CA...



NB: by tlsca certificate, I mean the file located in the tlsca sub-folder of the tls folder



Does somebody have an idea why it does that and how to solve this?

Thank you
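
An added example, not part of the original thread: the two checks a Go TLS client (Fabric components are written in Go) applies to a peer certificate, run against throwaway certificates so that each failure mentioned above can be told apart. All names (`peer0.org1.example.com`, `tlsca.org1.example.com`, `ca.org1.example.com`) and the helpers `issue` and `verifyAs` are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a throwaway certificate (all names are constructed samples); a nil parent yields a self-signed CA.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, sans ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed CA that may sign leaf certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyAs repeats the client-side checks: the dialed name must be in the SANs and the chain must end at trustedRoot.
func verifyAs(leaf, trustedRoot *x509.Certificate, dialed string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialed})
	return err
}

func main() {
	tlsCA, tlsKey := issue(nil, nil, "tlsca.org1.example.com")
	rootCA, _ := issue(nil, nil, "ca.org1.example.com")
	peer, _ := issue(tlsCA, tlsKey, "peer0", "peer0.org1.example.com")
	fmt.Println(verifyAs(peer, tlsCA, "peer0.org1.example.com"))  // SAN matches, issuer trusted
	fmt.Println(verifyAs(peer, tlsCA, "peer0"))                   // name only in the CN: rejected
	fmt.Println(verifyAs(peer, rootCA, "peer0.org1.example.com")) // trust bundle holds a different CA
}
```

The second case fails with `x509.HostnameError` and the third with `x509.UnknownAuthorityError`, so the error type in a handshake log indicates whether to look at the SAN list or at the CA file the other side trusts.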
