Re: Alternative of cryptogen for Prod


Hakan Eryargi
 

Hi Jean-Gaël and Joe,

This is not my understanding.

1. Fabric doesn't care whether the root certificate is self-signed or not. The root certificate of an organization is encoded in the genesis block, Fabric only cares about it.
2. CA doesn't create the root certificate, you need to feed it the root certificate so it can create other certificates. Peer, user, admin etc.

So either using CA or not, one needs to create the root certificate. IMHO it doesn't really matter if self-signed or not. After that, it's a matter of choice to use CA or cryptogen to create other certificates.

Please correct me if I am wrong about the above.

Otherwise I don't see a real issue about using cryptogen in production.

In our flow, we create all the initial certificates with cryptogen, launch the network including CAs, then use CA to register users. Our intention is using the same flow in production too unless someone provides a more convenient tool to create the initial certificates.

Best,
Hakan

On Wed, Nov 6, 2019 at 2:36 PM Joe Alewine <joe.alewine@...> wrote:
Hakan,
 
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production. Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and is explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
 
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
 
Regards,
 
Joe Alewine
IBM Blockchain, Raleigh
 
rocket chat: joe-alewine
slack: joe.alewine
 
 
 
----- Original message -----
From: hakan eryargi <hakan.eryargi@...>
To: Abhijeet Bhowmik <abhijeet@...>
Cc: Joe Alewine <joe.alewine@...>, fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Wed, Nov 6, 2019 7:29 AM
 
Hi,
 
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.  

I don't want to create the certificates manually, nor want to write some scripts for certificate creation. Maybe cryptogen is not intended for this purpose but best option for now, especially if you don't need additional stuff in certificates.

So, if there is no real issue with it, like a security threat or whatever, we plan to go production with cryptogen.

It will also be nice if cryptogen is even more developed to cover other needs too :) 

Best,

Hakan
 
On Tue, Nov 5, 2019 at 4:40 AM Abhijeet Bhowmik <abhijeet@...> wrote:
Hey,
 
Thanks to all for the help. I am extremely grateful to everyone.
 
Abhijeet Bhowmik
 
On Mon, Nov 4, 2019 at 9:51 PM Joe Alewine <joe.alewine@...> wrote:
Abhijeet,
 
Certificate Authorities --- specifically, the Fabric CA --- should be used to create all of the certificates in a production scenario (it is a best practice to stand up one CA for each organization and the organization's related identities, MSP, and nodes).
 
Consult the Fabric CA User's Guide for more information: https://hyperledger-fabric-ca.readthedocs.io/en/latest/
 
Regards,
 
Joe Alewine
IBM Blockchain, Raleigh
 
rocket chat: joe-alewine
slack: joe.alewine
 
 
 
----- Original message -----
From: "Nye Liu" <nye@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Sun, Nov 3, 2019 7:43 AM
 

It is described in the Operations Guide.

On 11/3/2019 1:11 AM, Abhijeet Bhowmik wrote:
Hey,
 
Just to be specific, I was referring to the certificates that we set up at peers and place public keys at orderer. From where do we obtain that folder structure (MSP and TLS)?
 
Thanks and Regards
Abhijeet Bhowmik
 
On Sun, Nov 3, 2019 at 10:44 AM Mrudav Shukla <mrudavshukla@...> wrote:
Hi Abhijeet,
 
For prod, you’ll need to generate certs from CAs. References:
Cheers,
Mrudav 
 
On Sun, 3 Nov 2019 at 10:22 AM, Abhijeet Bhowmik <abhijeet@...> wrote:
Greetings Everyone,
 
I am dwelling in the answer of the question: "If not cryptogen in Prod, then what and how?".
Right now, generating org certificates is a pretty straightforward task while getting started with HLF. But after reading the docs, the question has been thrown upon me that how can we configure certificates in Prod. I know it's a naive question to ask but being a beginner and stepping my first foot into actually hosting fabric application, I am obliged to ask the community to help me out.
 
 
Thanks and Regards
Abhijeet Bhowmik
 
 

 

 

 

 

 
