#fabric Certificates and Keys generation and sharing #fabric


Jean-Gaël Dominé <jgdomine@...>
 

Hi all,

I would like to expose some ideas to have your feelings and ideas about the generation and sharing of the artifacts because I'm not sure about which path to take.
In my network (deployed in Kubernetes) I have a batch that generates all the certificates and keys (TLS included) of the admins, peers, orderers, genesis block, ... by connecting to the CA using fabric-ca-client.
Then I export all these artifacts as secrets in K8S so that the components have access to them.
This works fine but it does not look like production mode to me.

So I was trying to think of how this process would be handled in production. Here are some ideas:

1) Peers and orderers enroll themselves at startup:
  • by installing fabric-ca-client on them so that they can register and enroll with the CA
  • by exposing some endpoints on an API using the SDK that they would call
This would work if we add peers and orderers to the existing organizations, as normally the root certificates are already present in the genesis block and thus known by everybody.
But an issue I foresee is the management in case the component restarts: we must avoid going through the registration/enrollment again since it was already done. How can this be achieved?
Also the LCM of the certificates could be an issue.

Besides, this would become more complex when adding a new organization.
In case a new organization is added, I don't see how to automate it since the system channel configuration must be updated...

So if anyone has a better idea on how to handle this part of Fabric, I'd be happy to learn about it :)

Thanks

JG
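
An added example, not part of JG's post and not Fabric's or fabric-ca-client's own code, showing one way to make idea 1 survive restarts: an init container inspects the MSP volume before calling fabric-ca-client and only enrolls when nothing usable is there, reenrolls when the certificate is close to expiry, and otherwise does nothing. It assumes the directory layout fabric-ca-client enroll writes under --mspdir (signcerts/cert.pem and a keystore/*_sk key); the CA URL, enrollment ID and secret, TLS CA path and 24-hour renewal window are assumptions, and the certificate it runs against is a constructed self-signed one, not one issued by a Fabric CA.

```go
// Added example, not code from the post or from Fabric/fabric-ca-client. Assumed layout is the
// one fabric-ca-client enroll writes under --mspdir: signcerts/cert.pem and keystore/<hash>_sk.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"path/filepath"
	"time"
)

type Action int

const (
	ActionSkip     Action = iota // valid cert and key on disk: reuse them, never enroll twice
	ActionEnroll                 // nothing usable on disk: first enrollment with the secret
	ActionReenroll               // cert inside the renewal window: reenroll using the existing key
)

func (a Action) String() string { return [...]string{"skip", "enroll", "reenroll"}[a] }

// DecideAction runs at every start and is idempotent: it returns ActionSkip until renewal is due.
func DecideAction(mspDir string, now time.Time, renewBefore time.Duration) (Action, error) {
	raw, err := os.ReadFile(filepath.Join(mspDir, "signcerts", "cert.pem"))
	if os.IsNotExist(err) {
		return ActionEnroll, nil
	}
	if err != nil {
		return 0, err
	}
	// A cert whose key is gone is unusable and reenroll could not authenticate: enroll afresh.
	if keys, _ := filepath.Glob(filepath.Join(mspDir, "keystore", "*_sk")); len(keys) == 0 {
		return ActionEnroll, nil
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return 0, fmt.Errorf("signcerts/cert.pem is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	if !now.Add(renewBefore).Before(cert.NotAfter) {
		return ActionReenroll, nil
	}
	return ActionSkip, nil
}

// CAClientArgs builds the fabric-ca-client command line; the secret is only used for enroll.
func CAClientArgs(action Action, caURL, enrollID, secret, mspDir, tlsCA string) ([]string, error) {
	u, err := url.Parse(caURL)
	if err != nil {
		return nil, err
	}
	switch action {
	case ActionEnroll:
		u.User = url.UserPassword(enrollID, secret)
		return []string{"fabric-ca-client", "enroll", "-u", u.String(), "--mspdir", mspDir, "--tls.certfiles", tlsCA}, nil
	case ActionReenroll:
		return []string{"fabric-ca-client", "reenroll", "-u", u.String(), "--mspdir", mspDir, "--tls.certfiles", tlsCA}, nil
	}
	return nil, nil // skip: nothing to run
}

func writePEM(path, typ string, der []byte) error {
	_ = os.MkdirAll(filepath.Dir(path), 0o700) // a failure here surfaces in WriteFile
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600)
}

// WriteSampleMSP writes a constructed self-signed P-256 cert and key in MSP layout (test fixture).
func WriteSampleMSP(mspDir string, notBefore, notAfter time.Time) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a valid ECDSA key
	if err := writePEM(filepath.Join(mspDir, "signcerts", "cert.pem"), "CERTIFICATE", certDER); err != nil {
		return err
	}
	return writePEM(filepath.Join(mspDir, "keystore", "priv_sk"), "PRIVATE KEY", keyDER)
}

func main() {
	dir, _ := os.MkdirTemp("", "msp")
	defer os.RemoveAll(dir)
	_ = WriteSampleMSP(dir, time.Now(), time.Now().Add(48*time.Hour))
	a, _ := DecideAction(dir, time.Now(), 24*time.Hour)                    // valid cert on restart: skip
	b, _ := DecideAction(dir, time.Now().Add(36*time.Hour), 24*time.Hour) // 12h before expiry: reenroll
	args, _ := CAClientArgs(b, "https://ca-org1:7054", "peer0", "peer0pw", dir, "/etc/hyperledger/fabric/tls-ca.pem")
	fmt.Println(a, b, args)
}
```

The skip branch only works if --mspdir points at a persistent volume rather than the container filesystem, and registration stays a one-off step for a CA registrar (fabric-ca-client register), so the pod only needs the enrollment secret until its first successful enroll; after that, reenroll is authenticated by the key already on the volume.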
