Re: Revoke User certificate


Roger <roger_sherwood@...>
 

Hi Nye,
In addition to the peer's local MSP, the revoked certificate list exists in the configuration block of each of the channels, under the MSP section. Depending on where the peer is checking, you may need to update this as well using configtxlator.
I don't think I can remember the definitive list of when the peer checks the local MSP config and not the channel configuration, so I hope one of the developers can chip in on this subject.

Note the revocation works with the signing certificates but not with the TLS certs.


Thanks, Roger

IBM Global Business Services




From: "Adhav Pavan" <adhavpavan@...>
To: Nye Liu <nye@...>
Cc: Hojjat Jashnniloofar <h.niloofar@...>, hyperledger-fabric <hyperledger-fabric@...>
Date: 01/01/2020 14:23
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Revoke User certificate
Sent by: fabric@...




Hello Nye,

I think we have to place CRL(generated by ca) in the MSP folder and not inside peer.

MSP Structure:

[image.png: MSP folder structure diagram, not included]

Description for same: 

Revoked Certificates: If the identity of an actor has been revoked, identifying information about the identity — not the identity itself — is held in this folder. For X.509-based identities, these identifiers are pairs of strings known as Subject Key Identifier (SKI) and Authority Access Identifier (AKI) and are checked whenever the X.509 certificate is being used to make sure the certificate has not been revoked.

This list is conceptually the same as a CA’s Certificate Revocation List (CRL), but it also relates to the revocation of membership from the organization. As a result, the administrator of an MSP, local or channel, can quickly revoke an actor or node from an organization by advertising the updated CRL of the CA the revoked certificate was issued by. This “list of lists” is optional. It will only become populated as certificates are revoked.



Please correct me if I am wrong.

Thank you.
Heartfelt Regards,
Pavan Adhav

Blockchain Developer
Cell Phone:
+91-8390114357  E-Mail: adhavpavan@...


On Wed, Jan 1, 2020 at 3:49 AM Nye Liu <nye@...> wrote:
You have to update each applicable channel configuration with the new crls. The peer/orderer MSP would then be checked to make sure the entity making the channel configuration update has permission to do so (depending on whether the update is to an orderer system channel or an application channel). This is my understanding but I could be very wrong.


On Tue, Dec 31, 2019, 9:02 AM Hojjat Jashnniloofar <h.niloofar@...> wrote:
Hello,
We are a team that has worked on a KYC solution on Hyperledger Fabric for the last 2 years. We register each user, enroll a certificate for each user, and install key pairs on the users' mobiles. In case of loss or theft, we want to revoke the user certificate and re-enroll them. We found SDK functions for revoke and re-enroll, but we want to ban old certificates from accessing the chaincode methods. We can generate a CA CRL, but we don't know where we must place these CRLs or how to force peers to check certificate status before submitting or evaluating a transaction.

We placed this CRL (generated by the CA) on the peer at this path:
/etc/hyperledger/msp/peer/crls
but the user can still submit transactions with the revoked certificate.

Can anyone help us in this case?

Best Regards
Hojjat Jashnniloofar




Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
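The thread points at two places a CRL has to reach: the local MSP folder the peer loads (the `/etc/hyperledger/msp/peer/crls` path above) and the org's MSP entry in each channel's configuration block (Roger's and Nye's replies). The script below is an added example, not code from this thread or from Hyperledger Fabric. Part 1 builds a throwaway openssl CA, issues a user certificate, produces an empty CRL and then a CRL revoking that certificate, and shows that an MSP-style check (chain to `cacerts/`, consult every CRL in `crls/`) only rejects the identity once the revoking CRL is actually in the folder. Part 2 assembles the channel-config update that appends the same CRL to the org MSP's `revocation_list` via configtxlator; it runs only when invoked as `sh crl_demo.sh apply <channel> <orgMSP> <crl.pem>` against a real network, and the `ORDERER` endpoint, file names and jq path are assumptions about a typical deployment.

```shell
#!/bin/sh
# Added example (not from the thread or from Fabric). Part 1: local-MSP-style
# CRL check with a constructed CA. Part 2: channel config update (hypothetical
# network values; only runs with "apply").
set -eu

WORK=${WORK:-$(mktemp -d)}
ORDERER=${ORDERER:-orderer.example.com:7050}   # assumed orderer endpoint

# Part 1: throwaway CA, one user cert, an empty CRL and a CRL revoking the cert.
make_demo_pki() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/ext.cnf"
  touch "$WORK/index.txt"; echo 01 > "$WORK/serial"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=demo-ca" -days 30 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" -subj "/CN=user1" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/user.pem" -days 30 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-empty.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/user.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Lay out a local-MSP-style directory and drop a CRL into its crls/ folder.
install_crl() {  # $1 = msp dir, $2 = CRL PEM
  mkdir -p "$1/cacerts" "$1/crls"
  cp "$WORK/ca.pem" "$1/cacerts/ca.pem"
  cp "$2" "$1/crls/crl.pem"
}

# What a CRL-aware identity check does with that folder: chain to cacerts/ and
# reject the certificate if a CRL in crls/ lists it. Prints accepted/rejected.
check_identity() {  # $1 = msp dir, $2 = certificate PEM
  bundle=$(mktemp)
  cat "$1"/crls/*.pem > "$bundle" 2>/dev/null || :
  if openssl verify -CAfile "$1/cacerts/ca.pem" -CRLfile "$bundle" -crl_check "$2" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
  rm -f "$bundle"
}

# Part 2: wrap a decoded ConfigUpdate in the Envelope "peer channel update" expects.
wrap_update_in_envelope() {  # $1 = channel id, $2 = ConfigUpdate JSON
  printf '{"payload":{"header":{"channel_header":{"channel_id":"%s","type":2}},"data":{"config_update":%s}}}' "$1" "$2"
}

# Fetch the channel config, append the CRL (base64) to the org MSP's
# revocation_list, compute the delta, sign and submit. Needs peer, configtxlator,
# jq and an admin MSP in the environment; all file names are assumed.
update_channel_crl() {  # $1 = channel id, $2 = org MSP id, $3 = CRL PEM
  peer channel fetch config config_block.pb -c "$1" -o "$ORDERER"
  configtxlator proto_decode --input config_block.pb --type common.Block --output config_block.json
  jq '.data.data[0].payload.data.config' config_block.json > config.json
  jq --arg org "$2" --arg crl "$(base64 -w0 "$3")" \
    '.channel_group.groups.Application.groups[$org].values.MSP.value.config.revocation_list += [$crl]' \
    config.json > modified_config.json
  configtxlator proto_encode --input config.json --type common.Config --output config.pb
  configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
  configtxlator compute_update --channel_id "$1" --original config.pb --updated modified_config.pb --output update.pb
  configtxlator proto_decode --input update.pb --type common.ConfigUpdate --output update.json
  wrap_update_in_envelope "$1" "$(cat update.json)" > update_in_envelope.json
  configtxlator proto_encode --input update_in_envelope.json --type common.Envelope --output update_in_envelope.pb
  peer channel signconfigtx -f update_in_envelope.pb   # as org admin; collect the signatures the mod policy requires
  peer channel update -f update_in_envelope.pb -c "$1" -o "$ORDERER"
}

if [ "${1:-}" = apply ]; then
  update_channel_crl "$2" "$3" "$4"
else
  make_demo_pki
  install_crl "$WORK/msp" "$WORK/crl-empty.pem"
  echo "with empty CRL in crls/:    $(check_identity "$WORK/msp" "$WORK/user.pem")"
  install_crl "$WORK/msp" "$WORK/crl.pem"
  echo "with revoking CRL in crls/: $(check_identity "$WORK/msp" "$WORK/user.pem")"
fi
```

Run without arguments and the same certificate is accepted with the empty CRL and rejected once the revoking CRL is in `crls/`; that is the switch Hojjat's setup is missing. The channel part deliberately fails closed on missing tools, and the same CRL has to be added to every channel the org belongs to, since each channel carries its own copy of the org MSP.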
