Re: Confusions in Fabric-CA operational guide

Joe Alewine <joe.alewine@...>

Hey, Abhijeet.
A peer registers and enrolls with both an "enrollment" CA and a TLS CA. This is because a peer has to both sign its communications (using a cert from an enrollment CA) and secure the communications it makes through a TLS handshake (using certificates from a TLS CA).
An analogy might help here. In the Middle Ages in Europe, it was common for a king of some country or another to send communications that were sealed with his (or her) private seal and also have this communication carried by a trusted courier. The seal in this case would be the method the regent used to literally stamp their communications and is therefore analogous to the public/private key pair issued by an enrollment CA, while the message itself being delivered by a trusted courier would be analogous to the TLS certificate.
In other words, both the message itself and the way the message is delivered are secured.
For more information, I suggest reading the Fabric CA deployment guide:
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
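To make the split described above concrete, here is an added example; it is not code from this thread, from Fabric, or from fabric-ca-client. It builds an enrollment CA and a TLS CA in memory with Go's standard library, enrolls one peer with each (a signing cert from the enrollment CA, a TLS server cert from the TLS CA), then shows that each certificate validates only under its own root: the TLS cert satisfies a client that trusts the TLS CA's cert and is rejected by one that trusts only the enrollment CA's cert, and a signature made with the enrollment key verifies only when the signer's cert chains to the enrollment root. Names such as org1-ca and peer0.org1 are made up, the "transaction" is a constructed byte string, and the chain checks call crypto/x509 directly rather than any Fabric API; with ServerAuth the check is the one crypto/tls performs on a server certificate against its configured RootCAs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what an enrollment yields: a certificate from a CA plus the
// private key that never left the enrolling node.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // monotonically increasing certificate serial for this demo

// mint generates a fresh P-256 key and has parent sign tmpl for it.
// A nil parent produces a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	return Identity{cert, key}
}

// NewCA creates a self-signed root. The same code serves as the enrollment CA
// and as the TLS CA; what differs is the purpose each root is trusted for.
func NewCA(cn string) Identity {
	return mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// EnrollSigning issues the peer's signing (enrollment) cert from the enrollment CA.
func EnrollSigning(ca Identity, cn string) Identity {
	return mint(&x509.Certificate{
		Subject:  pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca.Cert, ca.Key)
}

// EnrollTLS issues the peer's TLS server cert from the TLS CA.
func EnrollTLS(ca Identity, host string) Identity {
	return mint(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Cert, ca.Key)
}

// ChainsTo reports whether leaf validates to root for the given purpose. With
// ServerAuth this is the check crypto/tls applies to a server certificate
// against Config.RootCAs during the handshake.
func ChainsTo(leaf, root *x509.Certificate, eku x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}

// Sign signs msg with the peer's enrollment key: the "seal" on the message.
func Sign(signer Identity, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, signer.Key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySigned checks a received message: the signer's cert must chain to the
// enrollment root we trust, and the signature must verify under its public key.
func VerifySigned(root, signerCert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ChainsTo(signerCert, root, x509.ExtKeyUsageAny) {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Hypothetical org: the names are assumptions for this example, not Fabric defaults.
	enrollCA, tlsCA := NewCA("org1-ca"), NewCA("org1-tls-ca")
	peerSign := EnrollSigning(enrollCA, "peer0.org1")
	peerTLS := EnrollTLS(tlsCA, "peer0.org1.example.com")
	msg := []byte("constructed sample transaction payload") // constructed input
	sig := Sign(peerSign, msg)
	fmt.Println("TLS cert trusted via TLS CA root:       ", ChainsTo(peerTLS.Cert, tlsCA.Cert, x509.ExtKeyUsageServerAuth))
	fmt.Println("TLS cert trusted via enrollment CA root:", ChainsTo(peerTLS.Cert, enrollCA.Cert, x509.ExtKeyUsageServerAuth))
	fmt.Println("signature valid under enrollment root:  ", VerifySigned(enrollCA.Cert, peerSign.Cert, msg, sig))
	fmt.Println("signature valid under TLS CA root:      ", VerifySigned(tlsCA.Cert, peerSign.Cert, msg, sig))
}
```

Running it with `go run` prints true, false, true, false: the TLS certificate is only acceptable to a client whose trusted root is the TLS CA's certificate, and the signature is only acceptable to a verifier whose trusted root is the enrollment CA's certificate. Handing either side the other CA's root does not make anything weaker in the cryptographic sense; it simply means nothing verifies, which is the failure you see when the two roots are mixed up in a client configuration.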

----- Original message -----
From: "Abhijeet Bhowmik" <abhijeet@...>
Sent by: fabric@...
To: fabric@...
Subject: [EXTERNAL] [Hyperledger Fabric] Confusions in Fabric-CA operational guide
Date: Thu, Jul 16, 2020 11:35 PM
Studying the Fabric-CA operational guide, there are mainly two certificates present in the CA's crypto folder, ca-cert.pem and tls-cert.pem. There is no mention of what tls-cert.pem is supposed to be. While running fabric-ca-client register commands targeting the TLS CA server, we used the TLS CA's ca-cert.pem, and while registering the peer and admin with the Org's CA server, the Org CA's ca-cert.pem is used. I have developed a notion that we tell fabric-ca-client to trust only a CA server whose signature while TLSing matches the criteria as per ca-cert.pem. Am I right in thinking this? And also, what certificate should I use as trustedRoots when making a connection to Fabric CA via the Fabric CA client SDK? Please excuse me if my questions are naive. I am still a novice.
Thanks a lot
Abhijeet Bhowmik
