Key usage in Hyperledger Fabric node TLS Certificates #fabric-ca #ssl #tls


chintanr97@...
 

I am generating certificates in Hyperledger Fabric using the Fabric CA. I am passing a self-signed certificate as the root certificate for both enrollment and TLS certificate issuance in HLF. It is for testing purposes, and so the same Fabric CA (single root certificate) is used to issue enrollment and TLS certificates. The root certificate has the following `Key Usages`:
 
    X509v3 Key Usage: critical
    Digital Signature, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
 
In the node enrollment certificate, I have the following `Key Usages`:
 
    X509v3 Key Usage: critical
        Digital Signature
 
Now, for the TLS certificate I run the `fabric-ca-client enroll` command and pass `--enrollment.profile tls` as one of the arguments to the call. When I decode the node TLS PEM certificate, I get the following `Key Usages`:
 
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication 
 
Now, I was referring to one RFC here to identify the **Elliptic Curve Cryptography Subject Public Key Information**. In section 3, I read that `Key Encipherment` is not a valid key usage extension for elliptic curve certificates. Through some more research, I also found that `Key Encipherment` is used for symmetric key encryption (please correct me if I am wrong).
 
Now, my questions are:
 
 1. Why is Fabric CA adding `Key Encipherment` as a key usage in the node TLS certificate if it is not according to the ECC RFC standards?
 2. How does TLS communication actually happen in the case of elliptic curve certificates and keys?
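The RFC with that title is RFC 5480, and its section 3 lists digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly alongside keyAgreement) as the key usage bits that may appear in a certificate whose key is id-ecPublicKey; keyEncipherment is the RSA key-transport bit and has no meaning for an EC key. In a TLS handshake with an ECDSA certificate the server proves key ownership by signing the ephemeral ECDH exchange, so digitalSignature is the bit actually exercised. The following Go program is an added example, not code from the Fabric project or from the original post: it builds a constructed, self-signed P-256 certificate carrying the exact usage bits shown in the post, and a second one with keyEncipherment dropped, and reports which bits conflict with the RFC 5480 profile. `ProblemsFromPEM` can be pointed at a real node TLS certificate; the CommonName and validity period are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ECKeyUsageProblems returns the key usage bits in cert that RFC 5480
// section 3 does not permit for an id-ecPublicKey subject key.
// An empty result means the key usage is consistent with the key type.
// Certificates with non-EC keys are out of scope and yield nil.
func ECKeyUsageProblems(cert *x509.Certificate) []string {
	if _, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok {
		return nil
	}
	var problems []string
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		problems = append(problems, "keyEncipherment") // RSA key transport only
	}
	if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
		problems = append(problems, "dataEncipherment") // not defined for EC keys
	}
	// encipherOnly / decipherOnly only make sense together with keyAgreement.
	if cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 &&
		cert.KeyUsage&(x509.KeyUsageEncipherOnly|x509.KeyUsageDecipherOnly) != 0 {
		problems = append(problems, "encipherOnly/decipherOnly without keyAgreement")
	}
	return problems
}

// ProblemsFromPEM parses the first CERTIFICATE block in pemBytes (for
// instance a node's tls-cert.pem) and runs ECKeyUsageProblems on it.
func ProblemsFromPEM(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return ECKeyUsageProblems(cert), nil
}

// SelfSignedECCert builds a constructed, self-signed P-256 certificate that
// carries exactly the key usage bits given, standing in for a node TLS cert.
// Go marks the keyUsage extension critical, as Fabric CA does.
func SelfSignedECCert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer0.example.com"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Bits observed on the node TLS certificate in the post.
	asIssued := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement
	// The same certificate with the RSA-only bit removed.
	cleaned := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement
	for _, u := range []x509.KeyUsage{asIssued, cleaned} {
		cert, err := SelfSignedECCert(u)
		if err != nil {
			panic(err)
		}
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
		problems, err := ProblemsFromPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key usage 0x%x -> problems: %v\n", int(u), problems)
	}
}
```

The check deliberately treats keyAgreement as acceptable: an EC key can be used for static ECDH, so that bit is defensible even though modern TLS uses ephemeral keys and only needs digitalSignature. Only keyEncipherment is flagged for the certificate as issued.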
