how certificates get derived from the real fabric-ca-server certificate in hfc-key-store in hyperledger? #fabric #fabricca #fabric-sdk-node


I'd like to explain what I understand correctly first and if I'm right, please tell me the truth and if I'm mistaken, tell me also that I'm mistaken. My explanation is about how hyperledger network and node sdk works together and how node sdk connects to hyperledger network.

Let's start. When I start hyperledger network, what it does is creates fabric-ca-server docker image and container on port 7054. On that port, it registered an user "admin with the password : "adminpwd". Which means there have also been certificates made for this user. Now let's say I want to create a new user from node sdk. I guess what I need to do is to have the certificate for Admin so that I can sign my request and network knows I'm admin and part of the network. What the code does is it firsts writes getUserContext("admin") and if it doesn't find, then it tries to enroll with the username and password (admin and adminpwd). My understanding is that getUserContext goes to hfc-key-store folder and tries to find the certificate for admin. if it doesn't find it, there happens enrolling and then happens createUser function, which puts certificate derived from fabric-ca-server docker image into hfc-key-store, so that when admin tries to enroll again, it doesn't have to go to fabric-ca-server docker image. Am I right so far? I'll ask my questions now.

Questions :

  1. I understand that when trying to enroll, it doesn't fetch the original certificate for admin from fabric-ca-server docker image, because if it gets stolen, whole network gets screwed up. so what It does is derives some kind of public/private and certificate from the original one with what I can make other operations. Question is : what If someone stole my hfc-key-store folder in which there's admins certificates. he can do operations without enrolling,because getUserContext("admin") would return true and it would let it do anything. What if someone steals that folder? isn't it dangerous?

  2. I don't understand what getUserContext() and setUserContext() and what createUser() functions mean at all. PLease if you can do, just describe them in a very understandable language, because It's been a long time since I've been trying to wrap my head around this but with no luck. Why do we need these functions, what they help us with and so on.

  3. Why is cryptogen tool not used in production but fabric-ca-server usable in production?