Confusions in Fabric-CA operational guide


Abhijeet Bhowmik <abhijeet@...>
 

Hello,

Studying the Fabric-CA operational guide, there are mainly two certificates present in the CA's crypto folder, ca-cert.pem and tls-cert.pem. There is no mention of what tls-cert.pem is supposed to be. While running fabric-ca-client register commands targeting the TLS CA server, we used the TLS CA's ca-cert.pem, and while registering the peer and admin with the Org's CA server, the Org CA's ca-cert.pem is used. I have developed a notion that we tell fabric-ca-client to trust only a CA server whose signature while TLSing matches the criteria as per ca-cert.pem. Am I right in thinking this? And also, what certificate should I use as trustedRoots when making a connection to Fabric CA via the Fabric CA client SDK? Please excuse me if my questions are naive. I am still a novice.

Thanks a lot
Abhijeet Bhowmik


Joe Alewine <joe.alewine@...>
 

Hey, Abhijeet.
 
A peer registers and enrolls with both an "enrollment" CA and with a TLS CA. This is because a peer has to both sign its communications (using a cert from an enrollment CA) and secure the communications it makes through a TLS handshake (using certificates from a TLS CA). 
 
An analogy might help here. In the Middle Ages in Europe, it was common for a king of some country or another to send communications that were sealed with his (or her) private seal and also have this communication carried by a trusted courier. The seal in this case would be the method the regent used to literally stamp their communications, and is therefore analogous to the public/private key pair issued by an enrollment CA. The message itself being delivered by a trusted courier would be analogous to the TLS certificate.
 
In other words, both the message itself and the way the message is delivered are secured.  
 
For more information, I suggest reading the Fabric CA deployment guide: https://hyperledger-fabric-ca.readthedocs.io/en/master/deployguide/ca-deploy.html
 
Regards,
 
Joe Alewine
IBM Blockchain, Raleigh
 
rocket chat: joe-alewine
slack: joe.alewine
 
 
 

----- Original message -----
From: "Abhijeet Bhowmik" <abhijeet@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Confusions in Fabric-CA operational guide
Date: Thu, Jul 16, 2020 11:35 PM
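As an added example of the point in Joe's reply (this is not code from the Fabric docs or the Fabric CA code base): two separate self-signed roots stand in for an enrollment CA's and a TLS CA's ca-cert.pem, the TLS CA issues a peer's TLS server certificate, and a chain check shows that only the TLS CA root validates it. This is why the root handed to a client as trustedRoots for the TLS handshake has to be the TLS CA's, not the enrollment CA's. The CA names and the peer hostname are made up; errors are ignored for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and a cert for name, signed by parent (self-signed if parent is nil).
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // isCA=true stands in for a Fabric CA's ca-cert.pem
	}
	if !isCA { // leaf: the TLS server cert a TLS CA issues to a peer or to the CA server's own listener
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedByRoot is the client-side handshake check: does serverCert chain to the root given as trustedRoots?
func trustedByRoot(root, serverCert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// demo builds one enrollment CA and one TLS CA (made-up names) and reports which root validates the peer's TLS cert.
func demo() (tlsRootTrusts, enrollRootTrusts bool) {
	enrollCA, _ := makeCert("org1-enrollment-ca", true, nil, nil)
	tlsCA, tlsKey := makeCert("org1-tls-ca", true, nil, nil)
	peerTLS, _ := makeCert("peer0.org1.example.com", false, tlsCA, tlsKey)
	return trustedByRoot(tlsCA, peerTLS, "peer0.org1.example.com"), trustedByRoot(enrollCA, peerTLS, "peer0.org1.example.com")
}

func main() { fmt.Println(demo()) } // prints: true false
```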