Proper way of handling singcerts after expiration #openssl #signcerts #x509


Alejo Acosta
 

Hi guys
We have a HLF running on a production environment, and the signcerts certificates are about to expire (both MSP and TLS).
The certificate are issued by our own organizations CA.
I have 2 questions:

1. What is the recommended procedure to replace expired signcerts with new ones on a production environment?
2. In the context of HLF, the TLS certificates can be used as MSP certificates? Or is there any limitation? 

Thank you!!


Tsvetan Georgiev
 

Hi Alejo,

There are multiple aspects to consider when rotating or updating the expired certs (TLS or identity)

"1. What is the recommended procedure to replace expired signcerts with new ones on a production environment?"
You can check how it works for the ordering service here: https://hyperledger-fabric.readthedocs.io/en/release-2.3/raft_configuration.html. Recently there was a new feature implemented to help with the ordering service TLS expired certs: https://jira.hyperledger.org/browse/FAB-18171
Not sure what HLF release you are using. The best is to check what is actually available for each release here: https://github.com/hyperledger/fabric/releases 

The trickiest part is to rotate/update the ordering service expired certs. Make sure to carefully read how it works and what to consider before doing it as a mistake can make your raft ordering service lose quorum. 

The admin, peers and users certs can be updated and replaced at the location where you keep them. For example for each peer you will have to replace the expired certs with the new ones on the file system of the peer, This includes the identity / tls certs of the peer and the cert of the peer admin (unless you use OU admin as in such case there is no need to keep the admin cert on the peer). After you replace them you need to restart the peer.

"2. In the context of HLF, the TLS certificates can be used as MSP certificates? Or is there any limitation?"
I am not aware of limitation however it is recommended to have two separate CAs to handle MSP TLS and MSP identities certs: https://hyperledger-fabric.readthedocs.io/en/release-2.3/deployment_guide_overview.html#step-three-set-up-your-cas
Snippet: "In a production network, it is recommended to deploy at least one CA per organization for enrollment purposes and another for TLS. "

Hope that will help you...

Senofi

Tsvetan Georgiev
Director, Senofi Inc.

438-494-7854 | tsvetan@...

www.senofi.ca

www.consortia.io







---- On Fri, 26 Mar 2021 11:50:40 -0400 Alejo Acosta <alejoacos@...> wrote ----

Hi guys
We have a HLF running on a production environment, and the signcerts certificates are about to expire (both MSP and TLS).
The certificate are issued by our own organizations CA.
I have 2 questions:

1. What is the recommended procedure to replace expired signcerts with new ones on a production environment?
2. In the context of HLF, the TLS certificates can be used as MSP certificates? Or is there any limitation? 

Thank you!!