Use certificates from a non-Fabric CA with your Fabric network #signcerts #interoperability #fabric-ca #x509


Hello Community, 


I'm working on a use case where I need to use certificates, which bind resources to identities, that have been already issued by an Authoritative CA with the Fabric Network I'm developing which is dealing with the same resources bound in the certificates. 


Reading the docs: 

I see that yes it is possible, but I cannot figure out How. 

There are several articles about how "to link" a third party or external CA to a HF CA, but I guess this is not the use case. Actually, instead of linking the Authoritative CA to a HF CA I would like just to use the certificates emitted by the Authoritative CA into my network.

Basically, I want to bind the existing authorization model to my HF network.  


So let's imagine a scenario: 


user with (certificate, private_key) externally emitted --> Fabric CA --> User credential for the Fabric Network

where the fabric CA can verify, using a trust anchor, the validity of the certificate provided by the user and upon successfull verification, emit the user credential for the fabric network.


Has such a solution already been implemented?  

Any advise, different solution or pointer to docs I can read about? 


Thanks to All, 

Stefano Angieri 




Gari Singh

People have used directly used certificates that were not issued by a Fabric CA as credentials within a Fabric network.

Luckily, there's really no magic here.  You will need to set up the membership service provider (MSP) for your organization using the crypto material from the 3rd party CA.
The structure of an MSP is described here:

At a high level, you just need to populate the MSP structure with artifacts from/generated by the 3rd party CA.  You'll minimally need the root/intermediate chain from the authoritative CA and you'll likely at least one issued certificate to populate admins.

Do be aware that if you use one of the public CAs (like the ones trusted by browsers), this can be problematic as MSPs are differentiated by their root/intermediate chain and therefore anyone with a cert issued by one of the public CAs will match an organization with a MSP containing one of the public CAs.


Stephano, you can give EJBCA a try. That can be your authoritatively CA you’re looking for. It is open source and you can easily issue set of certificates (root/intermedite/end ca + user certs) directly from the admin UI page and use it to bootstrap your fabric network.