How to add an intermediate CA with Fabric CA and docker #fabric-ca #docker
famar
Hello everyone, I'm trying to implement a test fabric network by setting 1 TLS-CA, 1 ROOT-CA, 1 ORG, 1 Orderer and 1 Intermediate CA.
I'm having some trouble implementing the intermediate CA with docker. This is the section of the docker-compose.yaml file for the intermediate CA:

  ica-org0:
    container_name: ica-org0
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b icaadmin:icaadminpw --port 7054'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org2
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_CSR_CN=
      - FABRIC_CA_SERVER_CSR_CA_PATHLENGTH=0
      - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_CANAME=rca-org0
      - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_URL=https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
      - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_PROFILE=ca
      - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/tmp/hyperledger/ca-tls/ca/crypto/ca-cert.pem
      - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=127.0.0.1:9444
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/ica-org0/ca:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7054:7054
I am having trouble registering identities and moving through certificates. Would you know what steps to follow to set up an intermediate CA? Thank you
Kavin Arumugam
Hi Famar,
Thanks & Regards
Kavin Arumugam

On Tue, Mar 1, 2022 at 4:07 PM famar <fabrizio.marangio@...> wrote:
Hello everyone, I'm trying to implement a test fabric network by setting 1 TLS-CA, 1 ROOT-CA, 1 ORG, 1 Orderer and 1 Intermediate CA.
famar
Hi Kavin, I have already read the documentation, and when I set the configuration files manually I have no problem. The problems arise when I start using docker-compose.

First of all, the documentation says to copy the TLS CA's ca-cert.pem file into the organization folder. But if I perform the enrollment of the admin of my organization this way:

  export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
  fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053

that is, indicating as TLS certificate the one contained in the TLS CA folder, I get this error:

  Post "https://0.0.0.0:7053/enroll": x509: certificate signed by unknown authority

If instead I don't use the file in the TLS CA folder but the one in the organization folder:

  export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem

the enrollment is successful, but I can't understand why, since the documentation says to use the one in the TLS CA folder. This problem affects the whole flow, preventing me from understanding how to set up an intermediate CA. From the documentation I think I have more or less understood how to set up the docker-compose.yaml section, but I can't understand how to manage the certificate files.

On Thu, 3 Mar 2022 at 03:46 Kavin Arumugam <a.kavin24@...> wrote:
famar
Hello, I have been making changes to the docker file attempting to replicate what is done here https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html using docker compose. I refer to this link because it is the only one that gives information about intermediate CAs. I first initialize my TLS CA with this docker configuration:
After that I create a folder where to save the certificates to link then to a volume and save the ca-cert.pem of the TLSCA in this folder:
At this point I carry out the enrollment of the admin of the tls ca and the registration of the admin of the rca-org0 and the intermediate ca:
after that i enroll the two admins:
Then i create a sub folder in the certificates folder to store the cert.pem and the key just created for rca-org0 admin:
Now I launch the command docker-compose up rca-org0 to start my root CA. This is the docker configuration:
But I get this error:

  Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[103 71 48 157 205 189 109 100 50 86 145 54 249 131 248 89 73 236 75 182 14 211 37 24 30 245 244 121 174 167 139 188]]: Key with SKI 6747309dcdbd6d6432569136f983f85949ec4bb60ed325181ef5f479aea78bbc not found in /tmp/hyperledger/fabric-ca/crypto/msp/keystore.

Can someone help me solve this problem? Thanks
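The two failures in this thread, the client-side "x509: certificate signed by unknown authority" and the server-side "Key with SKI ... not found in .../msp/keystore", both come down to which CA's material sits in which directory. The Go program below is an added example written for this page; it is not Fabric code and not from any participant. It models the situation with constructed keys and certificates: two unrelated CAs named tls-ca and rca-org0 (names taken from the thread), with rca-org0's TLS server certificate signed by rca-org0's own CA key (an assumption of the example, standing in for what fabric-ca-server does with TLS enabled and no tls.certfile), a client trust check against each root, and the SKI derivation Fabric's software BCCSP uses for EC keys (SHA-256 over the uncompressed point), which is how the "<SKI>_sk" file name in msp/keystore is formed. The functions, the temporary keystore directory and the empty key file are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// fabricSKI is the key identifier Fabric's software BCCSP derives for EC keys:
// SHA-256 over the uncompressed point (0x04 || X || Y). msp/keystore stores the
// private key as "<hex SKI>_sk"; "Key with SKI ... not found" is that file missing.
func fabricSKI(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	return hex.EncodeToString(sum[:])
}

// keystoreHasKeyFor reports whether dir holds the "<SKI>_sk" file for pub.
func keystoreHasKeyFor(pub *ecdsa.PublicKey, dir string) bool {
	_, err := os.Stat(filepath.Join(dir, fabricSKI(pub)+"_sk"))
	return err == nil
}

// trustedBy is the check fabric-ca-client makes with FABRIC_CA_CLIENT_TLS_CERTFILES:
// does the server's TLS certificate chain to root? A non-nil error is the
// "x509: certificate signed by unknown authority" seen in the thread.
func trustedBy(serverCert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// must panics on error: the scaffolding below only handles constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue stands in for fabric-ca-server init (assumed, not Fabric's own code): it signs
// a certificate for pub with parentKey, self-signed when parent is nil.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// demo models two unrelated CAs, tls-ca and rca-org0, with rca-org0's TLS server
// certificate issued by rca-org0 itself (assumed: what fabric-ca-server does with TLS
// enabled and no tls.certfile). It reports whether that certificate verifies against
// each root, and whether each CA's ca-cert.pem finds a key in rca-org0's keystore.
func demo() (trustTLSCA, trustOrgCA, ownKey, foreignKey bool) {
	tlsKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	orgKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tlsCA := issue("tls-ca", true, &tlsKey.PublicKey, nil, tlsKey)
	orgCA := issue("rca-org0", true, &orgKey.PublicKey, nil, orgKey)
	srvCert := issue("rca-org0", false, &srvKey.PublicKey, orgCA, orgKey)
	trustTLSCA = trustedBy(srvCert, tlsCA) == nil
	trustOrgCA = trustedBy(srvCert, orgCA) == nil

	// A keystore holding only rca-org0's key under the name Fabric uses; an empty
	// file is enough for the existence check (constructed test data, not a real key).
	dir := must(os.MkdirTemp("", "keystore"))
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, fabricSKI(&orgKey.PublicKey)+"_sk"), nil, 0o600); err != nil {
		panic(err)
	}
	ownKey = keystoreHasKeyFor(orgCA.PublicKey.(*ecdsa.PublicKey), dir)
	foreignKey = keystoreHasKeyFor(tlsCA.PublicKey.(*ecdsa.PublicKey), dir)
	return
}

func main() {
	a, b, c, d := demo()
	fmt.Printf("trusted via tls-ca root: %v, via rca-org0 root: %v; key for rca-org0 cert: %v, for tls-ca cert: %v\n", a, b, c, d)
}
```

To run the same check against real material, decode ca-cert.pem with pem.Decode and x509.ParseCertificate, take cert.PublicKey.(*ecdsa.PublicKey), and point keystoreHasKeyFor at the server's msp/keystore directory: a false result means the certificate in that directory belongs to a key this server never generated, which is what the "Key with SKI ... not found" message is reporting. The trust check shows the other half of the picture: a client only trusts a server whose TLS certificate chains to the root it was given, so the root that works is the one that actually signed that server's TLS certificate.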
famar
Hi Kavin, from what I can see, you commented out the docker configuration files and edited the server configuration files directly. That way it actually works, but what I was trying to do was to use docker compose to set the configuration. At the moment I was able to start the root CA, but I am having problems with the intermediate. To avoid putting all the commands here, I refer to the link of a question I asked about it on stackoverflow: https://stackoverflow.com/questions/71427636/error-during-creation-of-an-hyperledger-fabric-intermediate-ca-with-docker-compo If you could take a look at it, I'd appreciate it. Thank you.

Regards,
Fabrizio Marangio

On Mon, 14 Mar 2022 at 04:05 Kavin Arumugam <a.kavin24@...> wrote: