How to add an intermediate CA with Fabric CA and docker #fabric-ca #docker


famar
 

Hello everyone, I'm trying to implement a test fabric network by setting 1 TLS-CA, 1 ROOT-CA, 1 ORG, 1 Orderer and 1 Intermediate CA.
I'm having some trouble implementing intermediate CA with docker.
This is the section of the docker-compose.yaml file for the intermediate CA:
 
  ica-org0:
    container_name: ica-org0
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b icaadmin:icaadminpw --port 7054'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org2
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_CSR_CN=
        - FABRIC_CA_SERVER_CSR_CA_PATHLENGTH=0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_CANAME=rca-org0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_URL=https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_INTERMEDIATE_PARENTSERVER_INTERMEDIATE_ENROLLMENT_PROFILE=ca
        - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/tmp/hyperledger/ca-tls/ca/crypto/ca-cert.pem
        - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=127.0.0.1:9444
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/ica-org0/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7054:7054

I am having trouble registering identities and moving through certificates. Would you know what steps to follow to enter an intermediate CA? Thank you


Kavin Arumugam
 

Hi Famar,

If you are exploring for the first time, I would suggest you go with the Fabric CA binaries-based deployment by referring to the following link.
If you are comfortable with that, then go ahead with the docker-based deployment.

Thanks & Regards
Kavin Arumugam

On Tue, Mar 1, 2022 at 4:07 PM famar <fabrizio.marangio@...> wrote:


famar
 

Hi Kavin, I have already read the documentation and when I try to manually set the configuration files I have no problem. The problems arise when I start using docker-compose.
First of all in the documentation it is indicated to copy the TLS CA ca-cert.pem file in the organization folder.
But if I effect the enrollment of the admin of my organization in this way:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053

then indicating as TLS certificate the one contained in the TLS CA folder I get this error:

"Post "https://0.0.0.0:7053/enroll": x509: certificate signed by unknown authority".

If instead I don't use the file in the TLS CA folder but the one in the organization folder:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem

The enrollment is successful but I can't understand why, since in the documentation it is indicated to use the one present in the TLS CA folder.

This problem affects the whole flow, preventing me from understanding how to set up an intermediate CA. From the documentation I think I have more or less understood how to set the section of the docker-compose.yaml, but I cannot understand how to manage the certificate files.


On Thu, Mar 3, 2022 at 03:46 Kavin Arumugam <a.kavin24@...> wrote:


famar
 

Hello, I have been making changes to the docker file attempting to replicate what is done here https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html using docker compose.
I refer to this link because it is the only one that gives information about intermediate CAs.
I first initialize my TLS CA with this docker configuration:

version: '2'

networks:
  fabric-ca:

services:
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.5.2
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CA_NAME=tls-ca
        - FABRIC_CA_SERVER_CSR_CN=tls-ca
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
        - /tmp/hyperledger/certificates/:/certificates
    networks:
        - fabric-ca
    ports:
        - 7052:7052

After that I create a folder in which to save the certificates, to link them to a volume later, and save the ca-cert.pem of the TLS CA in this folder:

mkdir /tmp/hyperledger/fabric-ca-client/certificates/
cp /tmp/hyperledger/tls-ca/crypto/ca-cert.pem /tmp/hyperledger/certificates/tls-ca-cert.pem

At this point I carry out the enrollment of the admin of the tls ca and the registration of the admin of the rca-org0 and the intermediate ca:

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin
fabric-ca-client register -d --id.name rca-org0-admin --id.secret rca-org0-adminpw -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name ica-admin --id.secret ica-admin-pw -u https://0.0.0.0:7052

After that I enroll the two admins:

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/org0admin
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7052 --enrollment.profile tls --csr.hosts '0.0.0.0'
 
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/icaadmin
fabric-ca-client enroll -d -u https://ica-admin:ica-admin-pw@0.0.0.0:7052 --enrollment.profile tls --csr.hosts '0.0.0.0'

Then I create a subfolder in the certificates folder to store the cert.pem and the key just created for the rca-org0 admin:

mkdir /tmp/hyperledger/certificates/org0-cert-key
cp /tmp/hyperledger/tls-ca/org0admin/msp/signcerts/cert.pem /tmp/hyperledger/certificates/org0-cert-key/cert.pem
cp /tmp/hyperledger/tls-ca/org0admin/msp/keystore/* /tmp/hyperledger/certificates/org0-cert-key/

Now I launch the command docker-compose up rca-org0 to start my root CA. This is the docker configuration:

rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.5.2
    command: sh -c  'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_TLS_CERTFILE=/certificates/org0-cert-key/cert.pem
        - FABRIC_CA_SERVER_TLS_KEYSTORE=/certificates/org0-cert-key/key.pem
        - FABRIC_CA_SERVER_CSR_CN=rca-org0
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
        - FABRIC_CA_SERVER_CA_NAME=rca-org0
    volumes:
        - /tmp/hyperledger/org0/ca/:/tmp/hyperledger/fabric-ca
        - /tmp/hyperledger/certificates/:/certificates
    networks:
        - fabric-ca
    ports:
        - 7053:7053
 
But I have this error:

Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[103 71 48 157 205 189 109 100 50 86 145 54 249 131 248 89 73 236 75 182 14 211 37 24 30 245 244 121 174 167 139 188]]: Key with SKI 6747309dcdbd6d6432569136f983f85949ec4bb60ed325181ef5f479aea78bbc not found in /tmp/hyperledger/fabric-ca/crypto/msp/keystore.

Can someone help me to solve this problem? Thanks
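Fabric's software BCCSP identifies an EC key by its SKI (SHA-256 over the uncompressed public point) and names the keystore file <hex SKI>_sk, so the cp above saves the key under that name while tls.keystore points at a key.pem that does not exist; when the named key file is absent, fabric-ca falls back to looking the key up by SKI in its own msp/keystore, which is the error shown (the decimal byte array and the hex string in it are the same 32-byte SKI). The script below is an added example, not from the thread: it recomputes the SKI the way Fabric does and finds the matching _sk file for a certificate, assuming openssl on PATH and generating its own sample key and cert.

```shell
#!/bin/sh
# Added example, not from the thread. Fabric's software BCCSP identifies an EC key
# by SKI = SHA-256(0x04 || X || Y), the uncompressed public point, and stores the
# private key in msp/keystore as <hex SKI>_sk. The error above reports exactly that
# SKI (as a decimal byte array and as hex) and the keystore it searched.
set -eu

# Hex SKI of the public key in a PEM certificate. The DER SubjectPublicKeyInfo of a
# P-256 key is 91 bytes and ends with the 65-byte uncompressed point.
ski_of_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl ec -pubin -outform DER 2>/dev/null |
    tail -c 65 | openssl dgst -sha256 | awk '{print $NF}'
}

# Hex SKI of a PEM private key (derives the public key first).
ski_of_key() {
  openssl ec -in "$1" -pubout -outform DER 2>/dev/null |
    tail -c 65 | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the key file in a keystore directory whose SKI matches the certificate;
# return 1 when none does, the situation behind "Key with SKI ... not found".
find_matching_key() {
  cert="$1"; keystore="$2"
  want=$(ski_of_cert "$cert")
  for k in "$keystore"/*_sk; do
    [ -f "$k" ] || continue
    if [ "$(ski_of_key "$k")" = "$want" ]; then
      echo "$k"
      return 0
    fi
  done
  echo "no key with SKI $want in $keystore" >&2
  return 1
}

# Constructed sample: a fresh P-256 key, a self-signed cert for it, and the key
# saved under its Fabric-style <SKI>_sk name in a keystore directory.
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/keystore"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
  openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=rca-org0-admin" -days 1 \
    -out "$dir/cert.pem" 2>/dev/null
  cp "$dir/key.pem" "$dir/keystore/$(ski_of_key "$dir/key.pem")_sk"
  echo "$dir"
}
```

Against the real files, `find_matching_key /tmp/hyperledger/certificates/org0-cert-key/cert.pem /tmp/hyperledger/certificates/org0-cert-key` prints the _sk file whose name tls.keystore should point at.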


famar
 

Hi Kavin,
From what I can see, you commented out the docker configuration files, going to directly edit the server configuration files. 
This way it actually works but what I was trying to do was to use docker compose to set the configuration. 
At the moment I was able to start root CA but I am having problems with intermediate. 
To avoid putting all the commands here, I refer to the link of a question I asked about it on stackoverflow https://stackoverflow.com/questions/71427636/error-during-creation-of-an-hyperledger-fabric-intermediate-ca-with-docker-compo

If you could take a look at it, I'd appreciate it.
Thank you.

Regards,
Fabrizio Marangio

On Mon, Mar 14, 2022 at 04:05 Kavin Arumugam <a.kavin24@...> wrote:
Hi Fabrizio,

I will suggest you have a look at the attached files. It worked for me.


Thanks & Regards
Kavin Arumugam


On Thu, Mar 10, 2022 at 4:26 PM Fabrizio Marangio <fabrizio.marangio@...> wrote: