Using Fabric CA on Hyperledger Fabric 2.4: A Guide
Introduction to Fabric CA
Fabric CA (Certificate Authority) is a component of Hyperledger Fabric that manages identities within the network. It provides a scalable and flexible way to handle user registration, identity issuance, and certificate management. In this guide, we’ll walk through the process of setting up and using Fabric CA on Hyperledger Fabric 2.4, from installation to generating the required artifacts.
Step 1: Installation
Prerequisites
Before installing Fabric CA, ensure that you have the following prerequisites:
- Docker and Docker Compose
- Go programming language (if building from source)
- Git
Installation Steps
Run the following command:
curl -sSL https://bit.ly/2ysbOFE | bash -s -- 1.5.10
Or download the release archive manually:
wget https://github.com/hyperledger/fabric/releases/download/v1.5.10/hyperledger-fabric-linux-amd64-1.5.10.tar.gz
tar -xvf hyperledger-fabric-linux-amd64-1.5.10.tar.gz
sudo mv bin/* /usr/local/bin/
fabric-ca-server version
Verifying
$ fabric-ca-client version
fabric-ca-client:
Version: v1.5.10
Go version: go1.21.9
OS/Arch: linux/arm64
$ fabric-ca-server version
fabric-ca-server:
Version: v1.5.10
Go version: go1.21.9
OS/Arch: linux/arm64
Step 2: Starting Fabric CA Server
After installation and configuration, start the Fabric CA server using the following command:
fabric-ca-server start -b admin:adminpw
This command starts the Fabric CA server with the specified administrator credentials (admin:adminpw). You can replace these credentials with your desired username and password.
Step 3: Registering Users
Once the Fabric CA server is running, you can register users who will participate in the network. To register a user, use the Fabric CA client CLI (fabric-ca-client) or the Fabric SDK.
Using Fabric CA Client CLI
fabric-ca-client register --id.name user1 --id.secret user1pw --id.type client --id.affiliation org1.department1
This command registers a new user named user1 with the password user1pw, belonging to the org1.department1 affiliation.
Step 4: Enrolling Users
After registering a user, you need to enroll them to obtain cryptographic materials (such as certificates and private keys) required for interacting with the network.
fabric-ca-client enroll -u http://user1:user1pw@localhost:7054
This command enrolls the user user1 using their registered credentials.
Step 5: Generating MSP Artifacts
MSP (Membership Service Provider) artifacts are required for authenticating and authorizing users within the network. Fabric CA provides tools to generate these artifacts.
mkdir -p /path/to/user1/msp
fabric-ca-client certificate generate -M /path/to/user1/msp --id.name user1
This command generates the required MSP artifacts for the user user1 and stores them in the specified directory (/path/to/user1/msp).
Step 6: Registering and Enrolling Peers, Orderers, and Admin User
Registering and Enrolling Peers
Registering and enrolling peers and orderers follows a similar process to registering and enrolling users. You will need to specify the appropriate affiliations and roles for peers and orderers.
fabric-ca-client enroll -u http://<peer_name>:<peer_password>@<ca_server_url>:<ca_port>
Replace the placeholders with the actual values for your setup:
- <peer_name>: The name of the peer.
- <peer_password>: The password associated with the peer's identity.
- <ca_server_url>: The URL of the Fabric CA server.
- <ca_port>: The port number on which the Fabric CA server is running.
For example, if your peer's name is peer1, its password is peer1pw, and the Fabric CA server is running at localhost on port 7054, the command would look like this:
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054
Registering and Enrolling Orderer
To enroll an orderer with Fabric CA, you'll use the Fabric CA client CLI (fabric-ca-client). Here's the command syntax for enrolling an orderer:
fabric-ca-client enroll -u http://<orderer_name>:<orderer_password>@<ca_server_url>:<ca_port>
Replace the placeholders with the actual values for your setup:
- <orderer_name>: The name of the orderer.
- <orderer_password>: The password associated with the orderer's identity.
- <ca_server_url>: The URL of the Fabric CA server.
- <ca_port>: The port number on which the Fabric CA server is running.
For example, if your orderer's name is orderer1, its password is orderer1pw, and the Fabric CA server is running at localhost on port 7054, the command would look like this:
fabric-ca-client enroll -u http://orderer1:orderer1pw@localhost:7054
This command will enroll the orderer using its registered credentials and obtain cryptographic materials required for interacting with the network.
Registering and Enrolling Admin User
Registering and enrolling an admin user is crucial for network administration tasks. Here’s how you can do it:
fabric-ca-client register --id.name admin --id.secret adminpw --id.type admin --id.affiliation org1
This command registers an admin user with the password adminpw, belonging to the org1 affiliation.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
This command enrolls the admin user using their registered credentials.
Directory Structure and Generated Files
After completing the setup and generating artifacts, the directory structure of Fabric CA typically looks like this:
msp
│
├── keystore (Directory for storing private keys)
│ ├── admin_sk (Admin user's private key)
│ ├── peer1_sk (Peer's private key)
│ └── orderer1_sk (Orderer's private key)
│
├── signcerts (Directory for storing X.509 certificates)
│ ├── admin_cert.pem (Admin user's X.509 certificate)
│ ├── peer1_cert.pem (Peer's X.509 certificate)
│ └── orderer1_cert.pem (Orderer's X.509 certificate)
│
├── cacerts (Directory for storing CA certificates)
│ └── ca-cert.pem (Root CA certificate)
│
└── tlscacerts (Directory for storing TLS CA certificates)
└── tls-ca-cert.pem (TLS CA certificate)
Explanation of Generated Files:
- fabric-ca-server-config.yaml: This file contains the configuration settings for the Fabric CA server, including port numbers, database settings, and administrator credentials.
- msp: This directory contains the Membership Service Provider artifacts, including cryptographic materials such as private keys, X.509 certificates, CA certificates, and TLS CA certificates.
- keystore: Private keys of users, peers, orderers, and CAs are stored here.
- signcerts: X.509 certificates issued by the CA are stored here.
- cacerts: Root CA certificates are stored here.
- tlscacerts: TLS CA certificates for secure communication are stored here.
- csr: This directory contains Certificate Signing Requests (CSRs) submitted by users, peers, and orderers during enrollment.
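The layout above is what a peer or orderer will be handed, so it is worth checking an enrolled MSP directory before deploying it: that the certificate in signcerts chains to the CA certificate in cacerts, that the key in keystore actually belongs to that certificate, that the key is not group- or world-readable, and that the certificate is not about to expire. The script below is an added example and not part of the original guide or of Fabric CA itself. It assumes only the openssl CLI and the cacerts/, signcerts/ and keystore/ subdirectories; the function names msp_verify and make_demo_msp are the example's own, and make_demo_msp builds a throwaway MSP from a constructed self-signed CA so the check can be exercised without a running Fabric CA server.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check an MSP directory
# produced by "fabric-ca-client enroll ... -M <dir>". Requires the openssl CLI.

# msp_verify <msp-dir>
# Returns 0 when the MSP is consistent and safe to deploy, a distinct code otherwise.
msp_verify() {
  msp_dir=$1
  ca_pem=$(ls "$msp_dir"/cacerts/*.pem 2>/dev/null | head -n 1)
  cert_pem=$(ls "$msp_dir"/signcerts/*.pem 2>/dev/null | head -n 1)
  key_file=$(ls "$msp_dir"/keystore/* 2>/dev/null | head -n 1)
  if [ ! -f "$ca_pem" ] || [ ! -f "$cert_pem" ] || [ ! -f "$key_file" ]; then
    echo "msp_verify: cacerts, signcerts or keystore is empty in $msp_dir"; return 1
  fi
  # 1. The enrollment certificate must chain to the CA certificate shipped in cacerts/.
  if ! openssl verify -CAfile "$ca_pem" "$cert_pem" >/dev/null 2>&1; then
    echo "msp_verify: $cert_pem is not signed by $ca_pem"; return 2
  fi
  # 2. The private key in keystore/ must be the one the certificate was issued for.
  cert_pub=$(openssl x509 -in "$cert_pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "msp_verify: $key_file does not match $cert_pem"; return 3
  fi
  # 3. The private key must be readable by its owner only (mode 600 or 400).
  mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
  case "$mode" in
    600|400) ;;
    *) echo "msp_verify: $key_file has mode $mode, expected 600"; return 4 ;;
  esac
  # 4. Refuse a certificate that expires within the next 24 hours.
  if ! openssl x509 -in "$cert_pem" -noout -checkend 86400 >/dev/null 2>&1; then
    echo "msp_verify: $cert_pem expires within 24 hours"; return 5
  fi
  return 0
}

# make_demo_msp <work-dir>
# Constructed test data, not Fabric CA output: a self-signed demo CA and one
# ECDSA P-256 identity (the key type Fabric CA issues by default) in <work-dir>/msp.
make_demo_msp() {
  work=$1
  mkdir -p "$work/msp/cacerts" "$work/msp/signcerts" "$work/msp/keystore"
  # demo root CA, marked as a CA via an explicit extension file
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/ca-key.pem"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$work/ca.ext"
  openssl req -new -key "$work/ca-key.pem" -subj "/CN=demo-ca" -out "$work/ca.csr" 2>/dev/null
  openssl x509 -req -in "$work/ca.csr" -signkey "$work/ca-key.pem" -days 2 \
    -extfile "$work/ca.ext" -out "$work/msp/cacerts/ca-cert.pem" 2>/dev/null
  # identity key, CSR and certificate signed by the demo CA
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/msp/keystore/user1_sk"
  openssl req -new -key "$work/msp/keystore/user1_sk" -subj "/CN=user1" \
    -out "$work/user1.csr" 2>/dev/null
  openssl x509 -req -in "$work/user1.csr" -CA "$work/msp/cacerts/ca-cert.pem" \
    -CAkey "$work/ca-key.pem" -CAcreateserial -days 2 \
    -out "$work/msp/signcerts/cert.pem" 2>/dev/null
  rm -f "$work/ca.csr" "$work/user1.csr" "$work/msp/cacerts/ca-cert.srl"
  chmod 600 "$work/msp/keystore/user1_sk"
}

# Usage: sh check_msp.sh /path/to/user1/msp
if [ $# -gt 0 ]; then msp_verify "$1"; fi
```

Run it against the directory you passed to -M. Each failure returns a different exit code, so the check can gate an automated peer or orderer rollout rather than only print a message; the permission check matters because the keystore key is the identity itself and anyone who can read it can sign as that peer, orderer or admin.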
Fabric CA simplifies the process of managing identities within a Hyperledger Fabric network. By following the steps outlined in this guide, you can set up Fabric CA, register and enroll users, peers, orderers, and admin users, and generate the necessary artifacts for authentication and authorization. Fabric CA’s flexibility and scalability make it an essential component for building secure and permissioned blockchain networks on Hyperledger Fabric 2.4.