Using Fabric CA on Hyperledger Fabric 2.4: A Guide

Nova Novriansyah
Novai-Hyperledger Fabric 101
4 min read · Jun 6, 2024

Introduction to Fabric CA

Fabric CA (Certificate Authority) is a component of Hyperledger Fabric that manages identities within the network. It provides a scalable and flexible way to handle user registration, identity issuance, and certificate management. In this guide, we’ll walk through the process of setting up and using Fabric CA on Hyperledger Fabric 2.4, from installation to generating the required artifacts.

Step 1: Installation

Prerequisites

Before installing Fabric CA, ensure that you have the following prerequisites:

  • Docker and Docker Compose
  • Go programming language (if building from source)
  • Git

Installation Steps

Run the bootstrap script. Its first positional argument is the Fabric version and its second the Fabric CA version, so give both (the Fabric version is a 2.4.x release for this guide):

curl -sSL https://bit.ly/2ysbOFE | bash -s -- <fabric_version> 1.5.10

Or download the Fabric CA release tarball directly. The binaries are published from the fabric-ca repository, not the fabric one; swap amd64 for arm64 on ARM hosts:

wget https://github.com/hyperledger/fabric-ca/releases/download/v1.5.10/hyperledger-fabric-ca-linux-amd64-1.5.10.tar.gz
tar -xvf hyperledger-fabric-ca-linux-amd64-1.5.10.tar.gz
sudo mv bin/* /usr/local/bin/
fabric-ca-server version

Verifying the installation

$ fabric-ca-client version
fabric-ca-client:
Version: v1.5.10
Go version: go1.21.9
OS/Arch: linux/arm64


$ fabric-ca-server version
fabric-ca-server:
Version: v1.5.10
Go version: go1.21.9
OS/Arch: linux/arm64

Step 2: Starting Fabric CA Server

After installation, start the Fabric CA server with the following command:

fabric-ca-server start -b admin:adminpw

This starts the Fabric CA server on its default port, 7054, with admin:adminpw as the bootstrap administrator identity; on first start the server also writes fabric-ca-server-config.yaml and a self-signed CA certificate and key into its home directory. Replace these credentials with your own. Note that the enrollment URLs in this guide use http://, which only works because TLS is disabled on the server by default; outside a local test, start the server with --tls.enabled and enroll over https://, giving the client the TLS CA certificate with --tls.certfiles.

Step 3: Registering Users

Once the Fabric CA server is running, you can register the users who will take part in the network, using either the Fabric CA client CLI (fabric-ca-client) or the Fabric SDK. Registration is an authenticated call: the client acts as whichever identity is enrolled in its home directory ($FABRIC_CA_CLIENT_HOME, by default $HOME/.fabric-ca-client), and that identity needs registrar rights, so enroll the bootstrap admin first (its enroll command is shown in Step 6) before registering anyone.

Using Fabric CA Client CLI

fabric-ca-client register --id.name user1 --id.secret user1pw --id.type client --id.affiliation org1.department1

This command registers a new identity named user1 with the enrollment secret user1pw, of type client, under the org1.department1 affiliation. The affiliation must already exist on the server; the default fabric-ca-server-config.yaml defines org1.department1, org1.department2 and org2.department1.

Step 4: Enrolling Users

After registering a user, you need to enroll them to obtain cryptographic materials (such as certificates and private keys) required for interacting with the network.

fabric-ca-client enroll -u http://user1:user1pw@localhost:7054

This command enrolls user1 with the registered credentials: the client generates a key pair locally, sends a CSR to the CA, and stores the signed certificate together with the private key and the CA certificate. Without -M the output goes to $FABRIC_CA_CLIENT_HOME/msp, replacing whichever identity was enrolled there before (the admin, if you followed the previous step), so give each identity its own directory as in Step 5.

Step 5: Generating MSP Artifacts

MSP (Membership Service Provider) artifacts are what Fabric uses to authenticate and authorize an identity. They are produced by enrollment itself: fabric-ca-client enroll writes the private key, the signed certificate and the CA certificate into the directory named with -M (--mspdir), so generating a user's MSP means enrolling that user into a dedicated directory.

mkdir -p /path/to/user1/msp
fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 -M /path/to/user1/msp

This enrolls user1 and stores its MSP artifacts (signcerts/, keystore/, cacerts/) in the specified directory (/path/to/user1/msp). A relative -M path is resolved against the client home directory, so use an absolute path as shown.

Step 6: Registering and Enrolling Peers, Orderers, and Admin User

Registering and Enrolling Peers

Registering and enrolling peers and orderers follows the same register-then-enroll process as for users: register each node first with --id.type peer or --id.type orderer and the appropriate affiliation, then enroll it, giving each node its own -M directory so that node keys never share a directory with user keys.

fabric-ca-client enroll -u http://<peer_name>:<peer_password>@<ca_server_url>:<ca_port>

Replace the placeholders with the actual values for your setup:

  • <peer_name>: The name of the peer.
  • <peer_password>: The password associated with the peer's identity.
  • <ca_server_url>: The URL of the Fabric CA server.
  • <ca_port>: The port number on which the Fabric CA server is running.

For example, if your peer's name is peer1, its password is peer1pw, and the Fabric CA server is running at localhost on port 7054, the command looks like this:

fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054

Registering and Enrolling Orderer

To enroll an orderer with Fabric CA, you’ll use the Fabric CA client CLI (fabric-ca-client). Here's the command syntax for enrolling an orderer:

fabric-ca-client enroll -u http://<orderer_name>:<orderer_password>@<ca_server_url>:<ca_port>

Replace the placeholders with the actual values for your setup:

  • <orderer_name>: The name of the orderer.
  • <orderer_password>: The password associated with the orderer's identity.
  • <ca_server_url>: The URL of the Fabric CA server.
  • <ca_port>: The port number on which the Fabric CA server is running.

For example, if your orderer's name is orderer1, its password is orderer1pw, and the Fabric CA server is running at localhost on port 7054, the command looks like this:

fabric-ca-client enroll -u http://orderer1:orderer1pw@localhost:7054

This command will enroll the orderer using its registered credentials and obtain cryptographic materials required for interacting with the network.

Registering and Enrolling Admin User

Registering and enrolling an admin user is crucial for network administration tasks. Be aware that the -b admin:adminpw option in Step 2 already registered an identity named admin, so running the register command below against that same server is rejected as a duplicate; use it when you want a separate administrator under another name, otherwise go straight to the enroll command.

fabric-ca-client register --id.name admin --id.secret adminpw --id.type admin --id.affiliation org1

This command registers an admin user with the password adminpw, belonging to the org1 affiliation.

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

This command enrolls the admin user using their registered credentials.

Directory Structure and Generated Files

After completing the setup, each identity enrolled with -M has a directory with the layout below. The tree collapses the admin, peer and orderer examples into one directory to show every kind of file; in a real enrollment each identity has its own directory, the key file is named <hash>_sk and the certificate cert.pem.

msp
├── keystore (private keys)
│   ├── admin_sk (admin user's private key)
│   ├── peer1_sk (peer's private key)
│   └── orderer1_sk (orderer's private key)
├── signcerts (X.509 certificates issued by the CA)
│   ├── admin_cert.pem (admin user's X.509 certificate)
│   ├── peer1_cert.pem (peer's X.509 certificate)
│   └── orderer1_cert.pem (orderer's X.509 certificate)
├── cacerts (CA certificates)
│   └── ca-cert.pem (root CA certificate)
└── tlscacerts (TLS CA certificates)
    └── tls-ca-cert.pem (TLS CA certificate)

Explanation of Generated Files:

  • fabric-ca-server-config.yaml: This file contains the configuration settings for the Fabric CA server, including port numbers, database settings, and administrator credentials.
  • msp: This directory contains the Membership Service Provider artifacts, including cryptographic materials such as private keys, X.509 certificates, CA certificates, and TLS CA certificates.
  • keystore: Private keys of users, peers, orderers, and CAs are stored here.
  • signcerts: X.509 certificates issued by the CA are stored here.
  • cacerts: Root CA certificates are stored here.
  • tlscacerts: TLS CA certificates for secure communication are stored here.
  • csr: This directory contains Certificate Signing Requests (CSRs) submitted by users, peers, and orderers during enrollment.
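As an added example (not code from the article or from the Fabric CA project), this is the check worth running on an MSP directory once Step 5 has produced it: the signcerts certificate must chain to the cacerts CA certificate, and the keystore key must be the one the certificate was issued for, otherwise the peer or client will fail to sign. VerifyMSP and SampleMSP are names chosen for this example, and the self-signed CA plus user1 certificate that SampleMSP builds are constructed stand-ins for real enrollment output; in practice pass the contents of msp/cacerts/*.pem, msp/signcerts/cert.pem and msp/keystore/*_sk.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/pem"; "fmt"; "math/big"; "time"
)

// VerifyMSP takes the three PEM files an enrollment leaves under the -M directory
// (cacerts/*.pem, signcerts/cert.pem, keystore/*_sk), checks that the signcert chains
// to the CA and that the key belongs to it, and returns the CN (the enrollment ID).
func VerifyMSP(caPEM, certPEM, keyPEM []byte) (string, error) {
	// der extracts the first PEM block's payload; nil makes the parsers below fail cleanly.
	der := func(p []byte) []byte { b, _ := pem.Decode(p); if b == nil { return nil }; return b.Bytes }
	ca, e1 := x509.ParseCertificate(der(caPEM))
	cert, e2 := x509.ParseCertificate(der(certPEM))
	key, e3 := x509.ParsePKCS8PrivateKey(der(keyPEM)) // Fabric CA stores the key as PKCS#8
	for _, e := range []error{e1, e2, e3} {
		if e != nil { return "", e }
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return "", fmt.Errorf("signcert does not chain to cacerts: %w", err) }
	if k, ok := key.(*ecdsa.PrivateKey); !ok || !k.PublicKey.Equal(cert.PublicKey) {
		return "", fmt.Errorf("keystore key does not match the signcert public key")
	}
	return cert.Subject.CommonName, nil
}

// SampleMSP is a constructed enrollment (self-signed CA, a "user1" cert it issued, PKCS#8 key)
// in the PEM forms fabric-ca-client enroll writes, so the check can be exercised offline.
func SampleMSP() (caPEM, certPEM, keyPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	usrKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca.org1"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	usrTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "user1",
		OrganizationalUnit: []string{"client"}}, NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	usrDER, _ := x509.CreateCertificate(rand.Reader, usrTpl, caCert, &usrKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(usrKey)
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", caDER), enc("CERTIFICATE", usrDER), enc("PRIVATE KEY", keyDER)
}

func main() {
	fmt.Println(VerifyMSP(SampleMSP())) // prints: user1 <nil>
}
```

Running it against a real directory after swapping a key from another enrollment into keystore/ reproduces the mismatch error, which is the usual cause of "signature verification failed" errors when MSP directories get mixed up.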

Fabric CA simplifies the process of managing identities within a Hyperledger Fabric network. By following the steps outlined in this guide, you can set up Fabric CA, register and enroll users, peers, orderers, and admin users, and generate the necessary artifacts for authentication and authorization. Fabric CA’s flexibility and scalability make it an essential component for building secure and permissioned blockchain networks on Hyperledger Fabric 2.4.
