Hyperledger -Using Fabric CA to generate cryptographic materials

This article will illustrate how to use Fabric CA to setup a basic Fabric network without using cryptogen to generate certificates. The indent is to get an insight into the generation of cryptographic materials associated with the fabric identities.For this purpose we will be executing relevant commands for each step without any scripts.

All identities that participate on a Hyperledger Fabric network must be authorized. This authorization is provided in the form of cryptographic material that is verified against trusted certificate authorities.

We will see the process for setting up a basic fabric network that includes one organization, with two peers and one orderer.Two TLS CA servers and two CA Servers one CA each for peer org and orderer org. We will generate cryptographic material for orderers, peers, administrators, and end users with TLS enabled in a single host environment.

Topology of this deployment can be seen in the image below:

We will generate the model as shown below using Fabric CA.

• admincerts to include PEM files each corresponding to an administrator certificate (signcerts of admin user)
• cacerts to include PEM files each corresponding to a root CA's certificate (ca-cert.pem)
• keystore to include a PEM file with the node's signing key; private key.currently RSA keys are not supported
• signcerts to include a PEM file with the node's X.509 certificate public key.
• tlscacerts (optional) a folder to include PEM files each corresponding to a TLS root CA's certificate

These are the main steps that are required to generate the cryptograhic materials for each identity.

(1) Setup TLS CA Server (2) Setup CA Server

After configuring and starting the TLS and CA servers it is mainly two steps

(1) Register identities (orderers, peers ,admins,users) with TLS and CA servers

(2) Enroll those identities by pointing to their relevant msp directory for generating CA certificates and to the tls directory for generating TLS certificates as per your model.These two steps creates all the cryptographic material for each identity in the network.

Step : Setting up the Fabric CA

We will need the binaries for both Fabric and Fabric CA for this exercise and make the relevant fabric-ca-servers ,fabric-ca-client binaries and also make the docker images.User guides and other contributors has very good notes on the required steps for setting up fabric and fabric ca binaries. Select and set the path to latest binary for your machine.Or you could point to the samples binaries.

This exercise uses version 1.4.2 of fabric-ca-client

Step :Setup TLS CA

Make the directory structure needed for TLS CA , Fabric CA client and Server for our model.

mkdir -p fabca/fabric.com/{ca-admin,ca-server,tlsca-admin,tlsca-server}

mkdir -p fabca/po1.fabric.com/{ca-admin,ca-server,tlsca-admin,tlsca-server}

Start the TLS enabled Fabric CA container.First run the container with fabric-ca-server init command .Refer docker-compose-tlsca.yaml

Copy the fabca/fabric.com/tlsca-server/tls-ca-cert.pem to /crypto-config/ordererOrganizations/fabric.com/tlsca directory.

Copy the key file from fabca/fabric.com/tlsca-server/msp/keystore to ./crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-key.pem.

After copy run the TLS CA container this time use the fabric-ca-server start command.Check the logs to verify the server start and its listening to your the port 7150 in this case.

At this point the TLA CA server is listening on a secure socket, and can start issuing TLS certificates.

If on different host machines the trusted root certificate for the TLS CA has to be copied to other host machines that will communicate with this CA .

**Orderer org TLS :**Enroll the TLS CA server admin and then register org identities with orderer org's TLS CA server

Register orderer org identities with the tls-ca

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto- 	config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin

fabric-ca-client enroll -d -u https://tls-ord-admin:tls-ord-adminpw@0.0.0.0:7150

fabric-ca-client register -d — id.name orderer1.fabric.com — id.secret ordererPW — id.type orderer -u https://0.0.0.0:7150

fabric-ca-client register -d — id.name Admin@fabric.com — id.secret ordereradminpw — id.type admin -u https://0.0.0.0:7150

Use command fabric-ca-client identity list or Gui DB Browser for SQLite to verify the generated identities.

Going forward you will notice we extensively use the FABRIC_CA_CLIENT_TLS_CERTFILES,FABRIC_CA_CLIENT_HOME environment variables to point to the relevant server and client.

Peer org TLS: Enroll the TLS CA admin and then register identities with perr org's TLS CA server

Follow the steps simialr to above to get the TLS CA for peer org po1.fabric.com up and running.Refer docker-compose-tlsca.yaml from repo.After the fabric server is up and running execute below scripts to register peer org identities

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin

fabric-ca-client enroll -d -u https://tls-peer-admin:tls-peer-adminpw@0.0.0.0:7151
fabric-ca-client register -d — id.name peer0.po1.fabric.com — id.secret peer0PW — id.type peer -u https://0.0.0.0:7151

fabric-ca-client register -d — id.name peer1.po1.fabric.com — id.secret peer0PW — id.type peer -u https://0.0.0.0:7151

fabric-ca-client register -d — id.name Admin@po1.fabric.com — id.secret po1AdminPW — id.type admin -u https://0.0.0.0:7151

Certificate Authority (CA)
Each organization must have it's own Certificate Authority (CA) for issuing enrollment certificates.Follow the same set of steps that we followed for TLS CA for starting CA . Initiate and Start both the CA servers using
docker-compose-rca.yaml up refer repo.At this point the CA server is listening on a secure socket, and can start issuing cryptographic material.

Orderer org CA: Enroll admin for the CA Server and register the Orderer and Admin user with the orderer org CA

Orderer org :fabric

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin

fabric-ca-client enroll -d -u https://rca-orderer-admin:rca-orderer-adminpw@0.0.0.0:7152

fabric-ca-client register -d — id.name orderer1.fabric.com — id.secret ordererpw — id.type orderer -u https://0.0.0.0:7152

fabric-ca-client register -d — id.name Admin@fabric.com — id.secret ordereradminpw — id.type admin — id.attrs hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert” -u https://0.0.0.0:7152

Peer org CA: Enroll admin for the CA Server and register the peer0 ,peer1 and Admin user with the peer org CA

Peer org :po1.fabric.com

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin

fabric-ca-client enroll -d -u https://rca-po1-admin:rca-po1-adminpw@0.0.0.0:7153

fabric-ca-client register -d — id.name peer0.po1.fabric.com — id.secret peer1PW — id.type peer -u https://0.0.0.0:7153

fabric-ca-client register -d — id.name peer1.po1.fabric.com — id.secret peer2PW — id.type peer -u https://0.0.0.0:7153

fabric-ca-client register -d — id.name Admin@po1.fabric.com — id.secret po1AdminPW — id.type admin — id.attrs “hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert” -u https://0.0.0.0:7153
fabric-ca-client register -d — id.name User1@po1.fabric.com — id.secret po1UserPW — id.type user -u https://0.0.0.0:7153

Use command fabric-ca-client identity list or Gui DB Browser for SQLite to verify the generated identities.

Enroll Peers

Administrator for peer org po1.fabric.com will enroll the peers with it's CA.If the machine running Peer is separate host the trusted root certificate has to be copied to Peer's host machine. Acquiring of these signing certificate is an out of band process.2 Enrollments are required as we are TLS enabled.One againt TLS CA and one with Root CA.

Enroll Peers with CA.

Make sure the MSP directory of the peer points to the right directory of your model.As we are following cryptogen template model we are pointing to the peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/msp. Change the env variable FABRIC_CA_CLIENT_MSPDIR for each peers MSP directory and then enroll.You can pass -M in command for msp dir as well.

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin

#Peer0:
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/msp
fabric-ca-client enroll -d -u https://peer0.po1.fabric.com:peer1PW@0.0.0.0:7153 — csr.hosts peer0.po1.fabric.com

#Peer1

export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer1.po1.fabric.com/msp
fabric-ca-client enroll -d -u https://peer1.po1.fabric.com:peer2PW@0.0.0.0:7153 — csr.hosts peer1.po1.fabric.com

Verify the generation of certificates in msp/cacerts , keystore , signcerts for each peer’s MSP directory.We just generated the local peer MSP.

Enroll and Get the TLS cryptographic material for the peers.

We will point to the TLS CA cert and TLS Client Home for getting tls certs.MSP directory here will be the peers tls directory.

crypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/tls

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/tls

fabric-ca-client enroll -d -u https://peer0.po1.fabric.com:peer0PW@0.0.0.0:7151 — enrollment.profile tls — csr.hosts peer0.po1.fabric.com

export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer1.po1.fabric.com/tls

# peer1
fabric-ca-client enroll -d -u https://peer1.po1.fabric.com:peer0PW@0.0.0.0:7151 — enrollment.profile tls — csr.hosts peer1.po1.fabric.com

Verify certificates are generated in the peers tls directory tls/keystore , signcerts ,tlscacerts.Rename keystore private key to key.pem for ease of reference later on.

Enroll peer org Admin User with CA
The admin identity is responsible for activities such as installing and instantiating chaincode. The commands below has to be executed on Peer's host machine if on seperate host.Admin user's MSP directory in our model is peerOrganizations/po1.fabric.com/user/Admin@po1.fabric.com/msp

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/msp

fabric-ca-client enroll -d -u https://Admin@po1.fabric.com:po1AdminPW@0.0.0.0:7153

AdminCerts: As per user guide An identity becomes an "ADMIN" role by adding the public certificate to the "admincerts" folder of the MSP.You can manually copy signcerts to admin certs or run below store command.

fabric-ca-client certificate list — id Admin@po1.fabric.com — store $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/msp/admincerts

After enrollment, we should have an admin MSP.
Copy the admincerts certificate Admin@po1.fabric.com.pem from this Admin user MSP and move it to the Peer's MSP in the 'admincerts' directory. Copy this admin certificate to other peers in the org , use identity command above or copy to the 'admincerts' directory in each peers' MSP.

Enroll and Get the TLS cryptographic material for the Admin User
Enroll against the TLS CA using Tls cert and home.\

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/tls

fabric-ca-client enroll -d -u https://Admin@po1.fabric.com:po1AdminPW@0.0.0.0:7151 — enrollment.profile tls

At this point we can test run our peers : docker-compose -f docker-compose-cli.yaml up peer0.po1.fabric.com

Enroll Orderer with CA : Enroll orderer1.fabric.com and Admin@fabric.com with the CA

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/msp

fabric-ca-client enroll -d -u https://orderer1.fabric.com:ordererpw@0.0.0.0:7152

# Enroll Orderer’s Admin User
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp

fabric-ca-client enroll -d -u https://Admin@fabric.com:ordereradminpw@0.0.0.0:7152

# Generate AdminCerts
fabric-ca-client identity list
fabric-ca-client certificate list — id Admin@fabric.com — store $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp/admincerts

# Copy Users AdminCerts to Orderer MSP AdminCerts Directory
cp $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp/admincerts/*.pem $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/msp/admincerts

# rename keystore = key.pem

Enroll Orderer with TLS CA

export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin
export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/tls

fabric-ca-client enroll -d -u https://orderer1.fabric.com:ordererPW@0.0.0.0:7150 — enrollment.profile tls — csr.hosts orderer1.fabric.com

# Enroll Orderer’s Admin User

export FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls

fabric-ca-client enroll -d -u https://Admin@fabric.com:ordereradminpw@0.0.0.0:7150 — enrollment.profile tls — csr.hosts orderer1.fabric.com

# rename keystore -sk= key.pem

Create Genesis Block and Channel Transaction artifacts

Before generating genesis block we need the MSP directories of all the orgs on the orderer host machine.Each org should have MSP directory in the following structure:

The MSP for an Org will contain\

1. admincerts : The certificate of the Org's admin identity
2. cacerts: The trusted root certificate of Org's CA\
3. tlscacerts: The trusted root certificate of the Org's TLS CA.

On the Orderer's host machine, we need to collect the MSPs for each of the organizations based on the above structure

Generate Orderer Org MSP

# cacerts — orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin
fabric-ca-client getcacert -u https://0.0.0.0:7152 -M $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp

# AdminCerts — orderer
fabric-ca-client identity list
fabric-ca-client certificate list — id Admin@fabric.com — store $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp/admincerts

# tlscacerts — orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin
fabric-ca-client getcacert -u https://0.0.0.0:7150 -M $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp — enrollment.profile tls

Generate Peer Org MSP

# cacerts — peer org
export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin
fabric-ca-client getcainfo -u https://0.0.0.0:7153 -M $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp

# AdminCerts — peer org
fabric-ca-client identity list
fabric-ca-client certificate list — id Admin@po1.fabric.com — store $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp/admincerts

# tlscacerts — peer org
export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem
export FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin
fabric-ca-client getcacert -u https://0.0.0.0:7151 -M $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp — enrollment.profile tls

The above steps should generate the model similar to the directory tree in repo.

Generate Orderer Genesis block and channel artifacts:

Create configtx.yaml file as per your model.

cd $FABRIC_CFG_PATH
# Create the orderer genesis.block
configtxgen -profile OneOrgsOrdererGenesis -channelID rtr-sys-channel -outputBlock $FABRIC_CFG_PATH/channel-artifacts/genesis.block
configtxgen -inspectBlock ./channel-artifacts/genesis.block > logs/genesisblock.txt

# Create channel.tx
export CHANNEL_NAME=fabchannel01
configtxgen -profile OneOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
configtxgen -inspectChannelCreateTx ./channel-artifacts/channel.tx > logs/channel.txt
# Update anchor peers
configtxgen -profile OneOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/po1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg po1MSP

Start the services

Lets start services one by one :- Start the Orderer : docker-compose -f docker-compose-cli.yaml up orderer1.fabric.com

​ Orderer Start

​ Peer Start

​

Create and join Channel

export CHANNEL_NAME=fabchannel01

peer channel create -c $CHANNEL_NAME -f /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/channel.tx -o orderer1.fabric.com:7050 — outputBlock /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/fabchannel01.block — tls — cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls/tlscacerts/tls-0–0–0–0–7150.pem 60s

peer channel join -b /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/fabchannel01.block 30s

​ ChainCode Install

Install and Instantiate Chaincode

peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/abac/go

peer chaincode instantiate -C $CHANNEL_NAME -n mycc -v 1.0 -c ‘{“Args”:[“init”,”a”, “100”, “b”,”200"]}’ -o orderer1.fabric.com:7050 — tls — cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls/tlscacerts/tls-0–0–0–0–7150.pem 60s

​ ChainCode Instantiate

​ ChainCode Invoke

​ ChainCode Query

This post simulated the deployment using docker containers. For deployment on different hosts , you will need to get the signing certificate on each of those hosts through an out-of-band process.

The network configuration for this project assumes that all containers are running in the same network. If your deployment uses different networks, make relevant adjustments to work with your network configurations.