Understanding Various Certificates in Hyperledger fabric

无人及你 2021-01-31 11:58

Hello, I am trying to use Hyperledger Fabric for a blockchain implementation. I did the first-network demo and found a lot of certificates in it. I have tried arranging them hierar

4 answers
  • 2021-01-31 12:31

    When you generate certificates of an org using cryptogen, you will see

    ├── ca
    ├── msp
    ├── peers
    ├── tlsca
    └── users
    

    Let me explain one by one:

    - ca: contains the CA certificate & private key
    - tlsca: contains the CA certificate & private key (TLS version)
    - msp: this is the organization MSP; we need this to generate the genesis block

    Organizations:
        - &nbd
            Name: nbd
            ID: nbdMSP
            MSPDir: crypto-config/peerOrganizations/nbd/msp
            AnchorPeers:
                - Host: nbd-peer1-nbd
                  Port: 7051
    

    Peers: Peers contains two directories

    ├── msp
    └── tls
    

    Checking MSP of peer...

    ├── admincerts
    ├── cacerts
    ├── keystore
    ├── signcerts
    └── tlscacerts
    

    - admincerts: this is the peer MSP, which is different from the organization MSP. Every peer can have admin certs, which are used to allow admin-privileged users to issue admin-level transactions
    - cacerts: trusted root CA cert
    - keystore: private key of the peer
    - signcerts: signing cert of the peer
    - tlscacerts: trusted root CA cert (TLS version)

    ----Same for orderers also----

    Users

    ├── Admin@nbd
    └── User1@nbd
    

    ----Same for users also----

  • 2021-01-31 12:36

    Just in case you still have doubts: your post is a bit old, and you may have already answered your inquiries.

    1. Why are all these different categories of certs required? Like the different msp and tls: are they generated once and copied to different locations?

    R/ I think the part on why all these certs are required, @kots got it pretty much covered. To the second part of your question, the reason there are so many crypto objects copied is that in a production environment you are supposed to have every container separated. So the folder you mount for them should contain all the objects required for communication and authorization. There should not be a central folder containing just a copy of the files.

    2. How will these different certificates be used in different scenarios (like enrollment and communication)?

    R/ They pass through a bunch of security mechanisms such as channels, MSPs, etc., through the gossip protocols, and they need to authenticate each request. More details on the link copied by @kots.

    3. If we don't use cryptogen, then can some third party generate all these certificates?

    R/ You can use cryptogen (without Fabric-CA), Fabric-CA (with your own external root cert, one generated by cryptogen, or one generated by Fabric-CA), or you can bring your own CA, but it's a bit harder and you need to match it with your ChainCode authorization strategy.

    4. How can fabric-ca or any other third party CA help here?

    R/ Using Fabric-CA gives you a nearly production-ready environment. They handle most of the crypto gen tasks, as well as handling CRL and enrollment. As explained in response #3 you may have plenty of mixes depending on your requirements.

    Best regards.

  • 2021-01-31 12:38

    During the setup of your Blockchain network, we need a variety of certificates, which we can focus on with a CA (Certificate Authority), like the MSP configuration of the Blockchain network. I personally used a CA for my IBM Hyperledger application.

  • 2021-01-31 12:42

    First of all thanks for creating the tree for the same.

    I am a beginner in Hyperledger, but what I understand from the Hyperledger documentation is that each organization requires a unique root certificate (ca-cert), which binds specific components (peers and orderers) to that organization. Transactions and communications within Fabric are signed by an entity's private key (keystore), and then verified by means of a public key (signcerts).

    As different organizations are also required to communicate or share their ledger, there is a need for a CA or MSP at the organization level. Within each organization we can have multiple peers, so we need certificates for these peers too. Even peers from different organizations can join each other, so we need signcerts (for authenticating) and TLS certs (for a secure handshake).

    To have a look at how these are generated, I suggest you manually generate the artifacts

    http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html

    and see the different certs in the folders inside as you created them.
