I am wondering if it is strongly discouraged to use fabric-ca without mutual TLS in production.
I am planning to operate a fabric network where a lot of peers, applications and users will be added automatically and the cryptogen tool will not be used.
Instead a second fabric-ca will be used to issue TLS certificates. Those certificates will be used for client authentication with the MSP fabric-ca and the peers etc.
The TLS fabric-ca does not perform client authentication because new users will have enrollmentID+secret but no client certificates.
I illustrated the registration process in this UML sequence diagram.
The "User" in the diagram is meant to represent peers, applications or users.
You can't require mutual / client TLS from the actual CA server that's supposed to issue the client TLS certificates unless you distribute the client certs out of band (which I assume you don't want to do). It's perfectly fine for the CA which is issuing TLS certificates NOT to require client / mutual TLS authentication.
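To show how the split the answer describes is expressed in fabric-ca server configuration, here is an added example (not part of the original question or answer, and not taken from the Fabric project): the TLS-issuing CA runs with server-side TLS only, while the MSP (identity) CA requires and verifies client certificates chained to the TLS CA's root. The file names, ports and CA names are assumptions; the `tls.clientauth.type` values are the fabric-ca-server settings for Go's client-authentication modes.

```yaml
# --- Assumed file: tls-ca/fabric-ca-server-config.yaml ---
# The CA that issues TLS certificates. New users only hold an
# enrollment ID and secret at this point, so the server must not
# demand a client certificate; it still serves its own cert so the
# ID+secret travel over an encrypted channel.
port: 7054          # assumed port for the TLS CA
ca:
  name: tls-ca      # assumed CA name
tls:
  enabled: true
  certfile: tls-ca-server-cert.pem   # assumed path: this server's TLS cert
  keyfile: tls-ca-server-key.pem     # assumed path: this server's TLS key
  clientauth:
    type: noclientcert               # no mutual TLS on the TLS CA
    certfiles:

# --- Assumed file: msp-ca/fabric-ca-server-config.yaml ---
# The CA that issues MSP (signing) identities. Every caller has
# already obtained a TLS certificate from the TLS CA, so this server
# requires one and verifies it against the TLS CA's root certificate.
port: 7055          # assumed port for the MSP CA
ca:
  name: msp-ca      # assumed CA name
tls:
  enabled: true
  certfile: msp-ca-server-cert.pem   # assumed path: issued by the TLS CA
  keyfile: msp-ca-server-key.pem     # assumed path
  clientauth:
    type: requireandverifyclientcert # mutual TLS on the MSP CA
    certfiles:
      - tls-ca-root-cert.pem         # assumed path: trust anchor for client certs
```

With this layout a new member first enrolls against the TLS CA using only ID and secret, then presents the resulting certificate and key to the MSP CA (and to peers configured with the same TLS CA root as their client-authentication trust anchor). The security-relevant check is the `certfiles` list on the MSP CA: it should contain only the TLS CA's root, so that certificates from any other issuer are rejected at the TLS handshake.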
Source: https://stackoverflow.com/questions/50896618/use-fabric-ca-without-mutual-tls-in-production