问题
I'm adopting the Hyperledger Fabric to build applications for my business.
Since permissioned blockchains like Fabric rely heavily on the PKI for identity management, and the fact that every transaction on the network requires signatures from participating components along way the transaction flow and transactions with those signatures finally got immutably persisted in the ledger.
I wonder what happens if participating components would have to renew their certificates? For example, the original certificates expired or private keys got compromised.
Specifically, I want to know:
Should renewal of a certificate require a new PKI key pair in best practice, or should a new certificate be created with the original key pair be created with its validity extended?
What if it's the case when a private key got compromised, and I have to revoke the original certificate and use a new one with a new key pair. In this case, how should I validate signatures of transactions that were already persisted in the ledger? I wonder if it means that even if a certificate were revoked, it should be kept for validating history signatures.
回答1:
First of all, there are 2 types of certificates in Fabric:
- TLS certificates
- Enrollment certificates
For TLS certificates, when they expire - they cannot be used anymore but obviously active TLS connections aren't being terminated when it happens.
For enrollment certificates - when they expire they still keep on being useful regardless of their expiration. This is to prevent a fork when peers join the Blockchain late. So, in short - certificate expiration has no effect in enrollment certificates.
Should renewal of a certificate require a new PKI key pair in best practice, or should a new certificate be created with the original keypair be created with its validity extended?
In most cases, Fabric treats 2 certificates with the same public key but different attributes as 2 completely different identities (unless you take into account de-duplication at transaction validation) so if you have a chance to renew a certificate of a node or a client - you might as well also use a fresh key. It is not required but it is possible.
What if it's the case when a private key got compromised, and I have to revoke the original certificate and use a new one with a new key pair. In this case, how should I validate signatures of transactions that were already persisted in the ledger? I wonder if it means that even if a certificate were revoked, it should be kept for validating history signatures.
For TLS certificates, Fabric doesn't use CRLs so you can only rely on short expiration periods, or you can always just replace the entire certification chain and this would implicitly invalidate the leaf certificates of the old chain.
For Enrollment certificates you can issue a CRL config update to all channels and this would make it impossible to use the compromised key in future transactions, however signatures of transactions made in the past (in the blocks that precede the revocation of the certificate) would still be valid from obvious reasons.
However, there is a code path that checks expiration of enrollment certificates: Whenever a request from a peer or a client is authenticated to access a resource (i.e a client wants to execute a chaincode, or a peer wants to pull blocks) - then the certificate expiration of enrollment certificates is also checked by the server (peer/orderer).
来源:https://stackoverflow.com/questions/59525641/what-happens-when-certificates-got-renewed-in-hyperledger-fabric