Hyperledger Fabric Certificate Authority(CA)

Every operation in Hyperledger must be signed cryptographically with certificates. You can generate certificates yourself using OpenSSL or by using third party. Before moving further into details of CA lets first explore Hyperledger Fabric a little. 😉

Hyperledger Fabric

Hyperledger Fabric founded in 2015 which is an umbrella for open source projects some of which are Blockchain Distributed Ledger Frameworks such as Fabric, Sawtooth and Iroha. Hyperledger Fabric is a permissioned blockchain, means that parties that join the network are authenticated to participate on network. It reduces security risks and display records to only to the parties involved. It provides:

• Data Privacy
• Information Sharing
• Immutability

That was a concise description about Hyperledger Fabric. Now, lets explore importance of Hyperledger Fabric CA.

Fabric Certificate Authority (CA)

Fabric CA is a tool through which you can generate certificates. Let say you have 10 users then, 10 certificates get generated for 10 users. You can add additional information called as attributes in certificates. So this information is propagated to the system. Chaincodes (Smart Contracts in Blockchain) can read this data and perform different operations As this information is within certificates you can’t modify it which makes process secure.

You can generate certificates by specifying the username, password and affiliations which is called as Enrollment. With these certificates you have to sign each and every request. Some data of the certificates will be stored inside the ledger through which you can know who actually execute the operation.

Fabric CA Architecture

From the tree like structured diagram you can see that Fabric-CA root Server is the root node of the entire tree. You can interact with Fabric-CA Server via Fabric-CA Client or through one of the Fabric SDKs. There can be multiple Fabric-CA Intermediate Servers. Each Intermediate Fabric-CA server in the figure can be configured Fabric-CA server cluster. The client routes to an HA Proxy endpoint which load balances traffic to one of the fabric-ca-server cluster members. All Hyperledger Fabric CA servers in a cluster share the same database for keeping track of identities and certificates.

Lets start with some Prerequisites before starting the CA server.

Prerequisites

• The Hyperledger Fabric Project uses Go Langauge thus, GO 1.9+ must be installed.
• Correct configuration for GOPATH environment variable must be set after cloning Fabric-CA project.

export GOPATH=/Path/to/fabric_ca

go get -u github.com/hyperledger/fabric-ca/cmd/...

Initializing Fabric-CA Server

You can start with initializing Fabric CA Server. This provides an opportunity for you to generate a default configuration file that can be reviewed and customized before starting the server.

fabric-ca-server init -b admin:adminpw

Here, -b specifies the name and password for a bootstrap identity. The fabric-ca-server init command generates a default configuration file named fabric-ca-server-config.yaml in the server’s home directory.

Starting the Fabric-CA Server

If earlier the Fabric-CA server is not initialized, it will initialize itself when started for the first time that will generate the ca-cert.pem and ca-key.pem files.

fabric-ca-server start -b admin:adminpw

Now, the Fabric CA server should be up and running listening on port 7054.

Configuring the database

By default the database that Fabric uses is SQLite. You can configure Fabric CA server to connect to PostgreSQL or MySQL databases. Open default database file fabric-ca-server-config.yaml in the Fabric CA server’s home directory and modify the db for:

• PostgreSQL

db:
 type: postgres
 datasource: host=localhost port=5432 user=<Username> password=<Password> dbname=fabric_ca sslmode=require

• MySQL

db:
  type: mysql
  datasource: root:rootpw@tcp(localhost:3306)/fabric_ca?parseTime=true&tls=custom