In the previous blog, we discussed the Fabric Certificate Authority (CA) architecture, initializing the Fabric CA server and configuring its database. Now we will discuss how to use the fabric-ca-client command. We interact with the Fabric-CA Server through the Fabric-CA Client, and there can be multiple Fabric-CA Intermediate Servers; each Intermediate Fabric-CA server can be configured as a Fabric-CA server cluster.
To use the Fabric-CA-Client we first need to start the Fabric-CA-Server. As a quick recap of how to start it: navigate to GOPATH/bin, where Fabric-CA-Server and Fabric-CA-Client were installed after running the command mentioned in the previous blog, and run:
fabric-ca-server start -b admin:adminpw
We have started the Fabric CA server. Now export the configuration needed to enroll the identity successfully:
export CORE_PEER_ID=peer0.org1.example.com
export CORE_LOGGING_PEER=debug
export CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
export CORE_PEER_LOCALMSPID=Org1MSP
export CORE_PEER_MSPCONFIGPATH=/Path/to/fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
Enrolling the bootstrap identity
Use the fabric-ca-client enroll command to enroll the identity. For example, the following command enrolls an identity whose ID is admin and whose password is adminpw by calling the Fabric CA server that is running locally on port 7054.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
The enroll command stores the enrollment certificate (ECert), the corresponding private key and the CA certificate chain PEM files in subdirectories of the Fabric CA client's msp directory. The identity ID and password can also be configured in the fabric-ca-server-config.yaml file.
After enrollment, the certificate information is stored in the SQLite database that Fabric CA uses by default. You can configure the Fabric CA server to connect to PostgreSQL or MySQL databases instead. The schema for the certificates table is shown below:
Registering a new identity
The identity performing the register request must be currently enrolled, and must also have the proper authority to register the type of the identity that is being registered. If the invoker’s identity has the hf.Registrar.Roles attribute with a value of peer, app, user, the invoker can register identities of type peer, app and user.
fabric-ca-client register --id.name admin1 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' --id.type user
The command above uses the admin identity’s credentials to register a new user with an enrollment id of “admin1”, an affiliation of “org1.department1”, an attribute named “hf.Revoker” with a value of “true”, and an attribute named “admin” with a value of “true”. The “:ecert” suffix means that by default the “admin” attribute and its value will be inserted into the user’s enrollment certificate, which can then be used to make access control decisions.
Registering a new identity will print the password, also known as the enrollment secret. This password is required to enroll the identity.
Enrolling a peer identity
Now that you have successfully registered a peer identity, you can enroll the peer given its enrollment ID and secret (i.e. the password printed in the previous section).
fabric-ca-client enroll -u http://peer1:<password>@localhost:7054
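The register-then-enroll flow above, scripted end to end, as an added example that is not part of the original post or of Fabric CA itself. It assumes fabric-ca-client is on PATH, a server listens on localhost:7054 with the bootstrap identity admin:adminpw, and the registrar is already enrolled in the default client home; the new identity is enrolled into its own FABRIC_CA_CLIENT_HOME so its msp does not overwrite the registrar's.

```shell
#!/bin/sh
# Added example: wraps the enroll -> register -> enroll sequence from the post.
# Assumes fabric-ca-client on PATH and a Fabric CA server at CA_HOST:CA_PORT.
CA_HOST="${CA_HOST:-localhost}"
CA_PORT="${CA_PORT:-7054}"

# Build the URL fabric-ca-client enroll expects: scheme://id:secret@host:port
enroll_url() {
  printf '%s://%s:%s@%s:%s\n' "$1" "$2" "$3" "$CA_HOST" "$CA_PORT"
}

# Pull the enrollment secret out of `fabric-ca-client register` output,
# which prints one line of the form "Password: <secret>" (empty if absent).
extract_secret() {
  sed -n 's/^Password: *//p' | head -n 1
}

# Register a new identity with the currently enrolled registrar and
# return the secret the server generated for it.
register_identity() {
  name="$1"; affiliation="$2"; type="$3"; attrs="$4"
  fabric-ca-client register --id.name "$name" --id.affiliation "$affiliation" \
    --id.type "$type" --id.attrs "$attrs" | extract_secret
}

# Full flow; only runs when the script is invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  # 1. Enroll the bootstrap (registrar) identity.
  fabric-ca-client enroll -u "$(enroll_url http admin adminpw)"
  # 2. Register admin1 with the attributes used in the post; capture its secret.
  secret=$(register_identity admin1 org1.department1 user 'hf.Revoker=true,admin=true:ecert')
  [ -n "$secret" ] || { echo "register printed no secret" >&2; exit 1; }
  # 3. Enroll admin1 into a separate client home so the registrar's msp is kept.
  FABRIC_CA_CLIENT_HOME="$PWD/admin1" fabric-ca-client enroll \
    -u "$(enroll_url http admin1 "$secret")"
fi
```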
That’s it!! We are done with enrolling and registering our identity with the Server.
I hope you liked the blog. Happy Coding !! 🙂