Hyperledger Fabric Certificate Authority (CA) Client


In the previous blog we discussed the Fabric Certificate Authority (CA) architecture, initializing the Fabric CA server and configuring its database. Now we will look at how to use the fabric-ca-client command. The Fabric-CA Client is the tool for interacting with a Fabric-CA Server, and a deployment can have multiple intermediate Fabric-CA servers; each intermediate Fabric-CA server can itself be configured as a cluster of Fabric-CA servers.

To use fabric-ca-client we first need a running Fabric-CA server, so here is a quick recap of how to start it. Remember to navigate to GOPATH/bin, where fabric-ca-server and fabric-ca-client were installed by the command given in the previous blog.

fabric-ca-server start -b admin:adminpw

The Fabric Certificate Authority server is now running. Next, export the configuration needed to enroll an identity successfully:

export CORE_PEER_ID=peer0.org1.example.com
export CORE_LOGGING_PEER=debug
export CORE_PEER_MSPCONFIGPATH=/Path/to/fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051

Enrolling the bootstrap identity

Now run the fabric-ca-client enroll command to enroll an identity. For example, the following command enrolls the identity whose ID is admin and password is adminpw, by calling the Fabric CA server running locally on port 7054.

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

The enroll command stores the enrollment certificate (ECert), the corresponding private key and the CA certificate chain as PEM files in subdirectories of the Fabric CA client’s msp directory. You can also configure the identity ID and password in the fabric-ca-server-config.yaml file.

[Image: Fabric Certificate Authority]

After enrollment, the certificate information is stored in the SQLite database that Fabric CA uses by default. You can configure the Fabric CA server to connect to PostgreSQL or MySQL instead. The schema of the certificates table is shown below:


Registering a new identity

The identity performing the register request must itself be enrolled, and must have the authority to register identities of the type being registered. If the invoker’s identity has the hf.Registrar.Roles attribute with the value peer, app, user, the invoker can register identities of type peer, app and user.

fabric-ca-client register --id.name admin1 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' --id.type user

The command above uses the admin identity’s credentials to register a new user with the enrollment ID “admin1”, the affiliation “org1.department1”, an attribute named “hf.Revoker” with the value “true”, and an attribute named “admin” with the value “true”. The “:ecert” suffix means that, by default, the “admin” attribute and its value will be inserted into the user’s enrollment certificate, where they can be used to make access control decisions.

Registering a new identity will print the password, also known as the enrollment secret. This password is required to enroll the identity.


Enrolling a peer identity

Now that you have successfully registered a peer identity, you can enroll the peer given its enrollment ID and secret (i.e. the password printed in the previous section).

fabric-ca-client enroll -u http://peer1:<password>@localhost:7054
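The three steps above (enroll the bootstrap admin, register a new identity, enroll it with the printed secret) are usually scripted rather than typed by hand. The script below is an added example, not code from the original post or from the Fabric CA project. It assumes the `fabric-ca-client register` command prints the enrollment secret on a line of the form `Password: <secret>` (check this against your fabric-ca version), and the host, port and identity names are constructed placeholders. The helper functions are separated from the live flow so they can be exercised without a running CA.

```shell
#!/bin/sh
# Added example: enroll -> register -> enroll flow with the fabric-ca-client CLI.
# Assumptions (not from the original post): register prints "Password: <secret>"
# on stdout; localhost:7054, peer1 and org1.department1 are constructed values.

CA_URL_BASE="${CA_URL_BASE:-localhost:7054}"
CLIENT_HOME="${FABRIC_CA_CLIENT_HOME:-$HOME/.fabric-ca-client}"

# Pull the enrollment secret out of the register output.
# Prints the secret and returns 0; returns non-zero if no "Password:" line exists,
# so a caller never silently enrolls with an empty secret.
extract_secret() {
    # $1 = full stdout of `fabric-ca-client register`
    printf '%s\n' "$1" | sed -n 's/^Password: *//p' | head -n 1 | grep .
}

# Build the enroll URL for an identity. The scheme is a parameter so the same
# helper serves the plain-http setup of the post and a TLS-enabled server.
build_enroll_url() {
    # $1 = scheme, $2 = enrollment id, $3 = secret, $4 = host:port
    printf '%s://%s:%s@%s\n' "$1" "$2" "$3" "$4"
}

# Full flow against a live server; fails early if the CLI is not installed.
run_flow() {
    command -v fabric-ca-client >/dev/null 2>&1 || {
        echo "fabric-ca-client not on PATH" >&2
        return 1
    }

    # 1. Enroll the bootstrap admin (credentials from `fabric-ca-server start -b admin:adminpw`).
    fabric-ca-client enroll -H "$CLIENT_HOME/admin" \
        -u "$(build_enroll_url http admin adminpw "$CA_URL_BASE")" || return 1

    # 2. Register a peer identity using the admin's credentials; capture the secret.
    out=$(fabric-ca-client register -H "$CLIENT_HOME/admin" \
        --id.name peer1 --id.affiliation org1.department1 --id.type peer) || return 1
    secret=$(extract_secret "$out") || {
        echo "no secret found in register output" >&2
        return 1
    }

    # 3. Enroll the peer with that secret into its own MSP directory,
    #    keeping its key material apart from the admin's home.
    fabric-ca-client enroll -H "$CLIENT_HOME/peer1" \
        -u "$(build_enroll_url http peer1 "$secret" "$CA_URL_BASE")" \
        -M "$CLIENT_HOME/peer1/msp"
}

# Run the live flow only when explicitly requested, e.g. RUN_FLOW=1 sh fabric-ca-flow.sh
if [ "${RUN_FLOW:-0}" = "1" ]; then
    run_flow
fi
```

Because the enrollment secret travels inside the URL, a server exposed beyond the local machine should be run with TLS enabled; in that case pass `https` as the scheme and add `--tls.certfiles <path-to-ca-cert.pem>` to each `fabric-ca-client` call so the client verifies the server before sending credentials. If you prefer to choose the secret yourself rather than parse it from the output, `--id.secret` on the register command sets it explicitly.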

That’s it!! We are done with enrolling and registering our identity with the Server.

I hope you liked the blog. Happy Coding !! 🙂


Hyperledger Official Documentation



Written by Charmy. Charmy is a Software Consultant with more than 1.5 years of experience. She is familiar with Object Oriented Programming Paradigms and with technical languages and tools such as Scala, Lagom, Java, Apache Solr, Apache Spark, Apache Kafka and Apigee. She is always eager to learn new concepts in order to expand her horizons. Her hobbies include playing guitar and sketching.
