-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cfssl to generating certificates #1001
Conversation
Thanks for the contribution! Sorry I missed this one earlier... It looks really good. Could you also update the network.sh help to mention the new flag? |
Thanks @denyeart , I have updated the help message |
"hosts": [ | ||
"{USER}", | ||
"localhost", | ||
"127.0.0.1", | ||
"0.0.0.0" | ||
] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just realized that you generate a single certificate and use it for both the MSP enrollment cert (e.g. role 'admin' above) and the TLS cert (hosts defined for tls cert SAN here).
While this will technically work, it is not a good practice, production environments should have separate certs for msp and tls. And while the samples here are not expected to be used in production environments, the samples are intended to be an educational resource and there is a lot of confusion about proper use of certificates.
I'd suggest to split the certificates to make their usage more clear - have one msp enrollment cert with the OU role defined, and a seprate tls cert with the hosts SAN entries.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Certs will be different as we are generating MSP and TLS certs with different profiles, we have two profiles (sign and tls) that governs if the certificates are for signing or TLS purpose.
@denyeart thoughts? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, sorry for the delay... I've finally confirmed the certificate generation works when bringing up test-network. And I confirmed that the msp and tls certificates are indeed different.
We may want to remove the SANS "hosts" for the msp certificates, they are unnecessary and may confuse people, but if that is difficult we could skip it.
Overall this is a really great enhancement, many people have had the question of how to bring your own CA and this sample extension will really help.
This is probably good enough to merge as-is, but could you double check the names of all the files relative to the prior generation methods. I found at least one file that is named different that causes the test network tutorial to not work, there may be some others.
Also I found one other typo.
cp "$CERT_DIR/ca/ca.pem" "$CERT_DIR/tlsca/tlsca.example.com-cert.pem" | ||
|
||
cp "$CERT_DIR/ca/ca.pem" "$CERT_DIR/msp/cacerts/" | ||
cp "$CERT_DIR/ca/ca.pem" "$CERT_DIR/msp/tlscacerts/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be called tlsca.example.com-cert.pem for the test-network instructions to work, e.g.
https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html
peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem" -C mychannel -n basic --peerAddresses localhost:7051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt" --peerAddresses localhost:9051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt" -c '{"function":"InitLedger","Args":[]}'
cfssl gencert \ | ||
-ca="$CERT_DIR/ca/ca.pem" \ | ||
-ca-key="$CERT_DIR/ca/ca-key.pem" \ | ||
-config="$PWD/organizations/cfssl/cert-signing-config.jso"n \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Somehow the generation worked even with this typo, but I assume it needs to be fixed.
@adityajoshi12 could you address these remaining issues? |
Sure, I will update my PR |
Also, the PR will need to be rebased against latest main. |
Signed-off-by: Aditya Joshi <[email protected]>
Signed-off-by: Aditya Joshi <[email protected]>
c8d9b04
to
d5ef0ae
Compare
@denyeart update the PR |
@denyeart it is rebased against the head of main |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, it works well now!
This PR adds a new example to support pluggable CA in hyperledger fabric. Current examples in the
fabric-samples
provide two implementations for cert generation i.ecryptogen
andfabric-ca
.This PR will help the developers to understand more about bring your own identity. These changesets will allow developers to generate certificates using the cfssl tool, which is an opensource tool by cloudflare for cert management.
Generate certs using cfssl