Certificate Rotation

Certificates are issued by Certificate Authorities to every participant. Each Certificate represents a member’s identity and every component in the network (whether it is a Peer, Orderer, etc.) must have an identity in order to communicate, authenticate and transact in the network. These certificates can be one of three types:

  • Signing Identity

  • TLS Identity

  • CA Identity

More information about Fabric certificates.

Why to rotate Certificates?

Certificate rotation refers to the practice of replacing the existing certificate with new ones. This is done when:

  • The certificate is about to expire.

  • A security breach has occurred, therefore a Certificate can no longer be trusted.

  • New constraints have to be applied.

  • A new Certificate Authority takes over

Certificate Renewal

It is recommended that you renew the certificates before they expire in order to avoid disruption of service, and each certificate must be issued targeting an expiration date by the corresponding Certificate Authority.

Enrollment and Reenrollment

Enrolling a certificate is the process by which members request CAs (Certificate Authorities) to provide them with a new certificate. To do this, a client creates a Certificate Signing Request, that is then signed by the Certificate Authority.

However, by Reenrolling participants are allowed to reuse an existing private key without the need of creating a new one. (This is especially important for orderer TLS certificates).

More information about Fabric Enrollment and Reenrollment

Certificate Revocation List

When a participant needs to verify another participant’s identity, they must be aware of whether that certificate is still valid and has not been revoked. To do so the CRL maintains a list of all the certificates that have been previously revoked and are no longer trusted by the network, so each time a participant is checked, it is first verified against the issuing Certificate Authority’s CRL.

Note: The CRL is also present in the channels where the Participant takes place in, therefore it must be in sync in order to maintain an operational network.

More Information about Fabric CRL

Certificate Revocation List

When a participant needs to verify another participant’s identity, they must be aware of whether that certificate is still valid and has not been revoked. To do so the CRL maintains a list of all the certificates that have been previously revoked and are no longer trusted by the network, so each time a participant is checked, it is first verified against the issuing Certificate Authority’s CRL.

Note: The CRL is also present in the channels where the Participant takes place in, therefore it must be in sync in order to maintain an operational network.

More Information about Fabric CRL The processes beneath certificate rotation are explained and some examples are illustrated in the following sections: