Orderer Rotation

The rotation of Orderer Certificates is split into two scenarios:

1 - Orderer certificates

Navigate to the CA section on the left panel of your dashboard and select your CA. Under the Identities tab, select the identity of the orderer that you desire to rotate. Click on Enroll/Reenroll as shown in the image below.

Figure 1. Certificates list

2 - TLS Identity Certificates

The TLS identities are in fact persisted in the ledger. If we simply tried to rotate the certificate following the standard approach, it would fail. The reason is that the certificates in the channels (both system and application channels) must match the ones at the Orderer/Consenter nodes; otherwise Catalyst Blockchain Manager throws a Consenter error as a prevention mechanism.

To find these certificates, navigate to the Channels section on the left panel of your dashboard, select your channel and scroll down to the Consenters section in the Ordering tab.

Figure 2. Channels
Note that when rotating Orderer certificates, quorum must be ensured and the network must remain healthy. Otherwise the voting majority can be lost, which would lead to Fabric rejecting the actions.
Figure 3. Certificates list

Check the TLS box, and select the Type as orderer and the Orderer Id from the list:

Figure 4. TLS box

Catalyst Blockchain Manager deals with this by throwing away the old certificates and then placing the new ones. However, this won't be enough, as the new certificate won't match the one used in each channel.

The Orderer must be restarted so the updates can take effect. To do so, navigate to the Orderer section on the left panel of your dashboard and select your Orderer. You can then restart the Orderer as shown below.

Figure 5. Restart Orderer

Once the Orderer is fully restarted, the certificate has to be updated in every channel so that your local certificate and the ones used by the channels match, starting with the System Channel, as this is where the network configurations are stored.

Navigate to your System Channel: on the left panel of your dashboard, select your Orderer and navigate to System Channel.

Figure 6. System channel

Once in the System Channel section, select the Ordering tab and scroll down to the Consenters section.

In the list of consenters, an alert must be shown for your newly updated orderer. To sync, execute the Sync Certificates option.

Figure 7. Sync certificates

As soon as the System Channel has updated the certificate, it's time to update each of the Application Channels:

Navigate to the channel that needs to be updated: on the left panel of your dashboard, go to Channels and select your channel.

In the Application channel section, select the Ordering tab and scroll down to the Consenters section.

In the list of consenters, an alert must be shown for your newly updated orderer. To sync, execute the Sync Certificates action.

Figure 8. Sync certificates on Application channel

Repeat this process for every channel in which this Orderer is operating.
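
The match this procedure depends on (the orderer's local TLS certificate versus the consenter entry in every channel) and the quorum condition can also be checked offline. The following is an added example, not Catalyst Blockchain Manager or Fabric code. It assumes each channel config has already been decoded to JSON in the layout Fabric's configtxlator produces for etcdraft ordering, and that the consenters vote by Raft majority; the host name, channel names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib

def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of one PEM certificate (armor lines ignored)."""
    body = "".join(ln.strip() for ln in pem.strip().splitlines()
                   if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def consenter_mismatches(config: dict, host: str, port: int, local_pem: str) -> list:
    """TLS fields of the host:port consenter entry that differ from local_pem."""
    # Path as in a configtxlator-decoded etcdraft channel config (assumption).
    meta = (config["channel_group"]["groups"]["Orderer"]["values"]
            ["ConsensusType"]["value"]["metadata"])
    want = pem_fingerprint(local_pem)
    for c in meta["consenters"]:
        if c["host"] == host and int(c["port"]) == port:
            return [f for f in ("client_tls_cert", "server_tls_cert")
                    if pem_fingerprint(base64.b64decode(c[f]).decode()) != want]
    raise LookupError(f"{host}:{port} is not a consenter of this channel")

def channels_needing_sync(configs: dict, host: str, port: int, local_pem: str) -> list:
    """Names of channels whose consenter entry still carries another certificate."""
    return sorted(name for name, cfg in configs.items()
                  if consenter_mismatches(cfg, host, port, local_pem))

def quorum_holds(total_consenters: int, unavailable: int) -> bool:
    """Raft majority: more than half of the consenters must stay reachable."""
    return total_consenters - unavailable >= total_consenters // 2 + 1

# --- constructed sample data: placeholder bytes, not real X.509 certificates ---
def _sample_pem(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def _sample_config(pem: str) -> dict:
    enc = base64.b64encode(pem.encode()).decode()  # config stores the PEM base64-encoded
    entry = {"host": "orderer0.example.com", "port": 7050,
             "client_tls_cert": enc, "server_tls_cert": enc}
    return {"channel_group": {"groups": {"Orderer": {"values": {"ConsensusType": {
        "value": {"metadata": {"consenters": [entry]}, "type": "etcdraft"}}}}}}}

OLD_PEM, NEW_PEM = _sample_pem(b"old-tls-cert"), _sample_pem(b"new-tls-cert")
CONFIGS = {"system-channel": _sample_config(NEW_PEM),   # already synced
           "app-channel-1": _sample_config(OLD_PEM)}    # still holds the old cert

if __name__ == "__main__":
    print(channels_needing_sync(CONFIGS, "orderer0.example.com", 7050, NEW_PEM))
    print(quorum_holds(3, 1), quorum_holds(3, 2))
```

An empty list from `channels_needing_sync` means every channel passed in already carries the rotated certificate for that orderer.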