Certificate Authority

What is a CA?

A Hyperledger Fabric network relies on a Public Key Infrastructure (PKI) for authenticated and confidential communication between participants. The two core components of a PKI are key pairs (a public key and a private key) and digital certificates: the private key lets a user sign transactions, and the digital certificate binds the corresponding public key to that user's identity on the network, so anyone can verify who signed what.

Hyperledger Fabric is a permissioned network: every actor needs an identity issued by an authorized entity, and every action on the network is authorized against that identity. This is what makes Hyperledger Fabric suitable for enterprise use where confidentiality is paramount.

Enabling TLS protects the communication channel between two entities on the network: traffic is encrypted, and the server (and, with client authentication enabled, the client as well) proves its identity with a TLS certificate.

The Certificate Authority (CA) issues these certificates, both enrollment certificates for identities and certificates for TLS communication. All of them are X.509 certificates. See the official Hyperledger Fabric documentation for more information.

For an identity to be verifiable, it must come from a trusted authority. In Fabric, a membership service provider (MSP) defines that trust: an MSP lists which CAs are accepted for a trust domain, so that the members of the domain are either the identities listed explicitly or the identities issued by one of those CAs. To learn more about MSPs, refer to the MSP section.

Root and Intermediate CA

CAs come in two flavors: root CAs and intermediate CAs. A root CA contains a self-signed root certificate. Intermediate CAs have their certificates issued by the root CA or another intermediate authority. This leads to a chain of trust where each intermediate CA is authorized by either the root CA or another intermediate CA.

If an intermediate CA is compromised, only the identities issued by that intermediate CA are exposed; it can be revoked and replaced while the root and the identities issued under other intermediates remain valid. If the root CA is compromised, every identity in the network is compromised, because all chains of trust end at the root and there is no higher authority left to revoke it. This is why the root CA's private key must be protected more strictly than any other key on the network. See the Hyperledger Fabric documentation for more about the chain of trust.

Note: The current version of the Catalyst Blockchain Platform supports root (self-signed) CAs only. Intermediate CAs will be introduced in future releases. Because every identity is therefore issued directly by the root, treat access to the root CA and to its CA admin credentials with corresponding care.

How to Create a CA?

To create a CA that is fully functional within the network, do the following:

  1. Create a CA

  2. Sign the CA (only if it is an intermediate CA)

  3. Enroll an admin identity

Create a CA

To create a root CA or an intermediate CA, go to the CAs tab and click the “Add new CA” button (the plus sign) to open a side window.

1. Fill in the following fields. They are common to root and intermediate CAs.

  • CA name

Note: The CA name cannot start with a number and must contain only lowercase letters.

  • Admin identity

  • Password

Note: All fields are mandatory.

Then select the type of CA you want to add. For a root CA, the following distinguished-name (DN) fields of the CA certificate are available:

  • CommonName (CN)

  • LocalityName (L)

  • StateOrProvinceName (ST)

  • OrganizationName (O)

  • OrganizationalUnitName (OU)

  • CountryName (C)

2. This page asks for technical details of the CA configuration. If you are not familiar with these fields, read about them in the official Hyperledger Fabric CA documentation or proceed with the default values provided by our engineers.

The required fields are:

  • Pathlength value. The maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. A pathlength of 0 means the CA may issue end-entity (identity and TLS) certificates but no subordinate CA certificates.

Note: The option is available for root CA only.

  • Choose TLS enabled if required.

  • Choose the image version (currently only V1.5 is available).

  • Choose Debug mode in the CA logs file if needed.

  • Resources allocation:

    • Requested CPU. Guaranteed CPU resource that will be allocated.

    • CPU limit. Maximum CPU resource that will be allocated.

    • Requested memory (MB). Guaranteed amount of RAM that will be allocated.

    • Memory limit (MB). The maximum amount of RAM that can be allocated.

    • Storage size.

  • You can also add custom environment variables.

3. This page lets you customize the signing options, which define the expiry of the certificates issued for the root CA, intermediate CAs, identities and TLS, and fill in the distinguished names.

4. This page shows all the details entered in the previous steps. Confirm them to create the CA, or go back to change any of them.
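Added example (not code from the Catalyst Blockchain Platform or from Hyperledger Fabric): the Go program below shows what the form fields in steps 1 to 3 become inside the CA certificate, and what the pathlength value from step 2 and the chain of trust described under “Root and Intermediate CA” mean in practice. It builds a self-signed root CA from the DN fields (CN, L, ST, O, OU, C), the pathlength and a CA expiry, issues an identity directly from the root, then issues an intermediate CA and an identity below it, and verifies both chains. With pathlength 0 the identity issued through the intermediate is rejected, because the root allows no CA below it; with pathlength 1 it is accepted. The CAForm struct, the function names and the sample values (ca.org1.example.com, Org1 and so on) are this example's own assumptions, not the platform's API; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CAForm mirrors the "Add new CA" form: the DN fields of the CA certificate, the
// pathlength value and the CA expiry from the signing options (names are this example's own).
type CAForm struct {
	CN, L, ST, O, OU, C string
	PathLen             int           // max number of intermediate CAs below this one; -1 = unlimited
	CAExpiry            time.Duration // validity period of the CA certificate
}

// CA pairs a CA certificate with the private key that signs on its behalf.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // toy serial counter; real CAs use large random serials

// issue generates a key pair and a certificate for subject, signed by parent
// (self-signed when parent is nil); CA certificates carry the pathlength constraint.
func issue(parent *CA, subject pkix.Name, expiry time.Duration, isCA bool, pathLen int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(expiry),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = pathLen, pathLen == 0 // Zero forces an explicit 0
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// NewRootCA builds the self-signed root CA described by the form.
func NewRootCA(f CAForm) (*CA, error) {
	return issue(nil, pkix.Name{CommonName: f.CN, Locality: []string{f.L}, Province: []string{f.ST},
		Organization: []string{f.O}, OrganizationalUnit: []string{f.OU}, Country: []string{f.C}},
		f.CAExpiry, true, f.PathLen)
}

// NewIntermediateCA issues a subordinate CA with pathlength 0 (it may issue identities, not CAs).
func (ca *CA) NewIntermediateCA(cn string, expiry time.Duration) (*CA, error) {
	return issue(ca, pkix.Name{CommonName: cn}, expiry, true, 0)
}

// IssueIdentity issues an end-entity (identity) certificate signed by the receiver.
func (ca *CA) IssueIdentity(name string, expiry time.Duration) (*x509.Certificate, error) {
	id, err := issue(ca, pkix.Name{CommonName: name}, expiry, false, 0)
	if err != nil {
		return nil, err
	}
	return id.Cert, nil
}

// Verify checks that leaf chains to root through the given intermediates; the
// verifier enforces the pathLenConstraint of every CA certificate in the chain.
func Verify(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	form := CAForm{CN: "ca.org1.example.com", L: "Dublin", ST: "Leinster", O: "Org1", OU: "Fabric", C: "IE",
		PathLen: 0, CAExpiry: 15 * 365 * 24 * time.Hour}
	root, _ := NewRootCA(form)
	peer, _ := root.IssueIdentity("peer0.org1.example.com", 365*24*time.Hour)
	fmt.Println("identity issued by the root:", Verify(peer, root.Cert))
	ica, _ := root.NewIntermediateCA("ica.org1.example.com", 5*365*24*time.Hour)
	client, _ := ica.IssueIdentity("client1", 365*24*time.Hour)
	fmt.Println("identity issued via an intermediate under a pathlen-0 root:", Verify(client, root.Cert, ica.Cert))
}
```

Run it with `go run`. Note that the signing call happily signs an intermediate under a pathlength-0 root; the constraint is enforced by verifiers, not by the issuer, so the pathlength must be set to the depth you actually need when the root is created rather than fixed afterwards.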

Sign an Intermediate CA

Intermediate CA functionality will be introduced in next releases.

Enroll an Admin Identity

To manage identities with a particular CA, you first need to enroll the CA admin identity that was registered during the CA creation process:

  • Go to the CAs tab.

  • Click on the particular CA.

  • Click on the “No CA Admin” button.

  • Provide the same credentials (CA admin ID and password) that you entered when creating the CA and submit.

After the CA admin identity is enrolled, you can view and manage identities: register, enroll and delete them.

The admin identity is displayed in both the Wallet and the Identities lists, and on the Identities tab of the CA details page.

Info: The Wallet contains the CA admin identities that the Catalyst Blockchain Platform uses to register and enroll identities with each CA in the network. A CA needs at least one wallet identity to be fully functional.

CA Details

Under the CAs tab, you can view your organization's existing CAs. They are displayed in a table with the following columns:

  • Name

  • Status

  • Type (root/intermediate)

Note: Only the root type is available in the current release.

  • OUs (organizational units)

  • Certificates icon

  • Link icon

Click on any CA to open a window with the details of that CA.

The details window is divided into five sections.

The first section shows all the information listed in the CA's row of the table, plus the admin identity ID and the pathlength value.

The second section provides some actions that can be performed on that CA. These are:

  • Restart

  • Remove

  • Update CA (you can change resource allocation, add/remove environment variables, modify signing options and enable/disable debug mode)

The third section, Environment variables, shows the resources allocated to the CA along with its environment variables, signing options and other details.

The fourth section lists all identities that the CA has issued on the network, and the CA admin identities in the wallet.

Info: The Wallet contains the CA admin identities that the Catalyst Blockchain Platform uses to register and enroll identities with this CA (see “Enroll an Admin Identity” above); the CA needs at least one wallet identity to be fully functional.

The information about these identities is displayed in the following columns:

  • Name

  • Alternative names: displays subject alternative names listed in TLS certificates.

  • Validity period

  • Certificates icon

  • Remove the identity icon

Warning: Delete identities carefully, especially identities in the Wallet.

If you delete the CA admin identity from the Wallet, you will not be able to manage identities until you enroll the admin identity again, as described in “Enroll an Admin Identity” above.

You can also add (register and/or enroll) a new identity under a particular CA in this section.

Note: The Catalyst Blockchain Platform does not store the passwords (enrollment secrets) of your identities, so keep them somewhere safe. If you forget a password, you will need to register and enroll a new identity.

The fifth section displays the events of the CA's node.

How to Create an Identity?

Creating an identity consists of two steps: registering the identity and enrolling it. Registration creates the identity record and its enrollment secret at the CA; enrollment uses that secret to obtain the identity's certificate. You can read more about registering and enrolling identities in the official Hyperledger Fabric documentation.

Although registering and enrolling an identity is part of creating almost every entity in the network, you can also register and/or enroll an identity separately. This is needed, for example, to register a client application identity, or to register a CA admin identity that will later be enrolled on the business-application side.

Tip: If you want to register and/or enroll identities with the Hyperledger Fabric SDK instead of the Catalyst Blockchain Platform UI, first register a CA admin identity in the UI, then enroll that identity on your business-application side. You can then use this CA admin identity to register and enroll new identities with that CA.

You can also enroll an identity first and then select it when creating a peer or ordering node, instead of creating a new identity there.

To register and/or enroll an identity:

  • Go to the CAs tab and click on the CA you want to use for registering.

  • Go to the “Identities” tab.

  • Click on the “Add identity” button.

  • Provide the name and password for the identity.

  • Select a type of identity (client, peer, or orderer).

Note: Make sure you select the matching type when creating an identity for a peer or an orderer.

  • Select “CA Admin” if the identity should be able to operate the CA (register and enroll other identities).

  • Select “Enroll identity” if needed.

Tip: You can always enroll a registered identity later using the “Enroll identity” icon.

Tip: Registered identities are listed together with enrolled identities in the identities list. Registered (not yet enrolled) identities have an “Enroll identity” icon and a disabled “Certificate” icon.

To enroll another CA admin identity (wallet identity):

  • Go to the CAs tab and click on the CA you want to use for registering.

  • Go to the “Identities” tab.

  • Click on the “Add identity” button.

  • Provide the name and password for the identity and submit by clicking the “Register&Enroll” button.

Info: The Wallet contains the CA admin identities that the Catalyst Blockchain Platform uses to register and enroll identities with each CA in the network.

Tip: You can enroll as many wallet identities as needed, but one wallet identity is usually enough for the CA to work properly.