Certificate Authority

What is a CA?

A blockchain network relies on a Public Key Infrastructure (PKI) for secured communication between the participants. The two most important parts of PKI are digital certificates and encryption keys (public and private). Therefore, PKI is also a collection of encryption keys and digital certificates where the encryption keys allow the users to sign their transactions digitally, and the digital certificates provide identity to those users on the network.
Being a permissioned network, every actor in the Hyperledger Fabric network needs a specific identity from an authorized entity. Furthermore, a user or entity can perform any activity in a network by authorizing their identity on that network. This process makes Hyperledger Fabric highly secure for enterprise use where confidentiality is paramount.
TLS inclusion establishes highly secure communications between two entities on a network.
Certificate Authority (CA) is responsible for issuing these certificates, both for identities and TLS communication. It issues digital certificates of the X.509 standard to the participants. You can see more information here.
For an identity to be verifiable, it must come from a trusted authority. A membership service provider (MSP) is that trusted authority in Hyperledger Fabric. The MSP identifies which CAs are accepted to define the members of a trust domain by listing their members' identities or by identifying which CAs are authorized to issue valid identities for their members. To know more about MSPs, please refer to this section.

Root and Intermediate CA

CAs come in two flavors: root CAs and intermediate CAs. A root CA contains a self-signed root certificate. Intermediate CAs have their certificates issued by the root CA or another intermediate authority. This leads to a chain of trust where each intermediate CA is authorized by either the root CA or another intermediate CA.
If an intermediate CA is compromised, only a small number of identities issued by that CA would be exposed. On the other hand, if the root CA is compromised, all network identities will be compromised. See more about the chain of trust.
Note: Current version of Catalyst Blockchain Platform supports root (or self-signed) CAs. Intermediate CA will be introduced in next releases.

How to Create a CA?

To create a full functioning within the network CA, you need to do the following:
  1. 1.
    Create a CA
  2. 2.
    Sign a CA (in case it is an intermediate CA)
  3. 3.
    Enroll an admin identity

Create a CA

To create a CA, go to the CA tab and click on the “Add CA” button to open a side window.
Add CA button
1. Provide a CA name (required).
2. Fill in the general information.
  • Choose a CA type (an intermediate CA option will be available in further releases).
  • Provide data for the CA admin registration: the CA admin ID and the password.
Note: You will need to provide the same CA admin credentials further when enrolling the CA admin.
3. Customize the CA details (you can use predefined values):
  • Choose Debug mode in the CA logs file if needed.
  • Enable TLS if required.
  • Choose the CA image.
Using a predefined image is recommended for compatibility issues. However, you can select your image if needed.
If you want to use an image from a private repository you should specify an imagePullSecret (a server name, your login, and your password). You need to specify a secret only once and then select the secret from a drop-down list.
You can create an imagePullSecret in your Kubernetes cluster and add the label "app.kubernetes.io/name": "image-pull-secret". After that, the secret will be available in the drop-down list.
Note that after removing your secret from the list Catalyst Blockchain Platform won't be able to use an image with this secret. In this case, you need to change the image/repository or create a new secret naming it the same.
  • Resources allocation:
    • Requested CPU. Guaranteed CPU resources that will be allocated.
    • CPU limit. Maximum CPU resources that will be allocated.
    • Requested memory (MB). Guaranteed amount of RAM that will be allocated.
    • Memory limit (MB). The maximum amount of RAM that can be allocated.
    • Storage size.
  • You can add custom environment variables if needed.
4. Customize a CSR (certificate signing request) or use predefined values.
  • Provide distinguished names (Country, Locality, Organization, Organizational Unit, and State or Province) if needed.
  • Customize path length value - A maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path.
  • Customize root CA expiry.
5. Customize signing options - These values define an expiry of certificates for intermediate CAs, identities, and TLS, which will be enrolled with the particular CA. You can use predefined values.
After clicking the “Save” button, the CA node will appear in the CAs list. You can check the node status and see the node’s events by clicking the status icon. Even though the node is up and running, you need to enroll the CA admin identity with the credentials you provided before during the CA creation. You can check the CA admin enrollment status by the “No CA admin” label. When no CA admin is enrolled, you cannot see and manage identities by the CA.
No CA admin label

Sign an Intermediate CA

Info: Intermediate CA functionality will be introduced in next releases.

Enroll an Admin Identity

To be able to operate identities with a particular CA, you need to enroll a CA admin identity, which was registered during the CA creation process:
  • Go to the CA page and click the “No CA admin” button on the particular CA. Or click on the particular CA, then click on the “Enroll CA admin” button.
  • Provide the same credentials (CA admin ID and password) as you entered during the CA creation process and submit the process.
After the successful enrollment of the CA admin identity, you will see and operate identities: register, enroll and delete identities.

CA Details

Under the CAs tab, you can view the existing CAs of your organization along with the following characteristics:
  • Name
  • Type (root/intermediate)
  • Certificates link
  • Link icon
  • The “No CA admin” label if the admin is not enrolled
  • Status
The CA node can exist in any of the following five states at any point in time:
  • Pending - A node is in the process of starting, or is awaiting the expansion of the Kubernetes cluster. Usually, when there are insufficient nodes to support the Hyperledger Fabric Blockchain Network, the Kubernetes cluster needs to expand, and the peers have to wait in the process.
  • Running - A node is successfully created and is ready to be used on the network.
  • Terminating - When the user initiates the process of removal of a node.
  • Failed - In case a node is unable to start due to some reason. It usually happens when the existing allocated resources have been exhausted, such as memory or storage.
  • Unknown - For some reason, a node’s status was not obtained.
If you click on any CA, you will see a new window where the details of that particular CA are displayed.
The details window is divided into five sections.

General information

In this section, you can view the details about the CA such as URL, certificates, signing options, etc.
CA details
Info: You can view a particular certificate by clicking on the link with the certificate date.
Here you can also see actions that can be performed on that CA:
  • Restart CA
  • Delete CA
  • Edit CA (you can change CA image, resource allocation, add/remove environment variables, modify signing options and enable/disable debug mode).

Variables

Here you can view and manage environment variables.
Environment variables

Identities

This section displays the list of all identities that a particular CA has issued on the network. You can also add a new identity here.
Identities
The information about these identities is displayed in the following columns:
  • ID.
  • Type - Displays all the identity’s attributes.
  • Alternative names - Displays subject alternative names listed in TLS certificates.
  • Certificates validity period.
  • Delete the identity icon - Deletes the identity.
Warning: Delete your identities carefully, especially if it is a CA admin identity in the wallet. If you delete your admin identity you will lose access to the CA’s identities management.
You can also add (register or/and enroll) a new identity under a particular CA in this section.
Info: You can view the identity certificate by clicking the particular validity value in the "Certificate" column.

Wallet

A wallet contains a CA admin identity that Catalyst Blockchain Platform uses to register and enroll identities by the particular CA within the network. You need a wallet identity for a CA to be fully functioning. This identity is automatically assigned to a wallet after enrolling.
Wallet
Info: Suppose you delete the CA admin identity from the wallet. In that case, you will not be able to operate identities until you enroll the admin identity as described above in the “Enroll an admin identity” section.
Note: You cannot add another identity to the wallet. Only that identity that was registered during the CA is added to the wallet automatically by Catalyst Blockchain Platform.

Events

This section displays events with a particular CA node.

How to Create an Identity?

The process of creating an identity consists of registering an identity and enrolling an identity. You can read more about registering and enrolling identities in the official Hyperledger Fabric documentation here.
While registering and enrolling of an identity is included in creating almost all entities in the network, there is an option to register or/and enroll an identity separately. For example, this option is needed to register the client application or register a CA admin identity for further enrolling on the business application side.
Tip: Suppose you want to register or/and enroll identities using Hyperledger Fabric SDK instead of Catalyst Blockchain Platform UI. In that case, you need first to register a CA admin identity using the UI and then enroll this identity on your business application side. You will register and enroll new identities with the particular CA using this CA admin identity.
You can also enroll an identity and then select this identity while creating a peer or ordering node instead of creating a new identity.
To register or/and enroll an identity, you should do the following:
  • Go to the CAs tab and click on CA, which you want to use for registering.
  • Go to the “Identities” tab.
  • Click on the “Add identity” button.
  • Provide the name and password for the identity.
  • Select a type of identity (client, peer, or orderer).
Note: Be sure you select an appropriate identity type to create an identity for a peer or an orderer.
  • Select “CA Admin” if you want an identity to operate the CA (register and enroll other identities).
  • Select “Enroll identity” if needed.
Add identity
Info: You can always enroll a registered identity later using the “Enroll identity” icon. You can see registered identities along with enrolled identities in the identities list. Registered identities have an “Enroll identity” icon and a disabled “Certificate” icon.