I am using fabric-sdk-nodejs to enroll the user and it works fine, but all the private keys and MSP material are created using Fabric CA.
My questions:
How can I generate a keypair for an offline user and then generate the certificate using Fabric CA for a particular organisation?
Is it possible to create the keypair offline? Which keypair generation is supported, or does Fabric have its own offline keypair generation?
In a production environment we cannot keep the user keypair, so how does the keypair generation flow work?
The way you are trying to do it is wrong.
Generation of a private key and certificate is a multi-step procedure.
When you try to create a keypair (private key & certificate), a root CA or intermediate CA has to sign it; only then will it be valid. This is called signing, using the concept of PKI.
Fabric supports x509 certificates & ECDSA private keys; you can generate the root CA certificate and sign certs outside.
Coming to your question about the security of user credentials: you can always use fabric-ca to generate the sign certs, and you have three options:
store them on the server as file storage
store them in CouchDB as a key-value store
store them in hardware using an HSM or so
What I see from the Hyperledger Fabric CA setup and user registration is that, when I enroll the user, the private key is generated on the server side together with the certificate, after which the CA will sign and the user will get the certificate with the private key. Generating the user private key on the server side is a security issue. Is there a way I can create the private key offline and generate the certificate? Correct me if I am wrong.
The private key is generated by the client instead of the CA. When enrollment is called by the client (either the Hyperledger Fabric SDK or the fabric-ca-client command), it will automatically:
Generate the key pair of private key and public key.
Use the key pair to generate a certificate signing request (CSR).
Send the CSR, enrollment ID, enrollment secret and other attributes to the CA to enroll the secret.
The CA will then return a signed certificate to the client.
As the private key is generated and stored by the client, there is no such security issue of leaking the private key by signing the certificate online.
You may take a look at the official documentation of Hyperledger Fabric and the Wikipedia article about PKI for the detailed process of certificate signing.
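The client-side key generation and CSR flow described in this answer (and the "sign certs outside" point in the first answer), as an added example in Go using only the standard library; this is not fabric-ca-client or Fabric SDK code. The self-signed "org1-ca" root, the 24 h validity and the serial numbers are constructed stand-ins for the organisation's Fabric CA: the private key is created on the client and only the CSR crosses to the CA, the CA checks the CSR's proof of possession before signing, and the issued certificate is then checked against the org root and the client's own key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with the signer's key (constructed 24 h validity) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// newCA stands in for the organisation's Fabric CA root: a self-signed ECDSA P-256 CA (constructed).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "org1-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}
// clientCSR is the client's side: the private key is generated here and never leaves; only the CSR goes to the CA.
func clientCSR(enrollmentID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: enrollmentID}}, key)
	return key, csr, err
}
// caSign is the CA's side: reject a CSR whose self-signature fails (no proof of key possession), else sign its public key.
func caSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature}
	return issue(tmpl, ca, csr.PublicKey, caKey)
}
// identityValid reports whether cert chains to the organisation CA and carries the public half of key.
func identityValid(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil && key.PublicKey.Equal(cert.PublicKey)
}
```

The same split applies when the CSR is carried by fabric-ca-client or the SDK: the CA only ever sees the request, so a compromised CA host cannot leak a key it never held.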
Hello, I have a Hyperledger blockchain network running with 5 organizations. If the private key of one of the organizations gets compromised, what steps or methods are available to revoke the private key? Are there any mechanisms in Fabric where we can generate a new set of key pairs for the same organization?
You can generate a new set of key pairs from your CA for your organization and then you should update the config block. You can take a look at this article to understand the idea.
You can generate the new certificate and private key pair from the Certificate Authority and pass it to the configuration. In the meantime, you can add the previous certificate to the Certificate Revocation List.
In Hyperledger Fabric, when an identity is issued, the certificate and key are shared by the admin, unlike in MultiChain where the user receives the key as a response and it is not shared with anyone, not even the admin.
Is it possible in some way in Fabric? If not, then Hyperledger is not decentralized, it is only distributed.
It is possible. An admin registers a new user with the certificate authority and gets a "secret" back.
This secret is then used by the client to enroll directly with the certificate authority and get their own key/certs, with nobody in between.
What exactly is the difference between enrolling and registering a certificate in Hyperledger Fabric CA? I am new to cryptography and I am really confused about the working of Fabric CA. Also, how are certificates generated via cryptogen different from certificates generated via Fabric CA?
So from what I understand, when you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.
The certificates that the cryptogen tool generates are not any different from the ones generated by the Fabric CA; the cryptogen tool is there for convenience in development. It should not be used in a live / production environment. Under the hood, the cryptogen tool actually spins up a Fabric CA server locally.
Here is a link to the latest documentation for Fabric CA:
https://hyperledger-fabric-ca.readthedocs.io/en/latest/
"Registration" is done by the CA admin. A username and password are assigned to an identity, along with attributes (will the identity be an admin or a node, for example?). This registration places the username and password, along with the relevant other information about the identity, in the database of the CA. No certificates have been generated at this point. The identity has simply been registered.
"Enrollment" is the process where certificates are created and given to the user of the identity. The username and password are given to this user out of band, and they use the name and password as part of a fabric-ca-client call to the CA. The public and private keys --- encoded with the relevant attributes registered with the CA --- are then generated.
The reason for the separation between registration and enrollment is to ensure that only the user of an identity receives their private key.
The certificates created by a CA are identical to those created by cryptogen --- an x.509 certificate is an x.509 certificate --- but cryptogen is a tool for quickly creating certs in a test environment, not a true method for creating certificates for anything resembling production.
Registering an identity means adding its details in Fabric CA.
Enrolling means the process where a registered identity connects to the CA and sends a Certificate Signing Request (CSR) to it. The CA checks if the identity is registered and performs some other validations; if the checks are successful, it returns a signed certificate to the identity. Since the certificate is signed by a CA trusted by the blockchain network, the identity now has the means to interact with the network using this certificate.
So, to make the identity able to interact with the network, it must pass two steps in this particular sequence:
Be registered on CA
Be enrolled
The admin is preregistered in the CA when it is started with:
fabric-ca-server start -b admin:adminpw
The details are here:
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html
You can also refer to the source.
The concept of first registering (saving username, password and other attributes in the CA's DB) and then letting the registered identity enroll to get certificates is the same in the latest version of Fabric CA as it was previously.
Refer to the latest link:
https://hyperledger-fabric.readthedocs.io/en/latest/deployment_guide_overview.html#step-four-use-the-ca-to-create-identities-and-msps
"Register and enroll an admin identity and create an MSP. After the CA that will be associated with an organization has been created, it can be used to first register a user and then enroll an identity (producing the certificate pair used by all entities on the network). In the first step, a username and password for the identity is assigned by the admin of the CA."
I am not a professional with certificates; however, I am trying to understand how to get this working with Azure Key Vault.
Use case: I have a website with an SSL certificate signed by a CA (not supported by Azure Key Vault).
I want to have that root certificate in my key vault and generate client certificates as needed for our customers. (They need to be able to validate that the certificate they retrieved came from our root certificate.)
My questions:
1 - Am I correct when assuming the following:
I can generate a certificate with Azure Key Vault, export the CSR, and get the CSR signed by my CA. Importing the output file provided by my CA will result in having the correct root certificate stored in the Key Vault.
2 - To generate client certificates, I need to repeat the process described in question 1; however, I do not need to get it signed by the CA, but rather by my new certificate that was created above? This way, I can create many client certificates in a secure way.