Hyperledger Fabric cryptographic material confusion

旧时模样 submitted on 2020-02-22 06:23:05

Question


Background

I have some difficulties in understanding the generation of cryptographic materials in Hyperledger Fabric. I noticed there is a similar question, Hyperledger fabric Crypto materials, and I have asked this question, Questions on hyperledger fabric MSP setting, before, but I still have lots of confusion.

I followed the example, Building Your First Network, and noticed that it uses the cryptogen tool, which consumes crypto-config.yaml. It generates the keys and certs for the orderers and organizations.

For example, inside the directory crypto-config/peerOrganizations/org1.example.com/, which has two peers and one user, it has the following structure:

|-- ca
|-- msp
|   |-- admincerts
|   |-- cacerts
|   `-- tlsacerts
|-- peers
|   |-- peer0.org1.example.com
|   |   |-- msp
|   |   |   |-- admincerts
|   |   |   |-- cacerts
|   |   |   |-- keystore
|   |   |   |-- signcerts
|   |   |   `-- tlscacerts
|   |   `-- tls
|   `-- peer1.org1.example.com
|       |-- msp
|       |   |-- admincerts
|       |   |-- cacerts
|       |   |-- keystore
|       |   |-- signcerts
|       |   `-- tlscacerts
|       `-- tls
|-- tlsca
`-- users
    |-- Admin@org1.example.com
    |   |-- msp
    |   |   |-- admincerts
    |   |   |-- cacerts
    |   |   |-- keystore
    |   |   |-- signcerts
    |   |   `-- tlscacerts
    |   `-- tls
    `-- User1@org1.example.com
        |-- msp
        |   |-- admincerts
        |   |-- cacerts
        |   |-- keystore
        |   |-- signcerts
        |   `-- tlscacerts
        `-- tls

Below are my understanding and the points of confusion that need clarification.

  1. Files under peers are identities for that particular peer node (part of the blockchain network), while the files under users are the identities for the end user (i.e. clients?). Am I correct?

  2. For the files under peer#@org1.example.com:

    • keystore (private key) is used to sign a transaction when the end user invokes a transaction (e.g. using the command peer invoke ....). Is the private key also used for endorsement?
    • signcerts (public key) is used to verify the endorsed transaction identity by orderers and committers. So, the public key shall be distributed to all peers and orderers, but how?
    • What is the purpose of admincerts, cacerts, tlscacerts, and tls? And why is tls not under msp? Perhaps I do not have a good understanding of MSP.
  3. Similar to point 2 above, what is the purpose of the keys and certs under users? Are they used only for logging in to the blockchain? Or would they be used for signing the transaction as well? And perhaps are they used for accessing part of the blockchain (private data and access control)?

  4. Moreover, I also noticed that admincerts under peer0.org1.example.com, peer1.org1.example.com and Admin@org1.example.com are the same. But they are different from the admincerts of User1@org1.example.com. That leads me to the question of why User1 needs admincerts.

  5. At the uppermost layer (not belonging to peers and users), we still have three directories: ca, msp, and tlsca. What is their purpose? It seems that these keys and certs belong to no one. And cryptogen is said to have no CA, so why is there still a ca here?

Thanks!

Source: https://stackoverflow.com/questions/53201205/hyperledger-fabric-cryptographic-material-confusion
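The trust relationship behind points 2 and 4 of the question, as an added example that is neither part of the question nor Fabric's own MSP code: an MSP treats cacerts as its only trust anchors, and a signcerts or admincerts entry is accepted only if it chains to one of them, which is why the copy of Admin@org1.example.com's certificate placed under each peer's admincerts validates against the same root. The example builds the material in memory with Go's standard crypto/x509 instead of reading cryptogen's directories, and all certificate names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates an ECDSA P-256 key and a cert for cn signed by parent; with no parent it becomes a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if parent == nil { // the org CA: what cryptogen puts under ca/ and copies into every cacerts/
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo is the MSP's test for a signcerts or admincerts entry: it must chain to the cacerts root.
// (A real cacerts/ directory may hold several roots; one is enough for this constructed org.)
func chainsTo(cacert, c *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cacert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Org1Demo builds Org1 from constructed material (not cryptogen output): the org CA, a peer0 signcert
// and an Admin cert issued by it, and, for contrast, an admin cert issued by an unrelated CA.
func Org1Demo() (peerOK, adminOK, foreignAdminOK bool) {
	ca, caKey := issue("ca.org1.example.com", nil, nil)
	peer0, _ := issue("peer0.org1.example.com", ca, caKey)
	admin, _ := issue("Admin@org1.example.com", ca, caKey)
	otherCA, otherKey := issue("ca.other.example.com", nil, nil)
	foreign, _ := issue("Admin@other.example.com", otherCA, otherKey)
	return chainsTo(ca, peer0), chainsTo(ca, admin), chainsTo(ca, foreign)
}
```

The first two results are true and the third is false: a certificate's location under peers/ or users/ carries no trust of its own, and a certificate from a CA absent from cacerts is rejected no matter which directory it is placed in.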
