Difference between users created through cryptogen and enrolled through Fabric CA Server

Question

While doing Hyperledger fabric setup, we create crypto material and mention users for organizations and and correspondingly user crypto material gets generated which is used to invoke chaincode while logging through CLI. Also, when we try to connect network through SDK we also need to enroll and register user to connect to network. So, what is the difference between these two users?

Answer 1

Cryptogen utility used for generating Hyperledger Fabric key material is mainly meant to be used for testing environment only.

It generates the CA certificate before the Fabric CA Server is up. {This won't be the case in production env.}

This certificate is mounted to fabric-ca in docker-compose.yaml file. This is done via volumes keyword as in the below snippet:

ca.example.com: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca.example.com - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk ports: - "7054:7054" command: sh -c 'fabric-ca-server start -b admin:adminpw -d' volumes: - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config container_name: ca.example.com networks: - basic

The command 'fabric-ca-server start -b admin:adminpw -d' in above script registers a bootstrap identity. This bootstrap identity is used by the application to enroll the 'admin' user. During this enrollment, fabric-ca-server gives the app a ecert, users private key and cacert chain PEM files.

From the above reference, the users certs generated by cryptogen and via application will be issued using the same root CA Cert.

When using CLI to execute commands such install chaincode, instantiate chaincode etc. you will be using the user certs generated by the cryptogen as these are mounted into the corresponding peer. Again refer to the volumes section of peer in docker-compose.yaml for this:

volumes:
        - /var/run/:/host/var/run/
        - ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
        - ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
        - ./config:/etc/hyperledger/configtx