Understanding Various Certificates in Hyperledger fabric

回眸只為那壹抹淺笑 submitted on 2020-01-11 17:02:39

Question


Hello, I am trying to use Hyperledger Fabric for a blockchain implementation. I did the first-network demo and found a lot of certificates in it. I have tried arranging them hierarchically in the picture below.

I have some questions related to them:

  1. Why are all these different categories of certs required? Like the different MSP and TLS ones: are they generated once and copied to different locations?
  2. How will these different certificates be used in different scenarios (like enrollment and communication)?
  3. If we don't use cryptogen, can some third party generate all these certificates?
  4. How can fabric-ca or any other third-party CA help here?

TIA.


Answer 1:


First of all, thanks for creating the tree for this.

I am a beginner in Hyperledger, but what I understand from the Hyperledger documentation is that each organization requires a unique root certificate (ca-cert) that binds specific components (peers and orderers) to that organization. Transactions and communications within Fabric are signed by an entity's private key (keystore) and then verified by means of a public key (signcerts).

As different organizations are also required to communicate or share their ledger, there is a need for a CA or MSP at the organization level. Within each organization we can have multiple peers, so we need certificates for these peers too. Even peers from different organizations can join each other, so they need signcerts (for authentication) and TLS certs (for a secure handshake).

To have a look at how these are generated, I suggest you manually generate the artifacts

http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html

and see the different certs in the folders inside, as you created them.




Answer 2:


When you generate the certificates of an org using cryptogen, you will see

├── ca
├── msp
├── peers
├── tlsca
└── users

Let me explain them one by one.

ca: contains the CA certificate & private key
tlsca: contains the CA certificate & private key (TLS version)
msp: this is the organization MSP; we need this to generate the genesis block:

Organizations:
    - &nbd
        Name: nbd
        ID: nbdMSP
        MSPDir: crypto-config/peerOrganizations/nbd/msp
        AnchorPeers:
            - Host: nbd-peer1-nbd
              Port: 7051

Peers: the peers folder contains two directories

├── msp
└── tls

Checking the MSP of a peer...

├── admincerts
├── cacerts
├── keystore
├── signcerts
└── tlscacerts

admincerts: this is the peer MSP, which is different from the organization MSP. Every peer can have admin certs, which are used to allow an admin-privileged user to issue admin-level transactions
cacerts: trusted root CA cert
keystore: private key of the peer
signcerts: signing cert of the peer
tlscacerts: trusted root CA cert (TLS version)

----Same for orderers also----

Users

├── Admin@nbd
└── User1@nbd

----Same for users also----
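As an added example, not from the answer above and not Fabric's own tooling: a POSIX shell script that builds a constructed, throwaway MSP directory in the cryptogen layout described above using openssl, then checks it the way an operator would before mounting it into a peer container (signcerts must chain to cacerts, not to tlscacerts, and keystore must match signcerts). The org name nbd and the peer CNs are assumptions; openssl must be on PATH.

```shell
# Added example: constructed MSP folders in the cryptogen layout, plus a
# consistency check. "nbd", "peer0.nbd" and "peer1.nbd" are assumed names.
WORK=$(mktemp -d)

# make_ca DIR NAME : self-signed ECDSA P-256 CA (the key type Fabric MSPs use)
make_ca() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/$2.key" 2>/dev/null
  openssl req -x509 -new -key "$1/$2.key" -subj "/CN=$2" -days 1 -out "$1/$2.pem" 2>/dev/null
}

# make_msp MSPDIR CADIR CANAME TLSCADIR TLSCANAME CN : peer-style MSP folders
make_msp() {
  mkdir -p "$1/admincerts" "$1/cacerts" "$1/keystore" "$1/signcerts" "$1/tlscacerts"
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/keystore/priv_sk" 2>/dev/null
  openssl req -new -key "$1/keystore/priv_sk" -subj "/CN=$6" -out "$WORK/$6.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$6.csr" -CA "$2/$3.pem" -CAkey "$2/$3.key" \
    -CAcreateserial -days 1 -out "$1/signcerts/$6-cert.pem" 2>/dev/null
  cp "$2/$3.pem" "$1/cacerts/"
  cp "$4/$5.pem" "$1/tlscacerts/"
}

# check_msp MSPDIR : returns 0 only when the MSP is internally consistent:
#  - cacerts, keystore, signcerts, tlscacerts exist and are non-empty
#  - signcerts chains to cacerts (tlscacerts is a separate root, never reused)
#  - the public key in signcerts matches the private key in keystore
check_msp() {
  for sub in cacerts keystore signcerts tlscacerts; do
    [ -n "$(ls -A "$1/$sub" 2>/dev/null)" ] || { echo "missing $sub"; return 1; }
  done
  cert=$(ls "$1"/signcerts/* | head -n 1)
  key=$(ls "$1"/keystore/* | head -n 1)
  ca=$(ls "$1"/cacerts/* | head -n 1)
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "signcerts not issued by cacerts"; return 1; }
  [ "$(openssl x509 -in "$cert" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "keystore does not match signcerts"; return 1; }
}

# Constructed good org: separate signing CA and TLS CA, as cryptogen produces.
mkdir -p "$WORK/ca" "$WORK/tlsca"
make_ca "$WORK/ca" "ca.nbd"
make_ca "$WORK/tlsca" "tlsca.nbd"
make_msp "$WORK/good" "$WORK/ca" "ca.nbd" "$WORK/tlsca" "tlsca.nbd" "peer0.nbd"
# Constructed bad MSP: the TLS root was copied into cacerts instead of ca.nbd.pem.
make_msp "$WORK/bad" "$WORK/ca" "ca.nbd" "$WORK/tlsca" "tlsca.nbd" "peer1.nbd"
rm "$WORK/bad/cacerts/ca.nbd.pem" && cp "$WORK/tlsca/tlsca.nbd.pem" "$WORK/bad/cacerts/"
check_msp "$WORK/good" && echo "good MSP: consistent"
check_msp "$WORK/bad" || echo "bad MSP: rejected"
```

Run it against a real cryptogen output by calling check_msp on a peer's msp folder; a mixed-up cacerts/tlscacerts copy is exactly the kind of error it catches.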




Answer 3:


During the setup of your blockchain network, we need a variety of certificates, which we can focus on the CA (Certificate Authority) for, like the MSP configuration of the blockchain network. I personally used a CA for my IBM Hyperledger application.




Answer 4:


Just in case you still have doubts: your post is a bit old and you may have already answered your questions.

  1. Why are all these different categories of certs required? Like the different MSP and TLS ones: are they generated once and copied to different locations?

R/ I think the part on why all these certs are required @kots got pretty much covered. To the second part of your question: the reason there are so many crypto objects copied is that in a production environment you are supposed to have every container separated. So the folder you mount for them should contain all the objects required for communication and authorization. There should not be a central folder containing just a copy of the files.

  2. How will these different certificates be used in different scenarios (like enrollment and communication)?

R/ They pass through a bunch of security mechanisms such as channels, MSPs, etc., through the gossip protocols, and they need to authenticate each request. More details in the link copied by @kots.

  3. If we don't use cryptogen, can some third party generate all these certificates?

R/ You can use cryptogen (without Fabric-CA), Fabric-CA (with your own external root cert, one generated by cryptogen, or one generated by Fabric-CA), or you can bring your own CA, but it's a bit harder and you need to match it with your chaincode authorization strategy.

  4. How can fabric-ca or any other third-party CA help here?

R/ Using Fabric-CA gives you a nearly production-ready environment. It handles most of the crypto generation tasks, as well as CRLs and enrollment. As explained in response #3, you may have plenty of mixes depending on your requirements.

Best regards.



Source: https://stackoverflow.com/questions/46465298/understanding-various-certificates-in-hyperledger-fabric
