How to get orderer and peer certificates


You will automatically be issued the required certificates upon launching your Fabric network and becoming enrolled as the network admin with the CA server.

Upon network launch, a request for a username/password for the CA (certificate authority) server is generated. This is shown on the settings page.

    1. While it is being processed, the orderer shows as “waiting for network admin” until the network admin is enrolled with the CA server.
    2. The orderer will need to follow the instructions on the connect page to enroll the network admin with the CA server.
       a. The orderer can then pull the public key from the CA server based on the network admin user name.
       b. The orderer automatically waits for the default network admin user name to be enrolled.
    3. When the admin public key(s) show up, the orderer (container?) automatically creates the system channel genesis block, including the provided cert, and starts the orderer process.


Notes on Certs:

Admin certs – This folder contains the list of identities allowed to administer the peer (installing/instantiating chaincode, creating channels, etc.). Therefore, in order to administer a peer, the entity administering it (such as a client application) must have its signcert (its public key identity) in the peer's /admincerts folder. In other words, this folder defines the actors who hold the administrator role for this entity. Typically resides under /mnt/crypto/peer/peer/msp/admincerts

CA cert – Each entity has its own CA. The CA cert is the root certificate: the top-level certificate that represents the trusted authority for the network. The cert in the /cacerts folder is the public CA identity, and the CA is the issuer of the signcert and the admin certs. The CA cert bundle is also what you use to verify that a server is really the one you intend to talk to (when it presents its certificate in the TLS/SSL handshake). Typically resides under /mnt/crypto/peer/peer/msp/cacerts

Intermediate certs – Each entity has its own intermediate CA, whose certificate is issued by the root CA or by another intermediate CA, establishing a “chain of trust” for any certificate issued by any CA in the chain. Being able to trace every certificate back to the root CA lets the CA function scale while still providing security. Typically resides under /mnt/crypto/peer/peer/msp/intermediatecerts

Keystore = private key – Transactions are signed with the private key and then verified with the corresponding public key, which has been shared with other entities. Access to this folder must be limited to the identities of users who have administrative responsibility for the peer. Resides in /mnt/crypto/peer/peer/msp/keystore

Signcert = public key – Signcerts are used for endorsing functions, for example to sign a transaction proposal response as part of the endorsement phase. Resides in /mnt/crypto/peer/peer/msp/signcerts

TLS certs – Use of TLS is strongly recommended: it secures the communication channel. The TLS cert needs to be shared with every party the entity will communicate with. The cert resides in /mnt/msp/tls/cacert.pem and is typically passed on CLI commands. You need to get the TLS cert from the TLS CA.
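To check that an MSP directory laid out as in the notes above is internally consistent, here is an added shell example (not Fabric's own tooling and not from this page): it constructs a throwaway root CA, intermediate CA and peer signcert with openssl, then verifies that the signcert chains to cacerts through intermediatecerts, that the keystore private key is the one behind the signcert, and that the keystore is not readable by other users. The file names (ca-cert.pem, ica-cert.pem, cert.pem, priv_sk) and the ca-keys/ scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not Fabric's own tooling. Builds a throwaway MSP directory in
# the layout described above, then runs the checks a peer admin would want
# before trusting it. Assumes the openssl CLI; file names are assumptions.
set -e
EC='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

# Constructed root CA -> intermediate CA -> peer signcert chain laid out under
# $1/{cacerts,intermediatecerts,signcerts,keystore}; CA keys stay in ca-keys/.
make_msp() {
  msp=$1
  mkdir -p "$msp/cacerts" "$msp/intermediatecerts" "$msp/signcerts" \
           "$msp/keystore" "$msp/admincerts" "$msp/ca-keys"
  # root CA: self-signed; req -x509 marks it CA:TRUE by default
  openssl req -x509 $EC -subj /CN=root-ca -days 30 \
    -keyout "$msp/ca-keys/root.key" -out "$msp/cacerts/ca-cert.pem" 2>/dev/null
  # intermediate CA: issued by the root and explicitly marked as a CA
  openssl req $EC -subj /CN=intermediate-ca \
    -keyout "$msp/ca-keys/ica.key" -out "$msp/ca-keys/ica.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$msp/ca-keys/ica.ext"
  openssl x509 -req -in "$msp/ca-keys/ica.csr" -CA "$msp/cacerts/ca-cert.pem" \
    -CAkey "$msp/ca-keys/root.key" -set_serial 1 -days 30 \
    -extfile "$msp/ca-keys/ica.ext" -out "$msp/intermediatecerts/ica-cert.pem" 2>/dev/null
  # peer signcert: issued by the intermediate; its private key is the keystore
  openssl req $EC -subj /CN=peer0 \
    -keyout "$msp/keystore/priv_sk" -out "$msp/ca-keys/peer.csr" 2>/dev/null
  openssl x509 -req -in "$msp/ca-keys/peer.csr" -CA "$msp/intermediatecerts/ica-cert.pem" \
    -CAkey "$msp/ca-keys/ica.key" -set_serial 2 -days 30 \
    -out "$msp/signcerts/cert.pem" 2>/dev/null
  chmod 600 "$msp/keystore/priv_sk"
}

# Succeeds only when (a) the keystore key is readable by its owner alone, (b) the
# signcert chains to cacerts via intermediatecerts, (c) that key matches the signcert.
check_msp() {
  msp=$1
  key=$msp/keystore/priv_sk
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "keystore key is readable by group/others"; return 1; }
  openssl verify -CAfile "$msp/cacerts/ca-cert.pem" \
    -untrusted "$msp/intermediatecerts/ica-cert.pem" \
    "$msp/signcerts/cert.pem" >/dev/null 2>&1 \
    || { echo "signcert does not chain to cacerts"; return 1; }
  [ "$(openssl x509 -in "$msp/signcerts/cert.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "keystore key does not match signcert"; return 1; }
  echo "msp ok"
}
```

Run `make_msp /tmp/peer-msp && check_msp /tmp/peer-msp` to see a passing layout; pointing check_msp at a real peer MSP only needs the file names adjusted.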
