Bootstrapping The Initial PeerOrg admin user


IMPORTANT: Your new Hyperledger Fabric network will not be up and running until you follow these instructions to create an initial PeerOrg admin user.


1. Install Python3, jq, and jinja2

  • MacOS:
    brew install jq python3
    pip3 install jinja2
  • Ubuntu/Debian:
    sudo apt install jq python3-jinja2

2. If you haven't done so already, download and install the Hyperledger Fabric tools.

Blockdaemon KB repo

git clone
cd hlf-kb-docs                       

Fetch the Blockdaemon HLF TLSCA public certificate

Note: <NetworkID> is the ID of the network as shown in the Network connect page of your dashboard at Omit the <>'s, e.g. NETWORK_ID="abcdefgh".


curl -sSk https://ca-server.${NETWORK_ID} \
  | jq -r ".result.CAChain" | base64 -d > tlsca-${NETWORK_ID}.pem

For MacOS, base64 -D is required

Some versions of `base64` use `-D` (uppercase) instead of `-d` (lowercase).
If you get the error message `base64: invalid option -- d`, please run the command again with `-D`.

Make sure the pem file has data

openssl x509 -noout -text -in tlsca-${NETWORK_ID}.pem

If this fails, please contact technical support.

Enroll the CA admin and initial PeerOrg admin

Prepare the environment

export FABRIC_CA_CLIENT_CANAME="ca-peer-org"

Enroll the CA admin

In this example, <ca_admin_user> and <ca_admin_pass> are the credentials shown on the Network connect page of your dashboard at Omit the <>'s, e.g. CA_USER="admin".


fabric-ca-client enroll \
  -u "https://${CA_USER}:${CA_PASS}@ca-server.${NETWORK_ID}"

Register and enroll the PeerOrg admin

This fabric-ca-client register/enroll step can only be done once! Once you have registered the PeerOrg admin user, you cannot register it again unless you first remove the existing one with fabric-ca-client identity remove. If a new PeerOrg admin is enrolled, any existing peers or orderers that identify the original identity as an admin cannot be updated; only new peers will identify the new identity as an admin!

Register the new PeerOrg admin. Its password will be printed on stdout:

fabric-ca-client register \
  -u "https://ca-server.${NETWORK_ID}" \
  --id.type=user \
  --id.name "Admin@${NETWORK_ID}-peerOrg"

You should see:

Password: abcdefgh

Enroll the initial PeerOrg admin, and generate an MSP directory structure in PeerAdmin/msp:

In this example, <RegisterPassword> is the password printed on stdout from the command above. Omit the <>'s, e.g. PASSWORD="abcdefgh"


mkdir -p PeerAdmin

fabric-ca-client enroll \
  -u "https://Admin@${NETWORK_ID}-peerOrg:${PASSWORD}@ca-server.${NETWORK_ID}" \
  -H PeerAdmin --csr.names="O=${NETWORK_ID}-peerOrg"


Make sure to keep the PeerAdmin/msp/keystore directory safe! Once you enroll the initial PeerOrg admin, these credentials will be automatically used to generate the system channel genesis block on the orderer and be granted admin privileges on all the peers in this network. If you lose the credentials for this user, you will no longer be able to create new channels, nor will any peers be able to join any existing channels. 
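
One way to act on the warning above, as an added example that is not from the original article or from Blockdaemon: POSIX shell functions that restrict PeerAdmin/msp/keystore to its owner and write an owner-only tar backup of the MSP directory. The function names and the backup path are assumptions.

```shell
# Added example, not Blockdaemon's code. The PeerAdmin/msp/keystore layout is
# from the article; the function names and backup path are assumptions.

# List keystore entries that group or others can read, write or traverse.
loose_keystore_entries() {
  find "$1/msp/keystore" \( -type f -o -type d \) \
    \( -perm -040 -o -perm -020 -o -perm -010 \
       -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Restrict the keystore to its owner: 700 on the directory, 600 on key files.
harden_keystore() {
  ks="$1/msp/keystore"
  [ -d "$ks" ] || { echo "no keystore at $ks" >&2; return 1; }
  find "$ks" -type d -exec chmod 700 {} + || return 1
  find "$ks" -type f -exec chmod 600 {} + || return 1
  # Succeed only if at least one key exists and nothing is left exposed.
  [ -n "$(find "$ks" -type f)" ] && [ -z "$(loose_keystore_entries "$1")" ]
}

# Write an owner-only tar archive of the whole MSP directory for offline storage.
backup_msp() {
  harden_keystore "$1" || return 1
  ( umask 077 && tar -cf "$2" -C "$1" msp )
}

# Usage after the enroll step: backup_msp PeerAdmin "$HOME/peeradmin-msp.tar"
```

Store the resulting archive offline or in a secrets vault; it contains the private key that holds admin rights on every peer in the network.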
