Research if a Fabric CA can be customized to use an open public CA

[zhangpn]

• [ ] test against public CA
• [ ] See if private CA is accessible for mobile app (i.e. api to hyperledger to CA)

Any public CA in the family of keccak256

Keccak: https://www.npmjs.com/package/keccak

Keccak256 (specific implementation): https://www.npmjs.com/package/keccak256

• [ ] Creating a starter script file for issuing user credentials from Fabric native CA
• [ ] Swap the native CA SDK with keccak

[Wyntuition]

    - It appears Fabric can be pointed to a public CA via fabric ca client CLI commands, but we haven't tested it yet, and it is not normally done. Should we spend time doing that?
            - What are needs for a public CA vs private single CA? Same roles, more trusted? 
                - all orgs can use 1 CA. But not normal to use a public one as not needed and not private 
                - How important for testing purposes?

[Wyntuition]

Notes - steps to configuring an open public CA

You can use a non-Fabric CA -

• you will need to create the relevant identities and MSPs that Fabric uses to build organizations, client identities, and nodes.
• If you intend on having your key signed by a CA you'll have to send your CSR file (and some cash) to your CA of choice
• They will return a certificate you can use instead of the Hyperledger Fabric network organization's CA-signed cert

Note, Fabric CA performs these functions:

• Issuance of Enrollment Certificates (ECerts). Enrollment is a process whereby the Fabric CA issues a certificate key-pair, comprised of a signing certificate and a private key that forms the identity.
• The private and public keys are first generated locally by the Fabric CA client, and then the public key is sent to the CA which returns an encoded certificate, the signing certificate.
• Certificate renewal and revocation.

Some key terms:

• “organization” CA - use to generate identities for nodes, admins, and clients, and this TLS CA is the same CA you will use to generate certificates
• TLS CA - used (for encrypting communication traffic)
• fabric-ca-client - must be set up, as it is used to make calls to the "organization" CA server where an identity is registered and enrolled

Some key workflow steps:

• identity is first registered with a CA by a CA admin
• identity is then enrolled by the user of the identity. If you are using the Fabric CA client, this registration command looks like this (regardless of the type of identity you are enrolling, and the type of CA):

./fabric-ca-client register -d --id.name <ID_NAME> --id.secret <ID_SECRET> -u <CA_URL> --mspdir <CA_ADMIN> --id.type <ID_TYPE> --id.attrs $ID_ATTRIBUTE --tls.certfiles <TLSCERT>

Configuring a CA in HLF:

• Determine folder structure for crypto material - it should be by org

• Continue research on how to create the relevant identities and MSPs that use an external "organizational" CA, to create the organizations, client identites, and nodes. Good place to start for how it works in Fabric, but will need to see how to see how to do with with an external CA, https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html

[Wyntuition]

Closing this, as for now we are planning to create private-public key pairs using keccak256 on the device and into an ethereum address, to act as a public CA.