hyperledger-labs / minifabric

Do fabric network the right and easy way.
Apache License 2.0

Create CA Root to sign the Intermediate CAs #213

Open antoniobaiao opened 3 years ago

antoniobaiao commented 3 years ago

Hello,

Is it possible to create a self-signed CA Root (or use an external one) to be the source of trust for the intermediate CAs (the organization's CAs that will sign the entities like peer, orders, etc.), instead of the organization CAs being self-signed?

The goal is to create a chain of trust of CAs like in the following example link: https://medium.com/ibm-garage/using-3rd-party-root-cas-in-hyperledger-fabric-3cafa91d1260

Thank you

litong01 commented 3 years ago

Minifabric uses OpenSSL to create certs. Then it sets up the CA node. You can look at the code and see how it works. I am pretty sure you can add some logic there to support using existing certs or creating new self-signed certs. Your contribution is welcome.

itaru2622 commented 3 years ago

This matter seems to be achieved by changing playbooks/ops/certgen/orgkeygen.yaml, and also partykeygen.yaml (?)

litong01 commented 3 years ago

Right. It will be somewhere there. But it needs logic to import an existing cert/key from a well-known CA, given that cert is allowed to be an intermediate CA, etc.

antoniobaiao commented 3 years ago

Thanks all for your answers. I saw that the "minifab" file creates a docker container, which will be used to configure the whole network by loading an existing minifab image.

Is main.sh the starting point? If yes, can I run just main.sh to do local tests?
If there is another routine that should be followed, please let me know.

Thanks

litong01 commented 3 years ago

@antoniobaiao yes, it is, but there is no good reason why you have to run it natively. It basically runs a lot of Ansible playbooks inside a container; if you want to run it natively, your system will need Ansible and possibly other dependencies. If you manage to get all the dependencies available in your system, you can run it without any problems.

antoniobaiao commented 3 years ago

Yes, you are right. So the best way is to create a local image of minifab to be loaded in the docker container.

litong01 commented 3 years ago

@antoniobaiao that is right. Run docker build -t hyperledgerlabs/minifab:latest . to build your own image and run the same command; you won't have to pollute your env.

antoniobaiao commented 3 years ago

Thank you for your answer, it was really helpful. I can already create the root CA; however, I'm facing some errors that are not very explicit at the command line. In the ansible.log in the /var directory, the information is very poor, so my question is: is there another place where I can look at the logs of the Ansible tasks that are being executed?

litong01 commented 3 years ago

@antoniobaiao use -f default to see more verbose output.

antoniobaiao commented 3 years ago

Hello, firstly, thank you very much for your help.

I'm facing some problems regarding the certificates. I added the following scripts to generate the certificates. The whole ./minifab up process goes well until the creation of the channel, when I receive an error.

image

and when I look into the container.

image

The changes I did:

orgkeygen.txt createcerts.txt

Sorry, I had to put the files in txt; GitHub doesn't allow me to upload yaml files. Can you take a look, please? I already checked the generated certificates and they look good. I used the commands here to check them: https://www.ssl247.co.uk/kb/ssl-certificates/troubleshooting/certificate-matches-private-key

Thank you very much for your help
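
The chain this thread is trying to build, a root CA signing an organization CA, together with the checks that catch a broken chain or a key that does not match its certificate, as an added example that is not minifabric's playbook code or anything posted by the participants. File names, subjects and lifetimes are constructed placeholders; the key comparison goes through the public key, so it also works for EC keys, which have no RSA modulus to compare.

```shell
#!/bin/sh
# Added example. All names, subjects and lifetimes are constructed placeholders.
set -eu
# build_chain DIR: create a self-signed root CA, then an organization CA signed by it.
build_chain() {
  d="$1"; mkdir -p "$d"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ica_ext]
# pathlen:0: the org CA may sign end entities, not further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  for n in root ica; do   # ECDSA P-256 keys (an assumption of this example)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
  done
  openssl req -x509 -new -config "$d/ca.cnf" -extensions root_ext -sha256 -days 3650 \
    -key "$d/root.key" -subj "/O=Example/CN=root-ca.example.com" -out "$d/root.crt"
  openssl req -new -config "$d/ca.cnf" -key "$d/ica.key" \
    -subj "/O=org1.example.com/CN=ca.org1.example.com" -out "$d/ica.csr"
  openssl x509 -req -in "$d/ica.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$d/ca.cnf" -extensions ica_ext \
    -out "$d/ica.crt" 2>/dev/null
}
# verify_chain ROOT CERT: succeeds only if CERT chains to ROOT.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# is_ca CERT: succeeds only if basicConstraints marks CERT as a CA.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# key_matches_cert KEY CERT: compare the public key derived from KEY with the one in CERT.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}
# Demo run in a throwaway directory.
d=$(mktemp -d)
build_chain "$d" && verify_chain "$d/root.crt" "$d/ica.crt" && is_ca "$d/ica.crt" \
  && key_matches_cert "$d/ica.key" "$d/ica.crt" && echo "org CA chains to root; key matches"
```

An organization CA issued by a different root with the same subject name fails `verify_chain`, which is the check to run before handing the certificates to the CA node.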