Hyperledger Fabric Certificate Authority (CA) Client


In the previous blog we discussed the Fabric CA architecture, initializing the Fabric-CA server and configuring its database. Now we will look at the fabric-ca-client command. The Fabric-CA client is how you interact with a Fabric-CA server; a deployment can consist of a root server plus multiple intermediate servers, and each of those servers can in turn be run as a cluster of instances that sit behind a load balancer and share one database.

Before using fabric-ca-client we need a running Fabric-CA server, so let's recap how to start one. Remember to work from $GOPATH/bin, where fabric-ca-server and fabric-ca-client were installed by the command in the previous blog.

fabric-ca-server start -b admin:adminpw

The Fabric-CA server is now running with the bootstrap identity admin:adminpw (change this default before exposing the server anywhere beyond localhost). Next, export the environment the rest of the walkthrough assumes. Note that the CORE_PEER_* variables below configure the peer binary, not fabric-ca-client; the client is configured through its home directory, FABRIC_CA_CLIENT_HOME, which defaults to $HOME/.fabric-ca-client and is where the enrolled identity's msp directory is written.

export CORE_PEER_ID=peer0.org1.example.com
export CORE_LOGGING_PEER=debug
export CORE_PEER_MSPCONFIGPATH=/Path/to/fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051

Enrolling the bootstrap identity

Now run fabric-ca-client enroll to enroll the bootstrap identity. The following command enrolls the identity with ID admin and password adminpw against the Fabric CA server running locally on port 7054. The URL uses plain http because TLS is disabled in the server's default configuration; with tls.enabled set on the server, use https instead and point the client at the CA's TLS certificate with --tls.certfiles, otherwise the password in this URL travels in the clear.

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

The enroll command stores the enrollment certificate (ECert) in msp/signcerts, the corresponding private key in msp/keystore and the CA certificate chain in msp/cacerts under the Fabric CA client's home directory, all as PEM files. The bootstrap identity's ID and password can also be configured in the registry.identities section of fabric-ca-server-config.yaml instead of being passed on the command line with -b.


After enrollment, the issued certificate is recorded in the certificates table of the server's database, which is SQLite by default; the Fabric CA server can also be configured to use PostgreSQL or MySQL. The schema of the certificates table is shown below:


Registering a new identity

The identity performing the register request must itself be enrolled and must have the authority to register identities of the requested type: if the invoker's identity has the hf.Registrar.Roles attribute with the value peer,app,user, it can register identities of type peer, app and user. Likewise, any attributes it assigns to the new identity (such as hf.Revoker below) must be permitted by its own hf.Registrar.Attributes attribute.

fabric-ca-client register --id.name admin1 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' --id.type user

The command above uses the admin identity's credentials to register a new user with enrollment ID “admin1”, affiliation “org1.department1”, an attribute “hf.Revoker” set to “true” and an attribute “admin” set to “true”. The “:ecert” suffix means the “admin” attribute and its value are inserted into the user's enrollment certificate by default, where chaincode or policies can use it to make access control decisions.

Registering a new identity prints its password, also known as the enrollment secret (unless you supplied one yourself with --id.secret). This secret is required to enroll the identity, so treat it as confidential: anyone holding it can enroll as that identity and obtain its certificate.


Enrolling a peer identity

The register example above created a user named admin1; to register a peer, run the same command with --id.name peer1 --id.type peer (the registrar's hf.Registrar.Roles must include peer). Once the peer is registered, enroll it with its enrollment ID and the secret printed in the previous step. Point FABRIC_CA_CLIENT_HOME at a fresh directory first, so that the peer's certificate and key are stored separately from the admin's.

fabric-ca-client enroll -u http://peer1:<password>@localhost:7054
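The complete flow from the sections above (enroll the bootstrap admin, register peer1, enroll the peer into its own client home) as a single shell script. This is an added example, not code from the original post or from the Fabric CA project. It assumes a Fabric-CA server on localhost:7054 with the default admin:adminpw bootstrap identity; the directory layout under $WORK, the RUN_FLOW switch and the helper names extract_secret and check_msp_dir are choices made for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the Fabric CA project): the
# enroll -> register -> enroll flow from this page as one script.
# Assumptions: a fabric-ca-server on $CA_URL with bootstrap identity
# admin:adminpw; client homes under $WORK; the RUN_FLOW switch and the helper
# names below are choices made for this example.
set -eu

WORK="${WORK:-${HOME:-/tmp}/fabric-ca/clients}"   # one client home per identity
CA_URL="${CA_URL:-localhost:7054}"                  # host:port of the CA server

# `fabric-ca-client register` prints the enrollment secret on a line of the
# form "Password: <secret>". Pull it out of the captured output; fail if absent.
extract_secret() {
    secret=$(printf '%s\n' "$1" | sed -n 's/^Password: *//p' | head -n 1)
    [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
}

# A completed enrollment leaves a cert in signcerts/, exactly one *_sk private
# key in keystore/ and at least one CA cert in cacerts/ under the msp directory.
check_msp_dir() {
    dir="$1"
    [ -s "$dir/signcerts/cert.pem" ] || return 1
    set -- "$dir"/keystore/*_sk
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    set -- "$dir"/cacerts/*.pem
    [ -f "$1" ] || return 1
}

# Enroll the bootstrap admin into its own client home.
enroll_admin() {
    export FABRIC_CA_CLIENT_HOME="$WORK/admin"
    fabric-ca-client enroll -u "http://admin:adminpw@$CA_URL"
    check_msp_dir "$FABRIC_CA_CLIENT_HOME/msp"
}

# Register peer1 using the admin's credentials; echo the generated secret.
# The admin's hf.Registrar.Roles must include "peer" for this to be allowed.
register_peer() {
    export FABRIC_CA_CLIENT_HOME="$WORK/admin"
    out=$(fabric-ca-client register --id.name peer1 --id.type peer \
              --id.affiliation org1.department1)
    extract_secret "$out"
}

# Enroll peer1 into a separate client home so its key and cert never share a
# directory with the admin's. With TLS enabled on the server, switch the URL
# to https and add: --tls.certfiles <path to the CA's TLS cert>.
enroll_peer() {
    export FABRIC_CA_CLIENT_HOME="$WORK/peer1"
    fabric-ca-client enroll -u "http://peer1:$1@$CA_URL" \
        -M "$FABRIC_CA_CLIENT_HOME/msp"
    check_msp_dir "$FABRIC_CA_CLIENT_HOME/msp"
    # The ECert subject carries the enrollment ID as CN and the type as OU.
    openssl x509 -in "$FABRIC_CA_CLIENT_HOME/msp/signcerts/cert.pem" \
        -noout -subject
}

main() {
    enroll_admin
    peer_secret=$(register_peer)
    enroll_peer "$peer_secret"
}

# Only contact a server when explicitly asked: RUN_FLOW=1 sh this_script.sh
if [ "${RUN_FLOW:-0}" = 1 ]; then
    main
fi
```

Run it with RUN_FLOW=1 against a freshly started server. Capturing the secret from the register output and handing it straight to enroll keeps it out of a copy-paste step, and the per-identity FABRIC_CA_CLIENT_HOME keeps the admin's private key and the peer's private key in separate directories; check_msp_dir fails loudly if an enrollment left the msp directory incomplete or with more than one key.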

That's it! We have enrolled the bootstrap admin, registered a new identity with the server and enrolled it.

I hope you liked the blog. Happy Coding! 🙂


Hyperledger Official Documentation

