CAs

Fabric CA ships as its own component of an HLF release, distributed as a separate Docker image alongside the peer and orderer images. In a blockchain network, a CA has two jobs:

  • Registering identities (users, administrators, and nodes) so that they are known to the CA
  • Enrolling those identities, that is, issuing each one its certificate and key pair

In HLF, the Certificate Authority is a service that creates and issues enrollment certificates to participating nodes and users, allowing them to join and transact on the blockchain network. These enrollment certificates use the standard X.509 v3 format. The Fabric CA can be extended by enterprises, or replaced outright with another X.509 CA. The certificate binds various pieces of information about the subject (the participant), as shown previously, to the subject's public key, and the CA signs the whole bundle with its own private key before issuing it. Because the signature comes from a trusted CA, both the participant and the information in the certificate are trusted: anyone holding the CA's public key can verify the signature and therefore trust the certificate, without any further contact with the CA.

In addition, when the subject (the sender of a transaction) signs that transaction, the recipient uses the public key carried in the sender's certificate to check the authenticity and integrity of the message. Well-known public CAs include DigiCert and the former Verisign CA business (later Symantec's, and since 2017 part of DigiCert). Certificates contain public keys only; neither the CA's nor the participant's private key ever appears in one. In a blockchain network, every participant needs a digital identity issued by its organization's CA, which is to say that the CA provides each participant with a verifiable digital identity.

The following types of CA are available:

  • Root CAs are large, well-known CAs, such as DigiCert, that self-sign their own certificates and then issue certificates to other CAs. Intermediate CAs hold a certificate issued by the root CA or by another intermediate CA. This produces a TrustChain (chain of trust) of certificates. Organizations that use CAs can rely on intermediate CAs with confidence, since the TrustChain lets them trace any certificate back to the root CA. The TrustChain also limits the root CA's exposure, which is paramount from a security perspective: the root key can stay offline and be used only to sign intermediates, and a compromised intermediate can be revoked without replacing the root. The organizations participating in a blockchain network can use different intermediate CAs, and may share a root CA or have different ones.
  • HLF offers an in-built CA called Fabric CA, which can act as the root CA of an HLF network or as an intermediate under an existing CA. It is a private CA for the Fabric network; its certificates are not trusted by browsers, so it cannot stand in for a public SSL/TLS CA. Organizations that already run a PKI, or that need publicly trusted certificates, can instead use their own or commercial public root and intermediate CAs for their HLF network. The capabilities of the HLF CA, also known as Fabric CA, are as follows:
    • It can keep its own registry of identities, or be configured to authenticate enrollment requests against an existing enterprise LDAP directory used as the user registry
    • At initialization it generates its own CA certificate (self-signed if it is a root, otherwise obtained from its parent CA); thereafter it issues, renews, and revokes enrollment certificates (ECerts) for member organizations, users, administrators, and nodes
  • A deployment can run one or more Fabric CAs: one root, whose X.509 certificate is self-signed, and the rest intermediates, each signed by the CA above it, so that standard PKI path validation leads from any enrollment certificate back to the root.
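The chain of trust and the transaction-signature check described above, as an added example built on Go's standard library rather than on Fabric CA's own code. It mints a self-signed root, an intermediate signed by the root, and an enrollment certificate for a peer signed by the intermediate, then shows what a recipient holding only the root's public key can and cannot verify. The organization name, the peer name `peer0.org1`, and the sample transaction are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three tiers from the text; only the leaf key is kept because only the leaf signs transactions.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template is an X.509 v3 template; CA templates get the basicConstraints CA flag and keyCertSign usage.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Org1"}, CommonName: cn}, // constructed names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue generates a P-256 key (Fabric's default curve) for tmpl and has issuerKey sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // a root is its own issuer: that is what makes it a root
		parent, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey))
	cert := must(x509.ParseCertificate(der))
	return cert, key
}

// BuildChain mints a fresh root -> intermediate -> enrollment certificate hierarchy.
func BuildChain() Chain {
	root, rootKey := issue(template("Org1 Root CA", true, 1), nil, nil)
	inter, interKey := issue(template("Org1 Intermediate CA", true, 2), root, rootKey)
	leaf, leafKey := issue(template("peer0.org1", false, 3), inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}
}

// VerifyChain is the recipient's check: trusting only the root, walk the leaf's signatures back to it
// through the supplied intermediates. No private key is involved; certificates carry none.
func VerifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// SignTx is the sender's side: sign the SHA-256 digest of the transaction with the key behind the enrollment cert.
func SignTx(key *ecdsa.PrivateKey, tx []byte) []byte {
	digest := sha256.Sum256(tx)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// VerifyTx is the recipient's side: check the signature with the public key carried in the sender's certificate.
func VerifyTx(sender *x509.Certificate, tx, sig []byte) error {
	return sender.CheckSignature(x509.ECDSAWithSHA256, tx, sig)
}

func main() {
	org1 := BuildChain()
	tx := []byte("constructed sample: transfer 10 from A to B") // constructed input
	sig := SignTx(org1.LeafKey, tx)
	fmt.Println("full chain:", VerifyChain(org1.Leaf, org1.Root, org1.Intermediate))
	fmt.Println("missing intermediate:", VerifyChain(org1.Leaf, org1.Root))
	fmt.Println("leaf from an untrusted CA:", VerifyChain(BuildChain().Leaf, org1.Root, org1.Intermediate))
	fmt.Println("tampered tx:", VerifyTx(org1.Leaf, append(tx, '!'), sig))
}
```

Two of the failure cases matter in practice: verification fails when the recipient is not given the intermediate certificate (in Fabric this is why an MSP ships its intermediate certificates alongside the root certificates), and a certificate from a second, independently generated hierarchy is rejected even though its subject and issuer names are identical, because the root's public key does not verify the signature.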