Crypto-config Demystified
If you have ever used Hyperledger Fabric, you will know about the crypto-config folder. It contains the certificates and keys used to identify peers and orderers, sign data and establish consensus.
This article explains how the different keys and certs under crypto-config are related, and why these files are generated in the first place.
NOTE: All the key pairs under crypto-config are ECDSA, and the certificates are X.509 in PEM encoding.
OrdererOrganisation structure
Below, each certificate gets a number (n) where it is first introduced, and later references to that same certificate use (n).
├── ordererOrganizations
│   └── example.com                    # Orderer's domain
│       ├── ca (1)                     # ca.example.com self-signed certificate and its private key
│       ├── msp                        # Org-level MSP: certs for ca, tlsca and admins
│       │   ├── admincerts             # Contains (3)
│       │   ├── cacerts                # Contains (1)
│       │   └── tlscacerts             # Contains (2)
│       ├── orderers
│       │   ├── orderer.example.com
│       │   │   ├── msp
│       │   │   │   ├── admincerts     # Contains (3)
│       │   │   │   ├── cacerts        # Contains (1)
│       │   │   │   ├── keystore       # Private key for orderer.example.com, i.e. the key behind certificate (4)
│       │   │   │   ├── signcerts (4)  # Certificate for orderer.example.com signed by (1); used for digital signatures
│       │   │   │   └── tlscacerts     # Contains (2)
│       │   │   └── tls                # (2) as ca.crt, the TLS private key as server.key, and a certificate for orderer.example.com signed by (2) as server.crt
│       ├── tlsca (2)                  # tlsca.example.com self-signed certificate and its private key; it signs the TLS certs of all users and orderers of example.com
│       └── users
│           └── [email protected]
│               ├── msp
│               │   ├── admincerts     # Contains (3)
│               │   ├── cacerts        # Contains (1)
│               │   ├── keystore       # Private key for [email protected], i.e. the key behind certificate (3)
│               │   ├── signcerts (3)  # Certificate for [email protected] signed by (1); used for digital signatures
│               │   └── tlscacerts     # Contains (2)
│               └── tls                # (2) as ca.crt, the TLS private key as client.key, and a certificate for [email protected] signed by (2) as client.crt
PeerOrganisation structure
The structure is similar to the OrdererOrganisation structure. As above, each certificate gets a number (n) where it is first introduced, and later references to it use (n).
├── peerOrganizations
│   └── org1.example.com               # Peer's domain
│       ├── ca (1)                     # ca.org1.example.com self-signed certificate and its private key
│       ├── msp                        # Org-level MSP: certs for ca, tlsca and admins
│       │   ├── admincerts             # Contains (3)
│       │   ├── cacerts                # Contains (1)
│       │   └── tlscacerts             # Contains (2)
│       ├── peers
│       │   ├── peer0.org1.example.com
│       │   │   ├── msp
│       │   │   │   ├── admincerts     # Contains (3)
│       │   │   │   ├── cacerts        # Contains (1)
│       │   │   │   ├── keystore       # Private key for peer0.org1.example.com, i.e. the key behind certificate (4)
│       │   │   │   ├── signcerts (4)  # Certificate for peer0.org1.example.com signed by (1); used for digital signatures
│       │   │   │   └── tlscacerts     # Contains (2)
│       │   │   └── tls                # (2) as ca.crt, the TLS private key as server.key, and a certificate for peer0.org1.example.com signed by (2) as server.crt
│       ├── tlsca (2)                  # tlsca.example.com self-signed certificate and its private key; it signs the TLS certs of all users and peers of org1.example.com
│       └── users
│           └── [email protected]
│               ├── msp
│               │   ├── admincerts     # Contains (3)
│               │   ├── cacerts        # Contains (1)
│               │   ├── keystore       # Private key for [email protected], i.e. the key behind certificate (3)
│               │   ├── signcerts (3)  # Certificate for [email protected] signed by (1); used for digital signatures
│               │   └── tlscacerts     # Contains (2)
│               └── tls                # (2) as ca.crt, the TLS private key as client.key, and a certificate for [email protected] signed by (2) as client.crt
Tool to investigate crypto-config
Probably the best tool to investigate crypto-config is openssl. To dump a certificate's subject, issuer, public key and extensions:
openssl x509 -in <certificate-path> -text -noout
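The relations described in both trees above (signcerts signed by ca (1), tls/server.crt signed by tlsca (2), each keystore key belonging to its signcerts certificate) can be checked mechanically with openssl. The script below is an added example, not part of the article and not cryptogen output: it builds a small, constructed crypto-config layout for one peer with openssl (the CNs and file names are assumptions that mirror the tree above), then verifies each relation, including the negative case that a signing cert does not chain to the TLS CA.

```shell
#!/bin/sh
# Added example (not from the article, not cryptogen output): build a
# constructed, miniature crypto-config for one peer org with openssl, then
# check the relations the article describes:
#   msp/signcerts cert is signed by ca (1), tls/server.crt is signed by
#   tlsca (2), and each private key matches its certificate's public key.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
ORG="$ROOT/peerOrganizations/org1.example.com"   # directory names follow the article
PEER="$ORG/peers/peer0.org1.example.com"

# new_ca DIR CN: ECDSA P-256 key + self-signed CA certificate, like (1) and (2).
new_ca() {
  mkdir -p "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/priv_sk"
  openssl req -new -x509 -key "$1/priv_sk" -subj "/CN=$2" -days 365 \
    -out "$1/$2-cert.pem" 2>/dev/null
}

# issue CADIR CACN CN KEYOUT CERTOUT: ECDSA key + certificate signed by that CA.
issue() {
  mkdir -p "$(dirname "$4")" "$(dirname "$5")"
  openssl ecparam -name prime256v1 -genkey -noout -out "$4"
  openssl req -new -key "$4" -subj "/CN=$3" -out "$ROOT/req.csr" 2>/dev/null
  openssl x509 -req -in "$ROOT/req.csr" -CA "$1/$2-cert.pem" -CAkey "$1/priv_sk" \
    -CAcreateserial -days 365 -out "$5" 2>/dev/null
}

# chain_ok CERT CAFILE: succeeds only if CERT chains to the CA in CAFILE.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# key_matches CERT KEY: succeeds only if KEY's public half equals CERT's public key.
key_matches() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build the layout. The CNs are constructed; cryptogen's own naming may differ.
new_ca "$ORG/ca"    ca.org1.example.com
new_ca "$ORG/tlsca" tlsca.org1.example.com
issue "$ORG/ca"    ca.org1.example.com    peer0.org1.example.com \
  "$PEER/msp/keystore/priv_sk" "$PEER/msp/signcerts/peer0.org1.example.com-cert.pem"
issue "$ORG/tlsca" tlsca.org1.example.com peer0.org1.example.com \
  "$PEER/tls/server.key" "$PEER/tls/server.crt"
mkdir -p "$PEER/msp/cacerts" "$PEER/msp/tlscacerts" "$PEER/tls"
cp "$ORG/ca/ca.org1.example.com-cert.pem"       "$PEER/msp/cacerts/"
cp "$ORG/tlsca/tlsca.org1.example.com-cert.pem" "$PEER/msp/tlscacerts/"
cp "$ORG/tlsca/tlsca.org1.example.com-cert.pem" "$PEER/tls/ca.crt"

CACERT="$PEER/msp/cacerts/ca.org1.example.com-cert.pem"
TLSCACERT="$PEER/tls/ca.crt"
SIGNCERT="$PEER/msp/signcerts/peer0.org1.example.com-cert.pem"
KEYSTORE="$PEER/msp/keystore/priv_sk"
TLSCERT="$PEER/tls/server.crt"
TLSKEY="$PEER/tls/server.key"

# report LABEL CMD...: print ok/FAIL for one relation check without aborting.
report() { label=$1; shift; if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fi; }

report "signcerts signed by ca (1)"            chain_ok "$SIGNCERT" "$CACERT"
report "tls/server.crt signed by tlsca (2)"    chain_ok "$TLSCERT" "$TLSCACERT"
report "keystore key matches signcerts"        key_matches "$SIGNCERT" "$KEYSTORE"
report "server.key matches server.crt"         key_matches "$TLSCERT" "$TLSKEY"
# Expected to FAIL: the signing CA and the TLS CA are separate trust roots.
report "signcerts under tlsca (expected FAIL)" chain_ok "$SIGNCERT" "$TLSCACERT"
openssl x509 -in "$SIGNCERT" -noout -subject -issuer   # the article's inspection command, abbreviated
```

Run it against a real crypto-config by pointing CACERT, TLSCACERT, SIGNCERT, KEYSTORE, TLSCERT and TLSKEY at the generated files and skipping the build step; chain_ok and key_matches work unchanged. The last check is the one worth remembering when debugging MSP errors: a certificate from the signing CA is never valid under tlscacerts, and vice versa, because (1) and (2) are independent roots.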