Bootstrapping Fabric CA

Fabric CA can be configured with an LDAP server or run in standalone mode. In standalone mode it must be configured with a bootstrap identity, which is stored in Fabric CA's backend database. By default a SQLite database is used, but for production use a PostgreSQL or MySQL database can be configured. When a standalone database server is used, the connection between the Fabric CA server and its database is typically over TLS.

For the rest of the chapter, we will refer to the bootstrap identity used when running without an LDAP server as the ca-admin. When bootstrapping Fabric CA without an LDAP server, the ca-admin name and its password must be supplied.

In order for the ca-admin to interact with the server, it must submit a certificate signing request (CSR) to the Fabric CA server to obtain an X.509 certificate. This process is called enrolling an identity, or simply enroll. With an X.509 certificate in its possession, the ca-admin can then add other users, which we will explain next.

Keep the password of the admin user in a safe and secure place, since this is the root user of your organization. Treat it as securely as you would treat the password of the Linux root user. Use it to create a new user with appropriate permissions, but never use this user for any other operation, except in the case of a security breach, where this user can be used to revoke the certificates of all enrolled entities.

Fabric CA provides two key operations, namely register and enroll. We will explain these operations next.
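The procedure described above, bootstrapping a standalone server, enrolling the ca-admin once, delegating to a day-to-day registrar and reserving the ca-admin for revocation, as a set of shell functions. This is an added example and not code from the book or from the Fabric CA project; it assumes the `fabric-ca-server` and `fabric-ca-client` binaries are installed, that a TLS-enabled PostgreSQL instance is reachable at `$PGHOST` and accepts the client certificate under `$CA_HOME`, and that the bootstrap password arrives in the `CA_ADMIN_PW` environment variable. The host name, file names and the `org-admin` identity are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the book: bootstrap a standalone Fabric CA and
# use the bootstrap identity (ca-admin) only to enroll and to register a
# delegate registrar. Assumes fabric-ca-server/fabric-ca-client on PATH,
# a TLS-enabled PostgreSQL at $PGHOST that accepts the client certificate
# in $CA_HOME/db-client-*.pem, and the bootstrap password in CA_ADMIN_PW.
# Host and file names are constructed placeholders.
set -u

CA_HOME="${CA_HOME:-$PWD/ca-server}"
CLIENT_HOME="${CLIENT_HOME:-$PWD/ca-client}"
CA_ADMIN="${CA_ADMIN:-ca-admin}"
PGHOST="${PGHOST:-db.example.internal}"

# Write the bootstrap-relevant part of fabric-ca-server-config.yaml:
# TLS on the client-facing listener and a PostgreSQL connection that
# verifies the database server certificate and authenticates with a
# client certificate, so no database password sits in the file.
# Prints the path of the file it wrote.
write_server_config() {
    dir="$1"; pghost="$2"
    mkdir -p "$dir"
    cat > "$dir/fabric-ca-server-config.yaml" <<EOF
port: 7054
tls:
  enabled: true
registry:
  maxenrollments: -1
db:
  type: postgres
  datasource: host=$pghost port=5432 user=fabric_ca dbname=fabric_ca sslmode=verify-full
  tls:
    enabled: true
    certfiles:
      - $dir/db-ca-cert.pem
    client:
      certfile: $dir/db-client-cert.pem
      keyfile: $dir/db-client-key.pem
EOF
    echo "$dir/fabric-ca-server-config.yaml"
}

# Start the server. On first start the -b identity is created in the
# database with the full set of hf.* registrar attributes.
start_server() {
    : "${CA_ADMIN_PW:?set CA_ADMIN_PW to the bootstrap password}"
    cfg=$(write_server_config "$CA_HOME" "$PGHOST")
    FABRIC_CA_SERVER_HOME="$CA_HOME" fabric-ca-server start \
        -b "$CA_ADMIN:$CA_ADMIN_PW" --config "$cfg"
}

# Enroll: the client generates its key pair locally, sends a CSR for the
# enrollment ID and stores the returned X.509 certificate under its home.
# The private key never leaves the client.
enroll() {
    id="$1"; secret="$2"
    FABRIC_CA_CLIENT_HOME="$CLIENT_HOME/$id" fabric-ca-client enroll \
        -u "https://$id:$secret@localhost:7054" \
        --tls.certfiles "$CA_HOME/ca-cert.pem"
}

# Register, as ca-admin, a day-to-day registrar limited to ordinary
# identity types. The secret the server prints is what that identity
# enrolls with; no affiliation is given, so it inherits ca-admin's.
register_delegate_admin() {
    name="$1"
    FABRIC_CA_CLIENT_HOME="$CLIENT_HOME/$CA_ADMIN" fabric-ca-client register \
        --id.name "$name" --id.type client \
        --id.attrs '"hf.Registrar.Roles=client,user,peer",hf.Revoker=true' \
        --tls.certfiles "$CA_HOME/ca-cert.pem"
}

# Breach response, the one other task ca-admin is reserved for: revoke
# every certificate of an identity and regenerate the CRL.
revoke_identity() {
    id="$1"
    FABRIC_CA_CLIENT_HOME="$CLIENT_HOME/$CA_ADMIN" fabric-ca-client revoke \
        -e "$id" -r keycompromise --gencrl \
        --tls.certfiles "$CA_HOME/ca-cert.pem"
}

# Full bootstrap: server in the background, enroll ca-admin once,
# delegate, then ca-admin is put away.
bootstrap() {
    : "${CA_ADMIN_PW:?set CA_ADMIN_PW to the bootstrap password}"
    start_server &
    sleep 3
    enroll "$CA_ADMIN" "$CA_ADMIN_PW"
    register_delegate_admin org-admin
}

if [ "${1:-}" = "--bootstrap" ]; then bootstrap; fi
```

Run with `CA_ADMIN_PW=... sh bootstrap-ca.sh --bootstrap`; in practice `fabric-ca-server start` belongs under a service manager rather than a backgrounded shell job. The point of the split into functions is that `register_delegate_admin` and `revoke_identity` are the only two operations that ever use the ca-admin's enrollment material, which matches the advice above to reserve that identity for delegation and breach response.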
