The register operation adds a new entity specified by an identifier to Fabric CA. The register operation does not create a X.509 certificate for the user; that happens in the enroll operation. It is up to the administrator of the Fabric CA to define the policies and procedures for adding new users to the network.
There are some important points to consider while registering the users:
- If a policy is to register an email address then, upon subsequent enrollment, the user's email address will be encoded in the certificate. In Hyperledger Fabric, the certificate of the user issuing the transaction is stored in the ledger along with the committed transaction. Anyone can decode the certificate and determine the email address.
Carefully determine how new entities will be registered within a Fabric CA, as their digital certificates will end up in the ledger when these entities issue transactions.
- Another important point to consider is how many enrollments are allowed for that user. Each enrollment results in a new certificate being issued to the user. In Hyperledger Fabric, a new user being registered can be enrolled a finite number of times, or can have unlimited enrollments. Typically, a new entity being enrolled should not be configured with unlimited number of enrollments.
It is best to set the maximum number of enrollments to 1 for a new user. This setting ensures that there is 1-1 correspondence between an entity and its digital certificate, thus making management of entity revocation easier.
- With Hyperledger Fabric 1.1, it is now possible to define attributes for entities at the time of their registration. These attributes are then encoded in the X.509 certificate of an entity.
When used in standalone mode, upon successful registration, Fabric CA will create a unique password (if not supplied during registration). The ca-admin can then pass this password to the entity being registered, which will then use it to create a CSR and obtain a certificate through the enroll operation.