-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cfssl to generating certificates #1001
Merged
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -90,6 +90,19 @@ function checkPrereqs() { | |
| fi | ||
| done | ||
|
|
||
| ## check for cfssl binaries | ||
| if [ "$CRYPTO" == "cfssl" ]; then | ||
|
|
||
| cfssl version > /dev/null 2>&1 | ||
| if [[ $? -ne 0 ]]; then | ||
| errorln "cfssl binary not found.." | ||
| errorln | ||
| errorln "Follow the instructions to install the cfssl and cfssljson binaries:" | ||
| errorln "https://github.com/cloudflare/cfssl#installation" | ||
| exit 1 | ||
| fi | ||
| fi | ||
|
|
||
| ## Check for fabric-ca | ||
| if [ "$CRYPTO" == "Certificate Authorities" ]; then | ||
|
|
||
|
|
@@ -182,6 +195,26 @@ function createOrgs() { | |
|
|
||
| fi | ||
|
|
||
| # Create crypto material using cfssl | ||
| if [ "$CRYPTO" == "cfssl" ]; then | ||
|
|
||
| . organizations/cfssl/registerEnroll.sh | ||
| #function_name cert-type CN org | ||
| peer_cert peer peer0.org1.example.com org1 | ||
| peer_cert admin [email protected] org1 | ||
|
|
||
| infoln "Creating Org2 Identities" | ||
| #function_name cert-type CN org | ||
| peer_cert peer peer0.org2.example.com org2 | ||
| peer_cert admin [email protected] org2 | ||
|
|
||
| infoln "Creating Orderer Org Identities" | ||
| #function_name cert-type CN | ||
| orderer_cert orderer orderer.example.com | ||
| orderer_cert admin [email protected] | ||
|
|
||
| fi | ||
|
|
||
| # Create crypto material using Fabric CA | ||
| if [ "$CRYPTO" == "Certificate Authorities" ]; then | ||
| infoln "Generating certificates using Fabric CA" | ||
|
|
@@ -452,6 +485,9 @@ while [[ $# -ge 1 ]] ; do | |
| -ca ) | ||
| CRYPTO="Certificate Authorities" | ||
| ;; | ||
| -cfssl ) | ||
| CRYPTO="cfssl" | ||
| ;; | ||
| -r ) | ||
| MAX_RETRY="$2" | ||
| shift | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| { | ||
| "CN": "{USER}", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "admin" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "{USER}", | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| { | ||
| "CN": "cfssl-orderer-ca", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "client" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| { | ||
| "CN": "cfssl-peer-ca", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "Fabric" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| { | ||
| "signing": { | ||
| "default": { | ||
| "expiry": "175200h" | ||
| }, | ||
| "profiles": { | ||
| "sign": { | ||
| "usages": [ | ||
| "signing", | ||
| "key encipherment", | ||
| "cert sign", | ||
| "digital signature" | ||
| ], | ||
| "expiry": "175200h" | ||
| }, | ||
| "tls": { | ||
| "usages": [ | ||
| "signing", | ||
| "key encipherment", | ||
| "server auth", | ||
| "client auth" | ||
| ], | ||
| "expiry": "175200h" | ||
| } | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| { | ||
| "CN": "{USER}", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "client" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "{USER}", | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } |
22 changes: 22 additions & 0 deletions
22
test-network/organizations/cfssl/orderer-csr-template.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| { | ||
| "CN": "{USER}", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "orderer" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "{USER}", | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| { | ||
| "CN": "{USER}", | ||
| "key": { | ||
| "algo": "ecdsa", | ||
| "size": 256 | ||
| }, | ||
| "names": [ | ||
| { | ||
| "C": "IN", | ||
| "ST": "Delhi", | ||
| "L": "Aero city", | ||
| "O": "cfssl", | ||
| "OU": "peer" | ||
| } | ||
| ], | ||
| "hosts": [ | ||
| "{USER}", | ||
| "localhost", | ||
| "127.0.0.1", | ||
| "0.0.0.0" | ||
| ] | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just realized that you generate a single certificate and use it for both the MSP enrollment cert (e.g. role 'admin' above) and the TLS cert (hosts defined for tls cert SAN here).
While this will technically work, it is not a good practice, production environments should have separate certs for msp and tls. And while the samples here are not expected to be used in production environments, the samples are intended to be an educational resource and there is a lot of confusion about proper use of certificates.
I'd suggest to split the certificates to make their usage more clear - have one msp enrollment cert with the OU role defined, and a seprate tls cert with the hosts SAN entries.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Certs will be different as we are generating MSP and TLS certs with different profiles, we have two profiles (sign and tls) that governs if the certificates are for signing or TLS purpose.