What exactly is the difference between enrolling and registering a certificate in Hyperledger Fabric CA? I am new to cryptography and I am really confused about the working of Fabric CA. Also, how are certificates generated via cryptogen different from certificates generated via Fabric CA?
4 Answers
So, from what I understand, when you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.
The certificates that the cryptogen tool generates are not any different from the ones generated by the Fabric CA; the cryptogen tool is there for convenience in development. It should not be used in a live / production environment. Under the hood the cryptogen tool actually spins up a Fabric CA server locally.
Here is a link to the latest documentation for Fabric CA:
"Registration" is done by the CA admin. A username and password are assigned to an identity, along with attributes (will the identity be an admin or a node, for example?). This registration places the username and password, along with the other relevant information about the identity, in the database of the CA. No certificates have been generated at this point. The identity has simply been registered.
"Enrollment" is the process where certificates are created and given to the user of the identity. The username and password are given to this user out of band, and they use the name and password as part of a fabric-ca-client call to the CA. The public and private keys --- encoded with the relevant attributes registered with the CA --- are then generated.
The reason for the separation between registration and enrollment is to ensure that only the user of an identity receives their private key.
The certificates created by a CA are identical to those created by cryptogen --- an x.509 certificate is an x.509 certificate --- but cryptogen is a tool for quickly creating certs in a test environment, not a true method for creating certificates for anything resembling production.
Registering an identity means adding its details to the Fabric CA.
Enrolling is the process in which a registered identity connects to the CA and sends a Certificate Signing Request (CSR) to it. The CA checks whether the identity is registered and performs some other validations; if the checks are successful, it returns a signed certificate to the identity. Since the certificate is signed by a CA trusted by the blockchain network, the identity now has the means to interact with the network using this certificate.
So, to make an identity able to interact with the network, it must pass two steps in this particular sequence:
- Be registered on CA
- Be enrolled
The admin is pre-registered in the CA when it is started with:
fabric-ca-server start -b admin:adminpw
The details are here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html
You can also refer to the source.
- To clarify, you enroll first with a CSR. Then register. To quote from the Users Guide: "Registering a new identity The identity performing the register request must be currently enrolled . . ." – Dan Anderson Apr 25 '19 at 15:56
- Hi Dan! You misunderstood this part. In order for an identity to be enrolled with CSR it must be already registered! But to register an identity you must have permissions to do so i.e. your admin identity should be enrolled. From your quote "The identity performing the register " this is not the identity that is being registered, but rather the identity on behalf of which you register the other identity. – Ivan Apr 26 '19 at 07:46
- This answer is wrong now, I don't know if it's because the Fabric mechanism has changed since 2019. You must enroll and then register a user now. – Alessandro Baffa Jul 14 '21 at 07:50
- @AlessandroBaffa could you please elaborate more on this? What would be the steps and commands to be executed as of 2021? – Ricardo Passos Aug 05 '22 at 13:18
- No idea now, my answer is from a year ago. – Alessandro Baffa Aug 06 '22 at 02:03
The concept of first registering (saving the username, password and other attributes in the CA's DB) and then letting the registered identity enroll to get certificates is the same in the latest version of Fabric CA as it was previously. Refer to the latest link: https://hyperledger-fabric.readthedocs.io/en/latest/deployment_guide_overview.html#step-four-use-the-ca-to-create-identities-and-msps
"Register and enroll an admin identity and create an MSP. After the CA that will be associated with an organization has been created, it can be used to first register a user and then enroll an identity (producing the certificate pair used by all entities on the network). In the first step, a username and password for the identity is assigned by the admin of the CA."
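As an added illustration of the register-then-enroll split described in the answers above (this is not code from the question, the answers, or the Hyperledger Fabric project), here is a toy CA in Go that models both steps with the standard library's crypto/x509 package. Every name in it (`toyCA`, `registration`, `newToyCA`, `Register`, `Enroll`, `enrollClient`) is a constructed stand-in for fabric-ca-server and fabric-ca-client; only the x509 calls are real. It encodes the ordering the comment thread argues about: the bootstrap admin (mirroring `-b admin:adminpw`) must enroll before it can register anyone, and an identity must be registered before it can enroll.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// registration is the row stored at "register" time; no key material exists yet.
type registration struct {
	secret, idType string
	enrolled       bool
}

// toyCA is a constructed stand-in for fabric-ca-server, not Fabric's own code.
type toyCA struct {
	key      *ecdsa.PrivateKey
	cert     *x509.Certificate
	registry map[string]*registration // keyed by enrollment ID
}

// newToyCA starts the CA with a bootstrap admin, like `-b admin:adminpw`.
func newToyCA(bootName, bootSecret string) (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, root, root, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca := &toyCA{key: key, registry: map[string]*registration{}}
	ca.registry[bootName] = &registration{secret: bootSecret, idType: "admin"}
	ca.cert, err = x509.ParseCertificate(der)
	return ca, err
}

// Register is the admin step: a row goes into the CA database and nothing is
// signed. The registrar must itself already be an enrolled admin.
func (ca *toyCA) Register(registrar, name, secret, idType string) error {
	if r := ca.registry[registrar]; r == nil || !r.enrolled || r.idType != "admin" {
		return errors.New("registrar is not an enrolled admin")
	}
	ca.registry[name] = &registration{secret: secret, idType: idType}
	return nil
}

// Enroll is the user step. The CA gets name, secret and a CSR, never the private
// key; it checks the registry row and the CSR's self-signature (proof of possession),
// then issues a cert whose subject comes from the row, registered type in the OU.
func (ca *toyCA) Enroll(name, secret string, csrDER []byte) (*x509.Certificate, error) {
	reg := ca.registry[name]
	if reg == nil || reg.secret != secret {
		return nil, errors.New("authentication failure: not registered or bad secret")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name, OrganizationalUnit: []string{reg.idType}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	reg.enrolled = true
	return x509.ParseCertificate(der)
}

// enrollClient models `fabric-ca-client enroll`: the key pair is generated client-side and only the CSR travels to the CA.
func enrollClient(ca *toyCA, name, secret string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Enroll(name, secret, csr)
	return key, cert, err
}
```

The private key is created inside `enrollClient` and never handed to the CA, which is exactly why the two steps are separate: the admin can hand out a name and secret without ever being able to produce the user's key. The network-side trust decision (what a peer's MSP does with the returned certificate) is an ordinary chain check against the CA root, i.e. `cert.Verify` with a pool containing only `ca.cert`.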