Wednesday, June 21, 2017

Fabric certificates

Each organization needs the following components:

1. ca
2. msp
3. orderers or peers
4. users

        The ca needs to have:
              1. private key
              2. certificate (self-signed; every other certificate below is verified against it)

        The msp (organization level) needs:
              1. admin certificate
              2. the CA certificate; the org-level msp holds no private key of its own, so its
                 "sign cert" is simply the CA certificate

        Each user needs: msp and tls
            for msp:
              1. keystore private key - need to generate
              2. sign certificate - CSR from that key, signed with the CA private key
            for tls:
              1. tls server.key - need to generate
              2. tls server.crt - CSR from that key, signed with the CA private key

        Each peer needs: msp and tls
            for msp:
              1. keystore private key - need to generate
              2. sign certificate - CSR from that key, signed with the CA private key
            for tls:
              1. tls server.key - need to generate
              2. tls server.crt - CSR from that key, signed with the CA private key

        Each orderer needs: msp and tls (exactly the same material as a peer)
            for msp:
              1. keystore private key - need to generate
              2. sign certificate - CSR from that key, signed with the CA private key
            for tls:
              1. tls server.key - need to generate
              2. tls server.crt - CSR from that key, signed with the CA private key

The process to create all the certificates
1. Create the CA private key and a self-signed CA certificate.
2. Create a private key as the admin user's keystore key, build a CSR from it, and sign the CSR
   with the CA private key to produce the admin certificate. (A certificate cannot sign anything;
   the CA's private key does the signing, and the CA certificate is what every MSP later uses to
   verify the result.)
3. For each orderer or peer, create a private key as the msp keystore key, build a CSR from it,
   and sign the CSR with the CA private key to produce the peer or orderer signing certificate.
4. Regardless of whether it is a user, peer or orderer, each one also needs TLS material: create a
   private key, build a CSR, and sign it with the CA private key to produce the TLS certificate
   (server.crt).

Fabric appears to expect private keys in PKCS#8 PEM form (-----BEGIN PRIVATE KEY-----), which is
what its own tooling writes, rather than the traditional SEC1 EC form (-----BEGIN EC PRIVATE KEY-----)
that openssl ecparam -genkey produces, so use the following command to convert:

openssl pkcs8 -topk8 -nocrypt -in tradfile.pem -out p8file.pem

Here is an example.

1. Generate a CA private key

  openssl ecparam -genkey -name prime256v1 -noout -out ca.key

2. Convert that key to pkcs8 format (optional for the CA itself, since openssl reads either form;
   the commands below use the converted ca.sk)

  openssl pkcs8 -topk8 -nocrypt -in ca.key -out ca.sk

3. Create the self-signed certificate for the CA

  openssl req -x509 -new -sha256 -nodes -key ca.sk -days 1000 \
     -out ca.crt -subj "/C=US/ST=NC/L=Cary/O=orga/CN=ca.orga"

4. Generate a private key for a server or user and convert it to pkcs8 format (this is the key
   that goes into the keystore, so here the conversion is the one that matters)

  openssl ecparam -genkey -name prime256v1 -noout -out server.key
  openssl pkcs8 -topk8 -nocrypt -in server.key -out server.sk

5. Create a certificate signing request (CSR); the CN is the host name of the peer

  openssl req -new -sha256 -key server.sk -nodes -out server.csr \
     -subj "/C=US/ST=NC/L=Cary/O=orga/CN=peer1.orga"

6. Once generated, you can view the full details of the CSR:

   openssl req -in server.csr -noout -text

7. Now sign the CSR with the CA private key (the CA certificate is passed too, so the issuer
   name and the chain come out right):

   openssl x509 -req -sha256 -days 1000 -in server.csr -CA ca.crt \
    -CAkey ca.sk -CAcreateserial -out server.crt

   Repeating steps 4-7 with a second key gives the TLS pair (server.key / server.crt). Note that
   openssl x509 -req copies no extensions from the CSR, so a subjectAltName for the host has to be
   supplied through -extfile; Fabric is written in Go, and current Go releases (1.15 and later) no
   longer fall back to the CN when verifying a TLS server certificate.
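The whole procedure driven end to end, as an added example that is not part of the original post. It goes a little beyond the steps above: it generates every key directly in PKCS#8 form, writes the results in the directory layout cryptogen produces (msp/cacerts, msp/keystore, msp/signcerts, msp/admincerts and tls/), gives the TLS certificate a subjectAltName through an extension file, and finishes by verifying every certificate against the CA. The organization name orga, the subject fields and the host peer1.orga are the post's; the output paths, the key file name priv_sk, the 1000-day validity and the extension profiles are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Directory layout, the priv_sk file name,
# validity period and extension profiles are assumptions; "orga"/"peer1.orga" come from the post.
set -eu

ORG=orga
SUBJ_BASE="/C=US/ST=NC/L=Cary/O=$ORG"

# Minimal openssl config: lets 'req' run without a system openssl.cnf and marks the CA as a CA.
write_cnf() {
    cat >"$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# gen_key FILE: P-256 key written straight in PKCS#8 form ("BEGIN PRIVATE KEY") by piping the
# SEC1 output of ecparam through pkcs8, i.e. the post's two commands as one step.
gen_key() {
    openssl ecparam -genkey -name prime256v1 -noout | openssl pkcs8 -topk8 -nocrypt -out "$1"
}

# make_csr KEY CN OUT
make_csr() {
    openssl req -new -sha256 -key "$1" -subj "$SUBJ_BASE/CN=$2" -config "$CNF" -out "$3"
}

# sign_cert CSR CERT PROFILE [HOST]: "id" = MSP signing cert, "tls" = TLS server cert.
# 'x509 -req' copies nothing from the CSR, so extensions (including the subjectAltName that
# Go's TLS verifier requires) are supplied through a small -extfile.
sign_cert() {
    ext="$2.ext"
    if [ "$3" = tls ]; then
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$ext"
        printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$4" >>"$ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' >"$ext"
    fi
    openssl x509 -req -sha256 -days 1000 -in "$1" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.sk" \
        -CAcreateserial -extfile "$ext" -out "$2"
    rm -f "$ext"
}

# make_org_crypto OUTDIR: CA, admin user and one peer (an orderer would be built like the peer)
make_org_crypto() {
    OUT=$1; CA_DIR="$OUT/ca"; CNF="$OUT/openssl.cnf"
    ADMIN="$OUT/users/Admin@$ORG"; PEER="$OUT/peers/peer1.$ORG"
    mkdir -p "$CA_DIR" "$PEER/tls"
    write_cnf "$CNF"

    # steps 1-3 of the post: CA key and self-signed CA certificate
    gen_key "$CA_DIR/ca.sk"
    openssl req -x509 -new -sha256 -key "$CA_DIR/ca.sk" -days 1000 \
        -subj "$SUBJ_BASE/CN=ca.$ORG" -config "$CNF" -out "$CA_DIR/ca.crt"

    # steps 4-7 for the admin identity and for the peer identity
    set -- "$ADMIN" "Admin@$ORG" "$PEER" "peer1.$ORG"
    while [ $# -gt 0 ]; do
        dir=$1; cn=$2; shift 2
        mkdir -p "$dir/msp/keystore" "$dir/msp/signcerts" "$dir/msp/cacerts" "$dir/msp/admincerts"
        gen_key "$dir/msp/keystore/priv_sk"
        make_csr "$dir/msp/keystore/priv_sk" "$cn" "$dir/id.csr"
        sign_cert "$dir/id.csr" "$dir/msp/signcerts/cert.pem" id
        rm -f "$dir/id.csr"
        cp "$CA_DIR/ca.crt" "$dir/msp/cacerts/ca.$ORG-cert.pem"
    done

    # steps 4-7 again for the peer's TLS pair, signed by the same CA as in the post
    gen_key "$PEER/tls/server.key"
    make_csr "$PEER/tls/server.key" "peer1.$ORG" "$PEER/tls.csr"
    sign_cert "$PEER/tls.csr" "$PEER/tls/server.crt" tls "peer1.$ORG"
    rm -f "$PEER/tls.csr"
    cp "$CA_DIR/ca.crt" "$PEER/tls/ca.crt"

    # both MSPs list the org admin so admin operations are recognised
    cp "$ADMIN/msp/signcerts/cert.pem" "$ADMIN/msp/admincerts/Admin@$ORG-cert.pem"
    cp "$ADMIN/msp/signcerts/cert.pem" "$PEER/msp/admincerts/Admin@$ORG-cert.pem"
}

# check_org_crypto OUTDIR: 0 when every key is PKCS#8, every certificate chains to the CA,
# and the TLS certificate names the host in a SAN rather than only in the CN
check_org_crypto() {
    OUT=$1
    for k in "$OUT"/users/*/msp/keystore/priv_sk "$OUT"/peers/*/msp/keystore/priv_sk \
             "$OUT"/peers/*/tls/server.key; do
        grep -q 'BEGIN PRIVATE KEY' "$k" || return 1    # SEC1 form would read "BEGIN EC PRIVATE KEY"
    done
    for c in "$OUT"/users/*/msp/signcerts/cert.pem "$OUT"/peers/*/msp/signcerts/cert.pem \
             "$OUT"/peers/*/tls/server.crt; do
        openssl verify -CAfile "$OUT/ca/ca.crt" "$c" >/dev/null || return 1
    done
    openssl x509 -in "$OUT/peers/peer1.$ORG/tls/server.crt" -noout -text | grep -q "DNS:peer1.$ORG"
}

# stand-alone run: sh make_org_crypto.sh [OUTDIR]   (default ./crypto-config)
OUTDIR=${1:-crypto-config}
make_org_crypto "$OUTDIR"
if check_org_crypto "$OUTDIR"; then
    echo "$OUTDIR: keys are PKCS#8 and all certificates verify against ca/ca.crt"
else
    echo "$OUTDIR: check failed" >&2; exit 1
fi
```

The script signs TLS certificates with the same CA as the MSP certificates, exactly as the post does; in a deployment the TLS CA is normally a separate key pair, and then tls/ca.crt and msp/tlscacerts would hold that CA instead. The checks at the end are the ones worth running on any hand-made crypto material before starting a peer: the keystore file must start with "BEGIN PRIVATE KEY", openssl verify must succeed against the CA certificate the MSP carries, and the TLS certificate must carry the host name as a SAN.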
