
I am wondering if it is strongly discouraged to use fabric-ca without mutual TLS in production.

I am planning to operate a fabric network where a lot of peers, applications and users will be added automatically and the cryptogen tool will not be used.

Instead, a second fabric-ca will be used to issue TLS certificates. Those certificates will be used for client authentication with the MSP fabric-ca, the peers, etc.

The TLS fabric-ca does not perform client authentication because new users will have enrollmentID+secret but no client certificates.

I illustrated the registration process in this UML sequence diagram.

The "User" in the diagram is meant to represent peers, applications or users.

kashmesh

1 Answer


You can't require mutual / client TLS from the actual CA server that's supposed to issue the client TLS certificates unless you distribute the client certs out of band (which I assume you don't want to do). It's perfectly fine for the CA which is issuing TLS certificates NOT to require client / mutual TLS authentication.

Gari Singh
  • Gari, can you answer [this question](https://stackoverflow.com/questions/52263585/hyperledger-fabric-sdk-https-tls-cert-key) - if I use `https` in my CA url, it seems I am required to fill in the mutual TLS filepath section to avoid connection errors. – sean Sep 10 '18 at 18:49
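As an added illustration of the two-CA split the question describes and the answer endorses (not code from the question, the answer, or the Fabric project), here are the relevant `tls` sections of two `fabric-ca-server-config.yaml` files: the TLS CA runs server-only TLS so first-time users can enroll with just an enrollment ID and secret, while the MSP CA requires and verifies a client certificate against the TLS CA's root. File paths, ports, CA names and the bootstrap identity are assumptions.

```yaml
# file: tls-ca/fabric-ca-server-config.yaml  (assumed location)
# TLS CA: issues TLS certificates, so it cannot demand one on connect.
port: 7054
tls:
  enabled: true
  certfile: /etc/hyperledger/tls-ca/tls-server-cert.pem   # assumed path
  keyfile:  /etc/hyperledger/tls-ca/tls-server-key.pem    # assumed path
  clientauth:
    type: noclientcert          # server-side TLS only; no client cert asked for
ca:
  name: tls-ca
signing:
  profiles:
    tls:                        # clients enroll here with --enrollment.profile tls
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
registry:
  maxenrollments: 1             # each registered secret may enroll once
  identities:
    - name: tls-ca-admin
      pass: <bootstrap-secret>  # placeholder, set at first start
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Revoker: true
---
# file: msp-ca/fabric-ca-server-config.yaml  (assumed location)
# MSP CA: issues identity (enrollment) certificates; only reachable
# by clients that already hold a TLS-CA-issued client certificate.
port: 8054
tls:
  enabled: true
  certfile: /etc/hyperledger/msp-ca/tls-server-cert.pem   # itself issued by tls-ca
  keyfile:  /etc/hyperledger/msp-ca/tls-server-key.pem
  clientauth:
    type: requireandverifyclientcert   # handshake fails without a valid client cert
    certfiles:
      - /etc/hyperledger/tls-ca/ca-cert.pem   # TLS CA root: the only accepted issuer
ca:
  name: msp-ca
```

The client certificate only gates the TLS connection to the MSP CA; the enrollment request itself is still authenticated with the enrollment ID and secret, so a stolen TLS certificate alone does not yield an identity certificate.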