Last active
November 21, 2021 10:53
-
-
Save susimsek/97dfb5156d7ab73c60ab6b0d6d348959 to your computer and use it in GitHub Desktop.
Fabric CA Server Org1 Configuration File
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################# | |
| # This is a configuration file for the fabric-ca-server command. | |
| # | |
| # COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES | |
| # ------------------------------------------------ | |
| # Each configuration element can be overridden via command line | |
| # arguments or environment variables. The precedence for determining | |
| # the value of each element is as follows: | |
| # 1) command line argument | |
| # Examples: | |
| # a) --port 443 | |
| # To set the listening port | |
| # b) --ca.keyfile ../mykey.pem | |
| # To set the "keyfile" element in the "ca" section below; | |
| # note the '.' separator character. | |
| # 2) environment variable | |
| # Examples: | |
| # a) FABRIC_CA_SERVER_PORT=443 | |
| # To set the listening port | |
| # b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" | |
| # To set the "keyfile" element in the "ca" section below; | |
| # note the '_' separator character. | |
| # 3) configuration file | |
| # 4) default value (if there is one) | |
| # All default values are shown beside each element below. | |
| # | |
| # FILE NAME ELEMENTS | |
| # ------------------ | |
| # The value of all fields whose name ends with "file" or "files" are | |
| # name or names of other files. | |
| # For example, see "tls.certfile" and "tls.clientauth.certfiles". | |
| # The value of each of these fields can be a simple filename, a | |
| # relative path, or an absolute path. If the value is not an | |
| # absolute path, it is interpretted as being relative to the location | |
| # of this configuration file. | |
| # | |
| ############################################################################# | |
| # Version of config file | |
| version: 1.2.0 | |
| # Server's listening port (default: 7054) | |
| port: 7054 | |
| # Enables debug logging (default: false) | |
| debug: false | |
| # Size limit of an acceptable CRL in bytes (default: 512000) | |
| crlsizelimit: 512000 | |
| ############################################################################# | |
| # TLS section for the server's listening port | |
| # | |
| # The following types are supported for client authentication: NoClientCert, | |
| # RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, | |
| # and RequireAndVerifyClientCert. | |
| # | |
| # Certfiles is a list of root certificate authorities that the server uses | |
| # when verifying client certificates. | |
| ############################################################################# | |
| tls: | |
| # Enable TLS (default: false) | |
| enabled: true | |
| # TLS for the server's listening port | |
| certfile: | |
| keyfile: | |
| clientauth: | |
| type: noclientcert | |
| certfiles: | |
| ############################################################################# | |
| # The CA section contains information related to the Certificate Authority | |
| # including the name of the CA, which should be unique for all members | |
| # of a blockchain network. It also includes the key and certificate files | |
| # used when issuing enrollment certificates (ECerts) and transaction | |
| # certificates (TCerts). | |
| # The chainfile (if it exists) contains the certificate chain which | |
| # should be trusted for this CA, where the 1st in the chain is always the | |
| # root CA certificate. | |
| ############################################################################# | |
| ca: | |
| # Name of this CA | |
| name: Org1CA | |
| # Key file (is only used to import a private key into BCCSP) | |
| keyfile: | |
| # Certificate file (default: ca-cert.pem) | |
| certfile: | |
| # Chain file | |
| chainfile: | |
| ############################################################################# | |
| # The gencrl REST endpoint is used to generate a CRL that contains revoked | |
| # certificates. This section contains configuration options that are used | |
| # during gencrl request processing. | |
| ############################################################################# | |
| crl: | |
| # Specifies expiration for the generated CRL. The number of hours | |
| # specified by this property is added to the UTC time, the resulting time | |
| # is used to set the 'Next Update' date of the CRL. | |
| expiry: 24h | |
| ############################################################################# | |
| # The registry section controls how the fabric-ca-server does two things: | |
| # 1) authenticates enrollment requests which contain a username and password | |
| # (also known as an enrollment ID and secret). | |
| # 2) once authenticated, retrieves the identity's attribute names and | |
| # values which the fabric-ca-server optionally puts into TCerts | |
| # which it issues for transacting on the Hyperledger Fabric blockchain. | |
| # These attributes are useful for making access control decisions in | |
| # chaincode. | |
| # There are two main configuration options: | |
| # 1) The fabric-ca-server is the registry. | |
| # This is true if "ldap.enabled" in the ldap section below is false. | |
| # 2) An LDAP server is the registry, in which case the fabric-ca-server | |
| # calls the LDAP server to perform these tasks. | |
| # This is true if "ldap.enabled" in the ldap section below is true, | |
| # which means this "registry" section is ignored. | |
| ############################################################################# | |
| registry: | |
| # Maximum number of times a password/secret can be reused for enrollment | |
| # (default: -1, which means there is no limit) | |
| maxenrollments: -1 | |
| # Contains identity information which is used when LDAP is disabled | |
| identities: | |
| - name: admin | |
| pass: adminpw | |
| type: client | |
| affiliation: "" | |
| attrs: | |
| hf.Registrar.Roles: "*" | |
| hf.Registrar.DelegateRoles: "*" | |
| hf.Revoker: true | |
| hf.IntermediateCA: true | |
| hf.GenCRL: true | |
| hf.Registrar.Attributes: "*" | |
| hf.AffiliationMgr: true | |
| ############################################################################# | |
| # Database section | |
| # Supported types are: "sqlite3", "postgres", and "mysql". | |
| # The datasource value depends on the type. | |
| # If the type is "sqlite3", the datasource value is a file name to use | |
| # as the database store. Since "sqlite3" is an embedded database, it | |
| # may not be used if you want to run the fabric-ca-server in a cluster. | |
| # To run the fabric-ca-server in a cluster, you must choose "postgres" | |
| # or "mysql". | |
| ############################################################################# | |
| db: | |
| type: sqlite3 | |
| datasource: fabric-ca-server.db | |
| tls: | |
| enabled: false | |
| certfiles: | |
| client: | |
| certfile: | |
| keyfile: | |
| ############################################################################# | |
| # LDAP section | |
| # If LDAP is enabled, the fabric-ca-server calls LDAP to: | |
| # 1) authenticate enrollment ID and secret (i.e. username and password) | |
| # for enrollment requests; | |
| # 2) To retrieve identity attributes | |
| ############################################################################# | |
| ldap: | |
| # Enables or disables the LDAP client (default: false) | |
| # If this is set to true, the "registry" section is ignored. | |
| enabled: false | |
| # The URL of the LDAP server | |
| url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base> | |
| # TLS configuration for the client connection to the LDAP server | |
| tls: | |
| certfiles: | |
| client: | |
| certfile: | |
| keyfile: | |
| # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes | |
| attribute: | |
| # 'names' is an array of strings containing the LDAP attribute names which are | |
| # requested from the LDAP server for an LDAP identity's entry | |
| names: ['uid','member'] | |
| # The 'converters' section is used to convert an LDAP entry to the value of | |
| # a fabric CA attribute. | |
| # For example, the following converts an LDAP 'uid' attribute | |
| # whose value begins with 'revoker' to a fabric CA attribute | |
| # named "hf.Revoker" with a value of "true" (because the boolean expression | |
| # evaluates to true). | |
| # converters: | |
| # - name: hf.Revoker | |
| # value: attr("uid") =~ "revoker*" | |
| converters: | |
| - name: | |
| value: | |
| # The 'maps' section contains named maps which may be referenced by the 'map' | |
| # function in the 'converters' section to map LDAP responses to arbitrary values. | |
| # For example, assume a user has an LDAP attribute named 'member' which has multiple | |
| # values which are each a distinguished name (i.e. a DN). For simplicity, assume the | |
| # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. | |
| # Further assume the following configuration. | |
| # converters: | |
| # - name: hf.Registrar.Roles | |
| # value: map(attr("member"),"groups") | |
| # maps: | |
| # groups: | |
| # - name: dn1 | |
| # value: peer | |
| # - name: dn2 | |
| # value: client | |
| # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be | |
| # "peer,client,dn3". This is because the value of 'attr("member")' is | |
| # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of | |
| # "group" replaces "dn1" with "peer" and "dn2" with "client". | |
| maps: | |
| groups: | |
| - name: | |
| value: | |
| ############################################################################# | |
| # Affiliations section. Fabric CA server can be bootstrapped with the | |
| # affiliations specified in this section. Affiliations are specified as maps. | |
| # For example: | |
| # businessunit1: | |
| # department1: | |
| # - team1 | |
| # businessunit2: | |
| # - department2 | |
| # - department3 | |
| # | |
| # Affiliations are hierarchical in nature. In the above example, | |
| # department1 (used as businessunit1.department1) is the child of businessunit1. | |
| # team1 (used as businessunit1.department1.team1) is the child of department1. | |
| # department2 (used as businessunit2.department2) and department3 (businessunit2.department3) | |
| # are children of businessunit2. | |
| # Note: Affiliations are case sensitive except for the non-leaf affiliations | |
| # (like businessunit1, department1, businessunit2) that are specified in the configuration file, | |
| # which are always stored in lower case. | |
| ############################################################################# | |
| affiliations: | |
| org1: | |
| - department1 | |
| - department2 | |
| org2: | |
| - department1 | |
| org3: | |
| - department1 | |
| ############################################################################# | |
| # Signing section | |
| # | |
| # The "default" subsection is used to sign enrollment certificates; | |
| # the default expiration ("expiry" field) is "8760h", which is 1 year in hours. | |
| # | |
| # The "ca" profile subsection is used to sign intermediate CA certificates; | |
| # the default expiration ("expiry" field) is "43800h" which is 5 years in hours. | |
| # Note that "isca" is true, meaning that it issues a CA certificate. | |
| # A maxpathlen of 0 means that the intermediate CA cannot issue other | |
| # intermediate CA certificates, though it can still issue end entity certificates. | |
| # (See RFC 5280, section 4.2.1.9) | |
| # | |
| # The "tls" profile subsection is used to sign TLS certificate requests; | |
| # the default expiration ("expiry" field) is "8760h", which is 1 year in hours. | |
| ############################################################################# | |
| signing: | |
| default: | |
| usage: | |
| - digital signature | |
| expiry: 8760h | |
| profiles: | |
| ca: | |
| usage: | |
| - cert sign | |
| - crl sign | |
| expiry: 43800h | |
| caconstraint: | |
| isca: true | |
| maxpathlen: 0 | |
| tls: | |
| usage: | |
| - signing | |
| - key encipherment | |
| - server auth | |
| - client auth | |
| - key agreement | |
| expiry: 8760h | |
| ########################################################################### | |
| # Certificate Signing Request (CSR) section. | |
| # This controls the creation of the root CA certificate. | |
| # The expiration for the root CA certificate is configured with the | |
| # "ca.expiry" field below, whose default value is "131400h" which is | |
| # 15 years in hours. | |
| # The pathlength field is used to limit CA certificate hierarchy as described | |
| # in section 4.2.1.9 of RFC 5280. | |
| # Examples: | |
| # 1) No pathlength value means no limit is requested. | |
| # 2) pathlength == 1 means a limit of 1 is requested which is the default for | |
| # a root CA. This means the root CA can issue intermediate CA certificates, | |
| # but these intermediate CAs may not in turn issue other CA certificates | |
| # though they can still issue end entity certificates. | |
| # 3) pathlength == 0 means a limit of 0 is requested; | |
| # this is the default for an intermediate CA, which means it can not issue | |
| # CA certificates though it can still issue end entity certificates. | |
| ########################################################################### | |
| csr: | |
| cn: ca-org1 | |
| names: | |
| - C: US | |
| ST: "New York" | |
| L: "New York" | |
| O: ca-org1 | |
| OU: ca-org1 | |
| hosts: | |
| - localhost | |
| - example.com | |
| - ca-org1 | |
| ca: | |
| expiry: 131400h | |
| pathlength: 1 | |
| ############################################################################# | |
| # BCCSP (BlockChain Crypto Service Provider) section is used to select which | |
| # crypto library implementation to use | |
| ############################################################################# | |
| bccsp: | |
| default: SW | |
| sw: | |
| hash: SHA2 | |
| security: 256 | |
| filekeystore: | |
| # The directory used for the software file-based keystore | |
| keystore: msp/keystore | |
| ############################################################################# | |
| # Multi CA section | |
| # | |
| # Each Fabric CA server contains one CA by default. This section is used | |
| # to configure multiple CAs in a single server. | |
| # | |
| # 1) --cacount <number-of-CAs> | |
| # Automatically generate <number-of-CAs> non-default CAs. The names of these | |
| # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs> | |
| # This is particularly useful in a development environment to quickly set up | |
| # multiple CAs. Note that, this config option is not applicable to intermediate CA server | |
| # i.e., Fabric CA server that is started with intermediate.parentserver.url config | |
| # option (-u command line option) | |
| # | |
| # 2) --cafiles <CA-config-files> | |
| # For each CA config file in the list, generate a separate signing CA. Each CA | |
| # config file in this list MAY contain all of the same elements as are found in | |
| # the server config file except port, debug, and tls sections. | |
| # | |
| # Examples: | |
| # fabric-ca-server start -b admin:adminpw --cacount 2 | |
| # | |
| # fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml | |
| # --cafiles ca/ca2/fabric-ca-server-config.yaml | |
| # | |
| ############################################################################# | |
| cacount: | |
| cafiles: | |
| ############################################################################# | |
| # Intermediate CA section | |
| # | |
| # The relationship between servers and CAs is as follows: | |
| # 1) A single server process may contain or function as one or more CAs. | |
| # This is configured by the "Multi CA section" above. | |
| # 2) Each CA is either a root CA or an intermediate CA. | |
| # 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. | |
| # | |
| # This section pertains to configuration of #2 and #3. | |
| # If the "intermediate.parentserver.url" property is set, | |
| # then this is an intermediate CA with the specified parent | |
| # CA. | |
| # | |
| # parentserver section | |
| # url - The URL of the parent server | |
| # caname - Name of the CA to enroll within the server | |
| # | |
| # enrollment section used to enroll intermediate CA with parent CA | |
| # profile - Name of the signing profile to use in issuing the certificate | |
| # label - Label to use in HSM operations | |
| # | |
| # tls section for secure socket connection | |
| # certfiles - PEM-encoded list of trusted root certificate files | |
| # client: | |
| # certfile - PEM-encoded certificate file for when client authentication | |
| # is enabled on server | |
| # keyfile - PEM-encoded key file for when client authentication | |
| # is enabled on server | |
| ############################################################################# | |
| intermediate: | |
| parentserver: | |
| url: | |
| caname: | |
| enrollment: | |
| hosts: | |
| profile: | |
| label: | |
| tls: | |
| certfiles: | |
| client: | |
| certfile: | |
| keyfile: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment