# Certificate Authority

## What is a Certificate Authority (CA)?

**Certificate Authorities (CAs)** issue the digital certificates that identify the participants (users and nodes) of a network and that those participants use to authorize their actions in it.

Because Hyperledger Fabric is a permissioned network, every actor in it needs an identity issued by an authorized entity, and digital certificates issued by a CA provide that identity. Each actor holds a private key with which it signs its transactions; the certificate binds the matching public key to the actor's identity, so that the rest of the network can verify those signatures.

A CA issues X.509 certificates to participants. See the [Hyperledger Fabric documentation](https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.html#certificate-authorities) for details.

For an identity to be verifiable, it must come from a trusted authority. In Hyperledger Fabric, a Membership Service Provider (MSP) is that trusted authority: it defines which root and intermediate CAs an organization or channel trusts, so that certificates issued by those CAs are recognized as valid identities.

## What are Root and Intermediate CAs?

**Root CAs** hold a self-signed root certificate. **Intermediate CAs** hold certificates issued by the root CA or by another intermediate CA, forming a chain of trust that ends at the root.

If an intermediate CA is compromised, only the identities issued by that CA (and by any CA beneath it) are affected; the rest of the chain stays intact. If the root CA is compromised, all network identities are compromised, since every chain of trust ends at the root. For this reason, issue day-to-day identities from intermediate CAs and keep the root CA out of routine use. See [chain of trust details](https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.html?highlight=ca#root-cas-intermediate-cas-and-chains-of-trust).

## How Do I Create a CA?

To create a fully functioning CA within the network:

{% stepper %}
{% step %}
**Create a CA**

Go to the **CA** tab and click the **Create CA** button.

<figure><img src="/files/CAnYrNJUu1wXTHJ2dXLn" alt=""><figcaption></figcaption></figure>

**Step 1** — Provide a CA name (required).

**Step 2** — Fill in the general information:

* Choose a CA type (root or intermediate)
* Provide the CA admin ID and password

{% hint style="info" %}
You will need to provide the same CA admin credentials later when [enrolling the CA admin](#how-do-i-enroll-an-admin-identity).
{% endhint %}

**Step 3** — Customize CA details (predefined values can be used):

* Enable debug logs if needed
* Enable TLS if required (recommended: without TLS, enrollment IDs and secrets are sent to the CA in clear text)
* Choose the CA image

{% hint style="info" %}
Using a predefined image is recommended for compatibility. If you use an image from a private repository, specify an `imagePullSecret`. Create the `imagePullSecret` in your Kubernetes cluster with the label `"app.kubernetes.io/name": "image-pull-secret"` so that Catalyst Blockchain Manager can find it.
{% endhint %}

**Resources allocation:**

* Requested CPU, CPU limit, Requested memory (MB), Memory limit (MB), Storage size
* Add custom environment variables if needed

**Step 4** — Customize the CSR (certificate signing request):

* Provide the distinguished name fields (Country, Locality, Organization, Organizational Unit, State or Province) if needed
* Set the path length (how many levels of intermediate CAs may be chained below this CA) and the CA certificate's expiry

**Step 5** — Customize signing options. These values set the expiry of the certificates this CA will issue: to intermediate CAs, to identities, and for TLS.

After clicking **Create**, the CA node appears in the CAs list.
{% endstep %}

{% step %}
**Sign an Intermediate CA (if applicable)**

After creation, an intermediate CA is in the "Waiting for certificate" state and cannot issue certificates until it has been given a signed certificate.

{% stepper %}
{% step %}
**Export the CSR**

Go to the intermediate CA's details page, click **Manage request**, then **Copy** or **Download**.

<figure><img src="/files/gc2mZPnAGsAc52IzjBEI" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Register an identity for the intermediate CA**

Go to the parent CA, open the **Identities** tab, click **Add identity**. Provide the same name as the intermediate CA, choose type **Client**, select **Intermediate CA**, and click **Register**.

<figure><img src="/files/ZZGRIMNPbD7FQGt4OXNz" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Enroll the identity (sign the CSR)**

Click the **Sign CSR** button. Provide the identity name and password registered in the previous step, upload or paste the CSR, then click **Sign CSR**.

<figure><img src="/files/bkmbfoAqHVWgprBDqJ7i" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Copy the parent CA's certificate**

<figure><img src="/files/7DDm3S3cDU7gnp30gdQB" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Upload the certificate to the intermediate CA**

Open the **Manage CSR** window from the intermediate CA page. Upload or paste the signed certificate and add the parent CA's certificate.

<figure><img src="/files/8eb4gonUq551xerFgRon" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
If the parent CA is itself an intermediate CA, also add every intermediate certificate above it and the root certificate, so that the new CA can present the complete chain of trust.
{% endhint %}

{% hint style="info" %}
If you want to sign your intermediate certificate by an external CA, skip steps 2 and 3 above and follow the external CA's signing procedure instead.
{% endhint %}
{% endstep %}
{% endstepper %}
{% endstep %}

{% step %}
**Enroll an Admin Identity**

Even though the node is up and running, the CA admin identity still has to be enrolled, using the credentials you provided during CA creation. Until this is done the CA carries the "No CA admin" label.

<figure><img src="/files/jRYGRpTJz719NgHGFmqO" alt=""><figcaption></figcaption></figure>

* Go to the CA page and click the **No CA admin** button, or click on the CA and then click **Enroll CA admin**.
* Provide the same credentials (CA admin ID and password) as entered during CA creation and submit.

After successful enrollment, you can register, enroll, and delete identities.
{% endstep %}
{% endstepper %}
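
The procedure above, together with the chain-of-trust section before it, can be exercised end to end with Go's standard library. What follows is an added example written for this page, not code from Catalyst Blockchain Manager or Hyperledger Fabric: it issues a root CA, an intermediate CA signed by it and a peer identity signed by the intermediate, then verifies the peer with the root as the only trust anchor. It shows why the full chain has to be uploaded together with an intermediate's certificate (verification fails when the intermediate is not supplied) and what the path length value in the CSR step enforces (a further CA signed by an intermediate with path length 0 is rejected, even though the intermediate's key is able to sign it). The names `root-ca`, `intermediate-ca`, `rogue-sub-ca`, `peer0`, `peer1` and `Org1` are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is one node of the chain of trust: a certificate plus the key that signs whatever is enrolled under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for name. With parent == nil the result is a self-signed root CA; with isCA
// and a parent it is an intermediate CA (what "Sign CSR" on the parent produces); with !isCA it is an
// end-entity identity such as a peer. pathLen is the CA's path length constraint, the number of further
// CAs allowed below it (0 = it may only issue identities); expiry stands for the signing-options expiry.
func issue(name string, isCA bool, pathLen int, expiry time.Duration, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name, Organization: []string{"Org1"}}, // placeholder org
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(expiry),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = pathLen, pathLen == 0
	}
	if parent == nil {
		parent = &ca{cert: tmpl, key: key} // no parent: the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// verify builds a chain from an identity certificate up to one of the trusted roots; intermediates is the
// extra chain material handed to the verifier. It returns the common names along the chain, root last.
func verify(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) ([]string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func must(c *ca, err error) *ca {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	year := 365 * 24 * time.Hour
	root := must(issue("root-ca", true, 1, 10*year, nil))          // may have one level of CA below it
	inter := must(issue("intermediate-ca", true, 0, 5*year, root)) // may only issue identities
	peer := must(issue("peer0", false, 0, year, inter))
	rootOnly := []*x509.Certificate{root.cert}
	fmt.Println(verify(peer.cert, rootOnly, []*x509.Certificate{inter.cert})) // full chain supplied: ok
	fmt.Println(verify(peer.cert, rootOnly, nil))                              // intermediate omitted: error
	// Nothing stops the intermediate from signing a further CA, but verifiers reject what that CA issues.
	sub := must(issue("rogue-sub-ca", true, 0, year, inter))
	peer1 := must(issue("peer1", false, 0, year, sub))
	fmt.Println(verify(peer1.cert, rootOnly, []*x509.Certificate{inter.cert, sub.cert})) // path length exceeded
}
```

The first check prints the chain `peer0`, `intermediate-ca`, `root-ca`; the other two print `x509` errors. The rogue sub-CA case is the one to remember: a CA key can sign anything, so the path length constraint set at creation time is what limits the damage when an intermediate is misused, and it only helps if every verifier is given the complete chain to check it against.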

## CA Node States

<details>

<summary>Possible CA node states</summary>

| State                       | Description                                                  |
| --------------------------- | ------------------------------------------------------------ |
| **Pending**                 | A node is starting, or awaiting Kubernetes cluster expansion |
| **Running**                 | A node is successfully created and ready to use              |
| **Terminating**             | The user has initiated removal of the node                   |
| **Failed**                  | A node was unable to start (e.g., exhausted resources)       |
| **Unknown**                 | A node's status could not be obtained                        |
| **Waiting for certificate** | CA is created but needs a certificate (intermediate CA only) |

</details>

## CA Details

Clicking on a CA opens a details window divided into five sections:

### General Information

View the CA's URL, certificates, signing options, etc. Available actions:

* Restart CA
* Delete CA
* Edit CA (change image, resource allocation, environment variables, signing options, debug mode)

<figure><img src="/files/YbTOmcYrEXW7q0PYqcJv" alt=""><figcaption></figcaption></figure>

### Variables

View and manage environment variables.

<figure><img src="/files/fux80f2FU7Yo5DsrW3hZ" alt=""><figcaption></figcaption></figure>

### Identities

Displays all identities issued by this CA. Each identity shows: ID, Type, Alternative names, Certificate validity period.

<figure><img src="/files/ezgrrQAk2Qn4m7SzY1ge" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Delete identities carefully, especially CA admin identities. If you delete your admin identity, you lose access to the CA's identity management.
{% endhint %}

### Wallet

The wallet holds the CA admin identity that Catalyst Blockchain Manager uses to register and enroll identities. It is added automatically when the CA admin is enrolled.

<figure><img src="/files/aigr1M6Cjb6sTBeiFOss" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
If you delete the CA admin identity from the wallet, you will not be able to operate identities until you re-enroll the admin identity.
{% endhint %}

### Events and Logs

View events and logs for the CA node. Logs can be filtered by text and/or level.

<figure><img src="/files/c3pYrtMuTGYgFT6lHlzc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/arPtROBQ9SMg6k28GdR2" alt=""><figcaption></figcaption></figure>

## How to Create an Identity?

Creating an identity consists of **registering** it and **enrolling** it. Registration creates the identity's record on the CA (its ID, enrollment secret and type); enrollment is when the holder of that secret obtains a certificate for its own key pair from the CA.

{% hint style="info" %}
If you want to register and/or enroll identities using the Hyperledger Fabric SDK instead of the UI, first register a CA admin identity using the UI, then enroll that identity from your business application; the application can then use it to register and enroll further identities through the SDK.
{% endhint %}

To register and/or enroll an identity:

1. Go to the **CAs** tab and click on the CA you want to use.
2. Go to the **Identities** tab.
3. Click **Add identity**.
4. Provide the name and password for the identity.
5. Select the type of identity (client, peer, or orderer).

{% hint style="info" %}
Select the appropriate identity type when creating an identity for a peer or orderer.
{% endhint %}

6. Select **CA Admin** if you want the identity to operate the CA.
7. Select **Intermediate CA** if you are registering an identity for an intermediate CA.
8. Select **Enroll identity** if needed.

<figure><img src="/files/Q2dssoUEHo4iUKNu4VbN" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
You can always enroll a registered identity later using the **Enroll identity** icon. Registered (but not yet enrolled) identities appear in the identities list with an "Enroll identity" icon and a disabled "Certificate" icon.
{% endhint %}
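
What happens behind the **Register** and **Enroll identity** buttons, and what the business-application side of the SDK hint above has to do, can be modelled in a few dozen lines. This is an added example written for this page, not Catalyst Blockchain Manager or fabric-ca code: `mockCA` is a stand-in for the CA node that only keeps the secrets stored at registration and signs CSRs, and the enroll exchange is made as a function call rather than over Fabric CA's REST API (where the ID and secret travel as HTTP basic auth over TLS and the CSR inside a JSON body). The identity `peer0`, its secret `peer0pw` and the CA name `ca.org1.example.com` are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mockCA is a test double for the CA node (written for this example, not fabric-ca-server): it keeps the
// enrollment secrets that "Register" stored and signs CSRs for callers that present the right one.
type mockCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	secrets map[string]string // enrollment ID -> secret
}

func newMockCA(secrets map[string]string) *mockCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // setup only, errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca.org1.example.com"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &mockCA{cert: cert, key: key, secrets: secrets}
}

// handleEnroll is the CA side of the exchange. On a real CA node the id and secret arrive as HTTP basic
// auth over TLS and the CSR inside a JSON body; only the decision logic is modelled here.
func (m *mockCA) handleEnroll(id, secret string, csrPEM []byte) ([]byte, error) {
	if secret == "" || m.secrets[id] != secret {
		return nil, fmt.Errorf("authentication failure for %q", id)
	}
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("no CSR in request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the CSR signature proves possession of the private key
		return nil, fmt.Errorf("CSR not signed by the key it carries: %v", err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	leaf := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: id}, // authenticated ID, not the CSR's
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour), // identity expiry
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, m.cert, csr.PublicKey, m.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// enroll is the application side: the key pair is generated locally and never leaves the process, only a
// CSR does; id and secret are the values registered in the UI. The returned certificate is checked
// against our own key and ID before it would be stored next to the key in the wallet.
func enroll(ca *mockCA, id, secret string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: id}}, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM, err := ca.handleEnroll(id, secret, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}))
	if err != nil {
		return nil, nil, fmt.Errorf("enrollment of %q rejected: %v", id, err)
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, nil, fmt.Errorf("no certificate in enrollment response")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if cert.Subject.CommonName != id || !key.PublicKey.Equal(cert.PublicKey) {
		return nil, nil, fmt.Errorf("issued certificate does not match our key or enrollment ID")
	}
	return key, cert, nil
}

func main() {
	ca := newMockCA(map[string]string{"peer0": "peer0pw"}) // constructed: what "Register" stored for peer0
	_, cert, err := enroll(ca, "peer0", "peer0pw")
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled", cert.Subject.CommonName, "issued by", cert.Issuer.CommonName, "until", cert.NotAfter.UTC())
	_, _, err = enroll(ca, "peer0", "wrong-secret")
	fmt.Println("second attempt:", err)
}
```

Two details in the example are what the UI hides. The CA checks the CSR's own signature before issuing, so an enrollment secret alone is not enough to obtain a certificate for a key the caller does not hold, and the subject of the issued certificate comes from the authenticated enrollment ID rather than from the CSR. The client, in turn, refuses a certificate that does not wrap its own key and ID, which is the check to make before writing the pair into a wallet.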

