Reputation: 846
I went through the documentation on fabric-ca: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html
I have the following questions:
1. When does fabric-ca come into the picture in Hyperledger: for user authentication, for MSP certs generation, or both?
2. Can we use some other third-party CA in place of fabric-ca?
3. What should be kept in mind if we use a third-party CA?
4. Is there any sample to understand it better? (I already went through balance-transfer.)
Upvotes: 1
Views: 1742
Reputation: 296
1) fabric-ca comes into the picture for both authentication and MSP certs generation. The /enroll API requires basic authentication, and assuming success, will issue an enrollment certificate and populate the appropriate MSP directories.
2) You have the following choices when it comes to using a CA with fabric: a) Use fabric CA to function as a root CA and/or intermediate CA. b) Start fabric CA with an intermediate signing certificate which you get from an external CA. c) Don't use fabric CA at all and use an external CA completely. With a & b, the fabric CA server can function as its own user registry, or it can talk to an LDAP server as the user registry.
3) When using a 3rd party CA (#c above), you will need to think about how you want to do access control in chaincode. One option is based on the OU (Organizational Units) that a user's certificate has, which means the 3rd party CA will need to be able to restrict which OU values are issued to which users. When using the fabric CA server to issue certificates, you can use Attribute-Based Access Control (ABAC) to perform access control for chaincode.
4) There is a sample which is not merged yet at https://gerrit.hyperledger.org/r/#/c/13213/. See the README.md for a description of how to run the sample and an overview of how it works.
Upvotes: 3
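The OU-based access control option from point 3 of the answer, sketched with the Go standard library only. This is an added example, not code from the answer or from Fabric. `AuthorizeByOU`, `IssueSample`, the CA name `example-ca` and the OU values `client` and `admin` are assumptions made for illustration, and the certificates are constructed at run time as a stand-in for a third-party CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuthorizeByOU (hypothetical helper): cert must chain to roots and carry an allowed OU.
func AuthorizeByOU(cert *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted issuer: %w", err)
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if allowed[ou] {
			return nil
		}
	}
	return fmt.Errorf("OU %v not permitted", cert.Subject.OrganizationalUnit)
}

// IssueSample (constructed data): throwaway CA plus a user certificate carrying ou.
func IssueSample(ou string) (*x509.Certificate, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	user := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		Subject: pkix.Name{CommonName: "user1", OrganizationalUnit: []string{ou}}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	userDER, _ := x509.CreateCertificate(rand.Reader, user, caCert, &userKey.PublicKey, caKey)
	userCert, _ := x509.ParseCertificate(userDER)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return userCert, roots
}

func main() {
	cert, roots := IssueSample("client")
	fmt.Println(AuthorizeByOU(cert, roots, map[string]bool{"admin": true}))
}
```

The decision is only as strong as the CA's issuance policy: the check trusts whatever OU the CA signed, which is why the answer says the third-party CA must restrict which OU values go to which users.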