Jim Green

Reputation: 1118

What is the difference between admincerts and signcerts in Hyperledger Fabric MSP

From Fabric MSP, admincerts:

a folder admincerts to include PEM files each corresponding to an administrator certificate

signcerts:

a folder signcerts to include a PEM file with the node’s X.509 certificate

Upvotes: 1

Views: 1693

Answers (2)

Gari Singh

Reputation: 12053

There are really two "types" of MSPs:

  • An MSP which is used as a signing identity

For the default MSP type (X509-based), the signing identity uses the crypto material in the keystore (private key) and signcerts (X509 public key which matches the keystore private key). Peers and orderers use their "local MSP" for signing; examples would be peers signing endorsement responses and orderers signing blocks (deliver responses).

  • An MSP which is used to verify signatures / identities

In this case, when a node needs to verify the signature (e.g. a peer verifying the signature of an endorsement proposal from a client), it will extract the MSPID from the creator field in the message it receives and look to see if it has a copy of the MSP for that MSPID.

If the role requires MEMBER, it then uses the "cacerts" / "intermediatecerts" content to verify that the identity was indeed issued by that MSP. It then uses the public key which is also in the creator field to validate the signature.

In the case where an ADMIN role is required, it actually checks to make sure that the creator public key is an exact match for one of the X509 public certs in the "admincerts" folder.

NOTE: There is technically no difference between an "admin" cert and a "member" cert. An identity becomes an "ADMIN" role by simply adding the public certificate to the "admincerts" folder of the MSP.

NOTE: The MSPs for all members of a channel are distributed to all the peers that are part of a channel via config blocks. The orderer also has the MSPs for all members of each channel / consortium as well.

Upvotes: 9
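The two verification paths this answer describes, as an added example rather than Fabric's own code: `IsMember` builds a chain to a `cacerts` root (through `intermediatecerts`), while `IsAdmin` does no chain building at all and only looks for a byte-identical certificate in `admincerts`. Certificates are handled as parsed objects instead of PEM files on disk, and `mkCert` is a constructed helper standing in for the organisation's CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsAdmin is the answer's ADMIN check: the creator cert must be byte-identical to a cert in admincerts/.
func IsAdmin(adminCerts []*x509.Certificate, creator *x509.Certificate) bool {
	for _, a := range adminCerts {
		if bytes.Equal(a.Raw, creator.Raw) {
			return true
		}
	}
	return false
}

// IsMember is the answer's MEMBER check: the creator cert must chain to cacerts/ (via intermediatecerts/).
func IsMember(caCerts, intermediates []*x509.Certificate, creator *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caCerts {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	// ExtKeyUsageAny: we only care about the issuer chain, not TLS-style extended key usages.
	_, err := creator.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// mkCert is a constructed helper (not Fabric code): a P-256 cert for cn, signed by parent or self-signed if parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root, like the org CA cert in cacerts/
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Note that the admin cert passes `IsMember` too: nothing in its content marks it as admin, only its presence in `admincerts` does.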

christo4ferris

Reputation: 4037

The admin certificates are used to administer the peer (installing/instantiating chaincode, creating channels, etc.) and the signcerts are for the endorsing function. They are independent to preserve a separation of concerns.

Upvotes: 0
