What is diffrence between enrolling and registering a certificate in Hyperledger fabric CA

Question

What exactly is difference between enrolling and registering a certificate in Hyperledger Fabric CA. I am new to cryptography and i am really confused about the working of Fabric CA. Also how are certificates generated via cryptogen is diffrent from certificates generated via Fabric CA.

Answer 1

The concept of first register(Saving username,password and other attributes in CA's DB) then registered identity can enroll to get certificates is the same in the latest version of Fabric CA as it was previously. Refer to the latest link: https://hyperledger-fabric.readthedocs.io/en/latest/deployment_guide_overview.html#step-four-use-the-ca-to-create-identities-and-msps

"Register and enroll an admin identity and create an MSP. After the CA that will be associated with an organization has been created, it can be used to first register a user and then enroll an identity (producing the certificate pair used by all entities on the network). In the first step, a username and password for the identity is assigned by the admin of the CA."

Answer 2

"Registration" is done by the CA admin. A username and password is assigned to an identity, along with attributes (will the identity be an admin or a node, for example?). This registration places the username and password, along with the relevant other information about the identity, in the database of the CA. No certificates have been generated at this point. The identity has simply been registered.

"Enrollment" is the process where certificates are created and given to the user of the identity. The username and password is given to this user out of band, and they use the name and password as part of a fabric-ca-client call to the CA. The public and private keys --- encoded with the relevant attributes registered with the CA --- are then generated.

The reason for the separate between registration and enrollment is to ensure that only the user of an identity receives their private key.

The certificates created by a CA are identical to those created by cryptogen --- an x.509 certificate is an x.509 certificate --- but cryptogen is a tool for quickly creating certs in a test environment, not a true method for creating certificates for anything resembling production.

Answer 3

Registering identity means adding its details in Fabric CA.

Enrolling means process when registered identity connects to CA and sends Certificate Signing Request (CSR) to it. CA checks if the identity is registered and performs some other validations, if checks are successful then it returns signed certificate to the identity. Since the certificate is signed by CA trusted by blockchain network, the identity has now means to interact with the network using this certificate.

So, to make the identity being able to interact with the network it must pass two steps in this particular sequence:

1. Be registered on CA
2. Be enrolled

Admin is preregistered in CA using when it is started

fabric-ca-server start -b admin:adminpw

The details are here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html

also you can refer to source

Answer 4

So from what i understand when you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.

The certificates that the cryptogen tool generate are not any different to the ones generated by the Fabric CA, the cryptogen tool is there for convenience in development. It should not be used in a live / production environment. Under the hood the cryptogen tool actually spins up a fabric ca server locally.

Here is a link to the latest documentation for Fabric CA:

https://hyperledger-fabric-ca.readthedocs.io/en/latest/