Reputation: 480
Background:
Fabric documentation says that an MSP may optionally have a folder with Intermediate CAs (ICAs), as shown below.
Question:
What is the purpose of having this folder? From what I understand, each ICA cert is signed with the root CA cert, and the root CA cert is added to the MSP configuration. So it seems that even if the Fabric MSP does not have a folder with ICAs, it has the means to validate the incoming request anyway (because it has the root cert).
I may assume that having ICAs might be used not for validation but for some configuration, giving different roles to identities signed by different ICAs, but it is vague to me how exactly it can be used.
Documentation:
Here is related part of Hyperledger Fabric documentation:
Intermediate CAs: This folder contains a list of X.509 certificates of the Intermediate CAs trusted by this organization. Each certificate must be signed by one of the Root CAs in the MSP or by an Intermediate CA whose issuing CA chain ultimately leads back to a trusted Root CA.
An intermediate CA may represent a different subdivision of the organization (like ORG1-MANUFACTURING and ORG1-DISTRIBUTION do for ORG1), or the organization itself (as may be the case if a commercial CA is leveraged for the organization’s identity management). In the latter case intermediate CAs can be used to represent organization subdivisions. Here you may find more information on best practices for MSP configuration. Notice, that it is possible to have a functioning network that does not have an Intermediate CA, in which case this folder would be empty.
Like the Root CA folder, this folder defines the CAs from which certificates must be issued to be considered members of the organization.
Upvotes: 1
Views: 514
Reputation: 1644
One of the primary reasons that I can think of for setting up an intermediate CA is to protect your root of trust. Your organization or sub-organization may be allocated a certificate of identity that you want to protect dearly. So, you safeguard it by deriving/generating one or more intermediate certificates and setting up the corresponding CAs, so that your root certificate can stay in a safe zone (say, a DMZ) and you can still obtain the benefits of verification & signing using your intermediate certificates and CAs. Verification would still remain unaffected, as your intermediate certs and CAs chain to the single root of trust from which they were issued.
Upvotes: 1
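Added example (not from the question, the answer, or the Fabric code base): a self-contained Go program that builds a throwaway Root CA -> Intermediate CA -> peer identity hierarchy with in-memory P-256 keys and then runs Go's standard X.509 chain verification three ways. The root pool plays the role of the MSP's `cacerts` folder and the intermediate pool the role of `intermediatecerts`. The point it demonstrates is the one the answer relies on: a leaf issued by an intermediate only chains back to the root if the verifier also holds the intermediate's certificate. As I understand Fabric, a serialized identity carries just the leaf certificate, so that intermediate has to come from the MSP configuration; the names `ORG1`, `ORG1-MANUFACTURING ICA` and `peer0.manufacturing.org1` below are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy: Root signs ICA, ICA signs Leaf.
// Keys are ephemeral P-256 ECDSA keys (the curve Fabric MSPs normally use).
type DemoPKI struct {
	Root, ICA, Leaf *x509.Certificate
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// caTemplate returns a CA certificate template for the hypothetical ORG1.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"ORG1"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl for pub with signer. A nil parent means self-signed (the root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates the root, an intermediate signed by the root, and a
// peer identity signed only by the intermediate. The root key is used exactly
// once (to sign the ICA) and then dropped, mirroring an offline root.
func BuildDemoPKI() (*DemoPKI, error) {
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	root, err := issue(caTemplate("ORG1 Root CA", 1), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	icaKey, err := newKey()
	if err != nil {
		return nil, err
	}
	ica, err := issue(caTemplate("ORG1-MANUFACTURING ICA", 2), root, &icaKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{Organization: []string{"ORG1"}, OrganizationalUnit: []string{"peer"}, CommonName: "peer0.manufacturing.org1"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, err := issue(leafTmpl, ica, &leafKey.PublicKey, icaKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, ICA: ica, Leaf: leaf}, nil
}

// VerifyMember models the MSP membership check: roots stand in for cacerts/,
// intermediates for intermediatecerts/. It returns nil only if a chain from
// cert through the supplied intermediates to one of the roots can be built.
func VerifyMember(cert *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{p.Root}
	fmt.Println("ICA against root only:          ", VerifyMember(p.ICA, roots, nil))
	fmt.Println("leaf with ICA in intermediates: ", VerifyMember(p.Leaf, roots, []*x509.Certificate{p.ICA}))
	fmt.Println("leaf with empty intermediates:  ", VerifyMember(p.Leaf, roots, nil))
}
```

The first two checks succeed and the third fails with an unknown-authority error even though the leaf was ultimately issued under the trusted root: the verifier cannot validate the leaf's signature without the ICA's public key, and it has no way to obtain it except from its own trust configuration. That is why a root certificate alone is not sufficient once identities are issued by intermediates, and why the folder also acts as an allow-list of which subdivisions' CAs count as members.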