hyperledger/fabric-ca

Clarification about TLS certificates to use configuring CAs

miguelaeh opened this issue · 2 comments

Hi,
I would like to ask for clarification about the following.
I deployed a TLS CA, an Organization CA, and an Intermediate CA, each one in different machines.
When creating the TLS root certificate, initially I set the --csr.hosts to the TLS CA hostname in the enroll command for the Organization CA and intermediate CA admin users. Then, following the guide, when configuring the Organization CA, I used the root TLS CA certificate in --tls.certfiles when enrolling the admin into the Organization CA and the Organization CA hostname in csr.hosts in the enroll command.
That, as probably expected, ended in an error like:

 x509: certificate is valid for tls_ca, not org_ca

There are two ways of solving that error.

  1. If we strictly follow the tutorial, to fix that error I would need to add the Organization CA hostname (apart from the TLS CA hostname) to the csr.hosts list when enrolling the Organization admin user into the TLS CA. I guess that's the way to fix it following the tutorial because it forces you to use the TLS CA root certificate when enrolling the Organization admin user into the Organization CA. So, basically, the TLS root CA cert will have been generated for the Organization CA host apart from the TLS CA host. Nevertheless, when generating that certificate, the docs say to add only the TLS CA host.
  2. The second way is to use only the TLS CA host for the TLS CA root cert (in csr.hosts), and when enrolling the Organization admin into the TLS CA, use the Organization CA hostname as csr.hosts. That way, when enrolling the admin user in the Organization CA, you can use its TLS certificate (the one generated for the Organization CA and copied from the TLS CA to the Organization CA machine) instead of the TLS CA root certificate (the docs say to use the TLS CA root cert) as --tls.certfiles, and its hostname (the Organization CA hostname) in the csr.hosts parameter.

I tested both approaches, and both worked. Could you please clarify which one should be used?

Thank you very much.

@miguelaeh thanks for the detailed explanation.

The first way sounds correct. When you initially enroll for the Org CA TLS cert, you should specify the csr.hosts for where the Org CA will run. This is because the csr.hosts gets saved into the TLS cert as the Subject Alternative Name (SAN), and since this cert will be used as the Org CA TLS cert, at runtime it will need to match the host that serves the Org CA responses.

If there is confusion in the doc, we can use this issue to fix it.
Per your statement:

Nevertheless, when generating that certificate, the docs say to add only the TLS CA host.

I'm not seeing that in the doc, but if it does say that, I agree it should be fixed. Please copy and paste the exact sentence(s) that cause the confusion so that it can be fixed.

If I'm looking at the correct part of the doc, it says to run this command to enroll the Org CA TLS cert:

./fabric-ca-client enroll -d -u https://rcaadmin:rcaadminpw@my-machine.example.com:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'host1,*.example.com' --mspdir tls-ca/rcaadmin/msp

The section doesn't really explain what host to set the csr.hosts to. So I agree it should be added. I'm just not seeing where it is actually wrong.

BTW, later when you enroll identities against the Org CA itself, you do not need to pass csr.hosts at all, because those are not TLS certs, they are just identity certs which do not require SAN. I have in fact done a PR to clarify this part already, see #255
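The SAN behaviour described in the answer above, as an added example that is not part of this thread or of fabric-ca: a throwaway self-signed TLS certificate is built with the same DNS names that --csr.hosts would put into the SAN extension, and Go's crypto/x509 (the library fabric-ca itself uses) is asked whether a client connecting to a given host would accept it. The hostnames tls_ca and org_ca are taken from the error message in the issue; the certificate contents are constructed here and are not real enrollment output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedTLSCert builds a throwaway self-signed TLS cert whose SAN list is
// exactly hosts, standing in for the cert written at enrollment with --csr.hosts
// (constructed example, not fabric-ca code).
func selfSignedTLSCert(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "orgadmin"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     hosts, // --csr.hosts ends up here, as the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckHost reports whether a TLS cert enrolled with --csr.hosts=hosts would be
// accepted by a client connecting to host. A mismatch yields the same x509
// HostnameError text that the fabric-ca-client prints.
func CheckHost(hosts []string, host string) error {
	cert, err := selfSignedTLSCert(hosts)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	// Enrolled with only the TLS CA host, then served from the Org CA host: rejected.
	fmt.Println(CheckHost([]string{"tls_ca"}, "org_ca"))
	// SAN list covers the host the Org CA actually serves from: accepted (nil).
	fmt.Println(CheckHost([]string{"tls_ca", "org_ca"}, "org_ca"))
}
```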

Hi @denyeart ,
Thank you very much for the fast reply and PR.
I checked the PR and it is more clear now. What you stated is what I was confused about:

BTW, later when you enroll identities against the Org CA itself, you do not need to pass csr.hosts at all, because those are not TLS certs.

About the exact sentence, you already changed it on the PR, it was:

 Update this parameter to include this hostname and ip address where this server is running,

Maybe I misunderstood the word "this" there; I assumed it was saying to add only the TLS CA host, since it does not talk about the rest, probably because the tutorial is done on a single machine.