github.com/kchristidis/fabric@v1.0.4-0.20171028114726-837acd08cde1/docs/source/Setup/TLSSetup.rst

Steps to enable TLS for all server (ECA, ACA, TLSCA, TCA) and between ACA client to server communications.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Go to the **membersrvc.yaml** file under the fabric/membersrvc directory
   and edit the security section, that is:

   ::

       security:
         serverhostoverride:
         tls_enabled: false
         client:
           cert:
             file:

   To enable TLS between the ACA client and the rest of the CA services,
   set the ``tls_enabled`` flag to ``true``.
    18  
2. Next, set the **serverhostoverride** field to match the **CN** (Common Name)
   of the TLS server certificate. To extract the Common Name from the TLS
   server's certificate, for example using OpenSSL, you can use the
   following command:

   ::

       openssl x509 -in certificate.crt -text -noout

   where ``certificate.crt`` is the server certificate. If you have OpenSSL
   installed on the machine and everything went well, you should expect an
   output of the form:
    31  
   ::

       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number:
                   4f:39:0f:ac:7b:ce:2b:9f:28:57:52:4a:bb:94:a6:e5:9c:69:99:56
               Signature Algorithm: ecdsa-with-SHA256
               Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW
               Validity
                   Not Before: Aug 24 16:27:00 2016 GMT
                   Not After : Aug 24 16:27:00 2017 GMT
               Subject: C=US, ST=California, L=San Francisco, O=example.com, CN=www.example.com
               Subject Public Key Info:
                   Public Key Algorithm: id-ecPublicKey
                   EC Public Key:
                       pub:
                           04:38:d2:62:75:4a:18:d9:f7:fe:6a:e7:df:32:e2:
                           15:0f:01:9c:1b:4f:dc:ff:22:97:5c:2a:d9:5c:c3:
                           a3:ef:e3:90:3b:3c:8a:d2:45:b1:60:11:94:5e:a7:
                           51:e8:e5:5d:be:38:39:da:66:e1:99:46:0c:d3:45:
                           3d:76:7e:b7:8c
                       ASN1 OID: prime256v1
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Digital Signature, Key Encipherment
                   X509v3 Extended Key Usage:
                       TLS Web Server Authentication
                   X509v3 Basic Constraints: critical
                       CA:FALSE
                   X509v3 Subject Key Identifier:
                       E8:9C:86:81:59:D4:D7:76:43:C7:2E:92:88:30:1B:30:A5:B3:A4:5C
                   X509v3 Authority Key Identifier:
                       keyid:5E:33:AC:E0:9D:B9:F9:71:5F:1F:96:B5:84:85:35:BE:89:8C:35:C2

                   X509v3 Subject Alternative Name:
                       DNS:www.example.com
           Signature Algorithm: ecdsa-with-SHA256
               30:45:02:21:00:9f:7e:93:93:af:3d:cf:7b:77:f0:55:2d:57:
               9d:a9:bf:b0:8c:9c:2e:cf:b2:b4:d8:de:f3:79:c7:66:7c:e7:
               4d:02:20:7e:9b:36:d1:3a:df:e4:d2:d7:3b:9d:73:c7:61:a8:
               2e:a5:b1:23:10:65:81:96:b1:3b:79:d4:a6:12:fe:f2:69

    74  
   Now take the CN value from that output (**www.example.com** in the
   example above) and put it in the **serverhostoverride** field under the
   security section of the membersrvc.yaml file.

3. Last, make sure that the path to the corresponding TLS server certificate
   is specified under ``security.client.cert.file``.
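The three steps above are easy to get subtly wrong (the flag left at
``false``, an override that does not match the certificate, an empty cert
path), so here is a small checker that ties them together. It is an added
example, not part of the Fabric docs or the membersrvc code: it reads the
text produced by the ``openssl x509 -text -noout`` command from step 2 and a
copy of the ``security`` section of membersrvc.yaml, both embedded here as
constructed samples built from the values on this page (the second SAN entry
``ca.example.com`` and the certificate path are made up for illustration).
Because TLS hostname verification matches the SAN DNS names first and falls
back to the CN only when the certificate has no SAN, the check prefers the
SAN list and accepts a single-label wildcard. The YAML extraction is a
deliberately minimal line-based scan of the flat keys shown on this page, not
a general YAML parser.

```python
"""Check the membersrvc.yaml 'security' section against the TLS server cert.

Added example, not part of the Fabric docs. Input is the text output of
``openssl x509 -in certificate.crt -text -noout`` plus the security block of
membersrvc.yaml; both samples below are constructed for this example.
"""
import re

# Constructed sample: abbreviated `openssl x509 -text -noout` output for the
# certificate shown in the docs (only the lines the checker looks at). The
# extra SAN entry ca.example.com is invented for illustration.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW
        Validity
            Not Before: Aug 24 16:27:00 2016 GMT
            Not After : Aug 24 16:27:00 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=example.com, CN=www.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:ca.example.com
"""

# Constructed sample of the security section after steps 1-3 were applied.
# The certificate path is a placeholder, not a path the docs prescribe.
SAMPLE_MEMBERSRVC_YAML = """\
security:
  serverhostoverride: www.example.com
  tls_enabled: true
  client:
    cert:
      file: /path/to/tls-server.crt
"""


def parse_cert_names(x509_text):
    """Return (common_name, [SAN DNS names]) from `openssl x509 -text` output."""
    cn_match = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", x509_text, re.M)
    common_name = cn_match.group(1).strip() if cn_match else None
    san_match = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", x509_text)
    san_dns = []
    if san_match:
        for entry in san_match.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                san_dns.append(entry[len("DNS:"):].strip())
    return common_name, san_dns


def hostname_matches(name_in_cert, override):
    """Exact match, or a single-label wildcard such as '*.example.com'."""
    cert = name_in_cert.lower().rstrip(".")
    host = override.lower().rstrip(".")
    if cert == host:
        return True
    if cert.startswith("*."):
        suffix = cert[1:]  # ".example.com"
        # The wildcard may replace exactly one leftmost label, never several.
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def parse_security_section(yaml_text):
    """Pull the three keys the docs care about out of the security block.

    Minimal line-based extraction (no YAML library); it only understands the
    flat 'key: value' lines of the block shown in the docs.
    """
    def value_of(key):
        m = re.search(r"^\s*%s:\s*(.*)$" % re.escape(key), yaml_text, re.M)
        return m.group(1).strip() if m and m.group(1).strip() else None

    return {
        "serverhostoverride": value_of("serverhostoverride"),
        "tls_enabled": value_of("tls_enabled"),
        "cert_file": value_of("file"),
    }


def check_tls_config(yaml_text, x509_text):
    """Return a list of findings; an empty list means the three steps line up."""
    cfg = parse_security_section(yaml_text)
    common_name, san_dns = parse_cert_names(x509_text)
    findings = []
    if cfg["tls_enabled"] != "true":
        findings.append("security.tls_enabled is not 'true'; TLS stays off")
    override = cfg["serverhostoverride"]
    if not override:
        findings.append("security.serverhostoverride is empty")
    else:
        # Hostname verification uses the SAN DNS names; the CN is only a
        # fallback for certificates that carry no SAN extension at all.
        names = san_dns or ([common_name] if common_name else [])
        if not any(hostname_matches(n, override) for n in names):
            findings.append("serverhostoverride %r matches neither SAN %r nor CN %r"
                            % (override, san_dns, common_name))
    if not cfg["cert_file"]:
        findings.append("security.client.cert.file is not set")
    return findings


if __name__ == "__main__":
    for finding in check_tls_config(SAMPLE_MEMBERSRVC_YAML, SAMPLE_X509_TEXT) or ["OK"]:
        print(finding)
```

To run it against a real deployment, replace the two samples with the output
of the openssl command from step 2 and the security block of your
membersrvc.yaml; an empty findings list means the override names the
certificate, TLS is switched on, and a certificate path is configured (the
checker does not verify that the file exists or that it is the same
certificate the server presents).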
    81  
.. Licensed under Creative Commons Attribution 4.0 International License
   https://creativecommons.org/licenses/by/4.0/