github.com/tenywen/fabric@v1.0.0-beta.0.20170620030522-a5b1ed380643/docs/source/msp-identity-validity-rules.rst

As mentioned in the MSP description, MSPs may be configured with a set of root
certificate authorities (rCAs) and, optionally, a set of intermediate
certificate authorities (iCAs). Each of an MSP's iCA certificates must be signed
by **exactly one** of the MSP's rCAs or iCAs.
An MSP's configuration may also contain a certificate revocation list, or CRL.
If that CRL is issued by one of the MSP's root certificate authorities and lists
the certificate of an iCA that is also part of the MSP's configuration, MSP
setup fails: a revoked certificate authority cannot be part of the MSP.

Each rCA is the root of a certification tree. That is,
each rCA may be the signer of the certificates of one or more iCAs, and these
iCAs will be the signer either of other iCAs or of user certificates.
Here are a few examples::

        rCA1            rCA2        rCA3
       /    \            |           |
    iCA1    iCA2        iCA3         id
    /   \     |          |
 iCA11 iCA12  id         id
   |
   id

The default MSP implementation accepts as valid identities X.509 certificates
signed by the appropriate authorities, namely the CAs that are leaves of their
certification tree. In the diagram above,
only certificates signed by iCA11, iCA12, iCA2, iCA3 and rCA3
will be considered valid. Certificates signed by internal nodes (rCA1, rCA2 and
iCA1, each of which certifies other CAs) will be rejected.

Notice that the validity of a certificate is also affected, in a similar
way, if one or more organizational units are specified in the MSP configuration.
Recall that an organizational unit is specified in an MSP configuration
as a pair of values, say (parent-cert, ou-string), where parent-cert identifies
the certificate authority that certifies that organizational unit and
ou-string is the organizational unit identifier itself.
If a certificate C is signed by an iCA or rCA
for which an organizational unit has been specified in the MSP configuration,
then C is considered valid only if, among other requirements, its OU field
includes ou-string.
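The Go program below is an added illustration of the three rules on this page and is not
part of Fabric's MSP implementation. It builds the certification tree drawn above with
``crypto/x509``, then checks constructed identities: the chain must end at one of the MSP's
rCAs through the MSP's iCAs, the signer must be a leaf of its tree (detected here by asking
whether any other configured CA certificate verifies under the signer's key), no certificate
in the chain may be revoked, and an identity signed by a CA with a configured (parent-cert,
ou-string) pair must carry that ou-string in its OU field. The ``MSPConfig`` struct, the
``issue`` helper, the identities alice, bob, carol, dave and frank, the (iCA11, "peer") OU
pair and frank's revocation are all constructed for this example; representing the CRL as a
set of revoked serial numbers and keying an OU pair by the signing CA's SubjectKeyId are
simplifications of this example, not Fabric's data model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MSPConfig holds what the validity rules consult (illustrative; not Fabric's protobuf MSPConfig).
type MSPConfig struct {
	CAs           []*x509.Certificate // every rCA and iCA, for the internal-node rule
	Roots, Inters *x509.CertPool      // the rCAs and iCAs as pools for chain building
	Revoked       map[string]bool     // stands in for the CRL: serial number -> revoked
	OUs           map[string]string   // signer SubjectKeyId -> ou-string, i.e. a (parent-cert, ou-string) pair
}

// issue signs a certificate for cn with parentKey (self-signed when parent is nil).
func issue(cn string, ous []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ous},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate applies the page's rules: chain to an MSP rCA through MSP iCAs, leaf signer,
// no revoked certificate in the chain, and the OU configured for the signer (if any).
func (c *MSPConfig) Validate(id *x509.Certificate) error {
	chains, err := id.Verify(x509.VerifyOptions{Roots: c.Roots, Intermediates: c.Inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("no chain to an MSP root: %v", err)
	}
	chain := chains[0] // identity, signer, ..., rCA
	signer := chain[1]
	// Internal-node rule: a CA that issued another MSP CA must not issue identities.
	for _, ca := range c.CAs {
		if !ca.Equal(signer) && ca.CheckSignatureFrom(signer) == nil {
			return fmt.Errorf("%s is an internal node (it issued %s)", signer.Subject.CommonName, ca.Subject.CommonName)
		}
	}
	// CRL rule: a revoked certificate anywhere in the chain invalidates the identity.
	for _, cert := range chain {
		if c.Revoked[cert.SerialNumber.String()] {
			return fmt.Errorf("%s is revoked", cert.Subject.CommonName)
		}
	}
	// OU rule: if an ou-string is configured for the signer, the OU field must contain it.
	if want, ok := c.OUs[string(signer.SubjectKeyId)]; ok {
		for _, have := range id.Subject.OrganizationalUnit {
			if have == want {
				return nil
			}
		}
		return fmt.Errorf("OU %v lacks %q configured for %s", id.Subject.OrganizationalUnit, want, signer.Subject.CommonName)
	}
	return nil
}

// Outcomes builds the page's CA tree, issues constructed identities against it and returns
// each identity's verdict. The (iCA11, "peer") OU pair and frank's revocation are constructed.
func Outcomes() map[string]error {
	edges := []struct{ child, parent string }{{"rCA1", ""}, {"rCA2", ""}, {"rCA3", ""},
		{"iCA1", "rCA1"}, {"iCA2", "rCA1"}, {"iCA3", "rCA2"}, {"iCA11", "iCA1"}, {"iCA12", "iCA1"}}
	cas, keys := map[string]*x509.Certificate{}, map[string]*ecdsa.PrivateKey{}
	cfg := &MSPConfig{Roots: x509.NewCertPool(), Inters: x509.NewCertPool(), Revoked: map[string]bool{}}
	pools := map[bool]*x509.CertPool{true: cfg.Roots, false: cfg.Inters}
	for _, e := range edges { // cas[""] and keys[""] are nil, so the rCAs self-sign
		cas[e.child], keys[e.child] = issue(e.child, nil, true, cas[e.parent], keys[e.parent])
		cfg.CAs = append(cfg.CAs, cas[e.child])
		pools[e.parent == ""].AddCert(cas[e.child])
	}
	cfg.OUs = map[string]string{string(cas["iCA11"].SubjectKeyId): "peer"}
	alice, _ := issue("alice", []string{"peer"}, false, cas["iCA11"], keys["iCA11"])
	bob, _ := issue("bob", []string{"client"}, false, cas["iCA11"], keys["iCA11"])
	carol, _ := issue("carol", nil, false, cas["rCA3"], keys["rCA3"])
	dave, _ := issue("dave", nil, false, cas["iCA1"], keys["iCA1"])
	frank, _ := issue("frank", nil, false, cas["iCA3"], keys["iCA3"])
	cfg.Revoked[frank.SerialNumber.String()] = true
	return map[string]error{
		"alice": cfg.Validate(alice), // leaf iCA11, OU peer: valid
		"bob":   cfg.Validate(bob),   // leaf iCA11 but OU client: rejected
		"carol": cfg.Validate(carol), // rCA3 certifies no iCAs, so it signs identities directly: valid
		"dave":  cfg.Validate(dave),  // iCA1 issued iCA11 and iCA12, an internal node: rejected
		"frank": cfg.Validate(frank), // serial listed in the CRL: rejected
	}
}

func main() {
	for name, err := range Outcomes() {
		fmt.Printf("%-6s %v\n", name, err)
	}
}
```

Running the program prints one verdict per identity; a ``<nil>`` error means the identity
passed all three rules. The order of the checks matters in practice: chain building rejects
anything not issued under the MSP's own rCAs before the cheaper leaf, CRL and OU checks run,
so an attacker cannot learn about the OU configuration from error messages without first
presenting a certificate the MSP's CAs actually issued.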