Hyperledger Fabric CA: Override Certificate Signing Request (CSR) section by ENV


I want to override this section of the fabric-ca-server-config.yaml file with environment variables:

csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - host1.example.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1

For example I know that:

FABRIC_CA_SERVER_CSR_CN=fabric-ca-server is equivalent to csr.cn, but what about csr.names? csr.hosts?

Could it be:

FABRIC_CA_SERVER_CSR_NAMES=C:US,ST:"North Carolina",L:,O:Hyperledger,OU:Fabric

Regards

Best answer:

TL;DR: You can't override the CSR with env. variables, but you can customize the CSR in the config file.


Long answer:

There are two issues going on here:

1) The error you are getting states that the configuration is looking for a map (which is how it is formatted in the fabric-ca-server-config.yaml file).

To create a map in a bash script variable, you need to declare the associative array:

# Bash associative array (bash 4+); this builds the map inside the shell only.
declare -A FABRIC_CA_SERVER_CSR_NAMES=( \
    [C]="US" \
    [ST]="Texas" \
    [L]="" \
    [O]="TangoJLabs" \
    [OU]="testenvvar" \
)
# export is accepted, but bash never passes array variables to child
# processes, so fabric-ca-server will not see this map.
export FABRIC_CA_SERVER_CSR_NAMES
echo "${FABRIC_CA_SERVER_CSR_NAMES[OU]}"

2) However, environment variables can only be strings, so it does not appear possible to override the configuration CSR settings with environment variables. Something like FABRIC_CA_SERVER_CSR_NAMES_OU will not work because names: is a map, so there could be multiple OU entries.

The docs state:

If custom values for the CSR are required, you may customize the configuration file, delete the files specified by the ca.certfile and ca.keyfile configuration items, and then run the fabric-ca-server init -b admin:adminpw command again.

So, what I typically do is just create a minimal config file and copy it over to the CA container before running init. This seems to be enough (with the other sections taking default values):

registry:
  maxenrollments: -1
  identities:
    - name: mycompany-admin-ca
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

affiliations:
  mycompany: []

csr:
  cn: mycompany-ca
  names:
    - C: US
      ST: Texas
      L:
      O: MyCompany
      OU: client
  hosts:
    - mycompany-ca
  ca:
    expiry: 131400h
    pathlength: 1

For some reason, if you include a custom fabric-ca-server-config.yaml file but exclude the registry: section, it does not register a bootstrap user, even if you use the command line -b option. So, if you include that registry: section, you therefore don't need the -b option when you run init.

You might also want to include the ca: section since you can force the created certificate to be saved to your custom name:

ca:
  name: mycompany-ca
  keyfile: /etc/hyperledger/fabric-ca-server/mycompany-ca-cert.key
  certfile: /etc/hyperledger/fabric-ca-server/mycompany-ca-cert.pem
  chainfile:

Also, before running init I would clean up your home directory - sometimes the default ca-cert.pem (and key) already exist and are not replaced:

rm -f "$FABRIC_CA_SERVER_HOME/ca-cert.pem"
rm -rf "$FABRIC_CA_SERVER_HOME/msp"

Of course, after running init your key will be saved in the msp directory tree under:

msp
└── keystore
    └── {...}_sk

I typically move it to the home directory and rename it for convenience:

cp $FABRIC_CA_SERVER_HOME/msp/keystore/*_sk $FABRIC_CA_SERVER_HOME/mycompany-ca-cert.key
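The answer above leaves you with a config file you have to write by hand, while the question wanted the subject fields to come from the container environment. The script below is an added example (not code from the question, the answer, or the Fabric CA project) that bridges the two: it renders the registry, affiliations, csr and ca sections of fabric-ca-server-config.yaml from environment variables of its own naming (CSR_CN, CSR_SUBJECT_C/ST/L/O/OU, CSR_HOSTS, CSR_CA_EXPIRY, CA_NAME, CA_ADMIN_USER, CA_ADMIN_PASS, CA_AFFILIATION are this script's conventions, not Fabric CA variables), deletes the stale certificate, key and msp directory the answer warns about, and then runs `fabric-ca-server init`. Because values arrive from an untrusted-ish environment, every one is written as a YAML double-quoted scalar with backslash and quote escaped, and a value containing a newline is refused, so a value such as `US", hosts: ["evil"` cannot smuggle extra keys into the generated file.

```shell
#!/bin/sh
# Added example; not code from the question, the answer or the Fabric CA project.
# csr.names is a list of maps, which a flat environment variable cannot carry,
# so the csr section is rendered from variables of this script's own naming
# (CSR_CN, CSR_SUBJECT_*, CSR_HOSTS, CSR_CA_EXPIRY, CA_NAME, CA_ADMIN_USER,
# CA_ADMIN_PASS, CA_AFFILIATION: assumptions, not Fabric CA variables).
set -eu

# Quote one scalar for YAML: escape backslash and double quote, refuse newlines
# (a newline in a value would otherwise start new YAML lines of the attacker's choice).
yaml_quote() {
  nl='
'
  case "$1" in
    *"$nl"*) echo "yaml_quote: newline in value, refusing" >&2; return 1 ;;
  esac
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# kv INDENT KEY VALUE: emit one "KEY: value" line, aborting on a bad value.
kv() {
  q=$(yaml_quote "$3") || return 1
  printf '%s%s: %s\n' "$1" "$2" "$q"
}

# The csr: section. CSR_HOSTS is comma-separated (this script's convention);
# each host becomes its own list item.
render_csr_section() {
  printf 'csr:\n'
  kv '  ' cn "${CSR_CN:-fabric-ca-server}"
  printf '  names:\n'
  kv '    - ' C  "${CSR_SUBJECT_C:-US}"
  kv '      ' ST "${CSR_SUBJECT_ST:-North Carolina}"
  kv '      ' L  "${CSR_SUBJECT_L:-}"
  kv '      ' O  "${CSR_SUBJECT_O:-Hyperledger}"
  kv '      ' OU "${CSR_SUBJECT_OU:-Fabric}"
  printf '  hosts:\n'
  old_ifs=$IFS
  IFS=','
  for h in ${CSR_HOSTS:-localhost}; do
    q=$(yaml_quote "$h") || return 1
    printf '    - %s\n' "$q"
  done
  IFS=$old_ifs
  printf '  ca:\n'
  kv '    ' expiry "${CSR_CA_EXPIRY:-131400h}"
  printf '    pathlength: 1\n'
}

# Minimal config: registry (so the bootstrap identity is registered without -b),
# affiliations, csr, and a ca: section pinning the certificate and key file names.
write_config() {
  {
    printf 'registry:\n  maxenrollments: -1\n  identities:\n'
    kv '    - ' name "${CA_ADMIN_USER:-admin}"
    kv '      ' pass "${CA_ADMIN_PASS:-adminpw}"
    printf '      type: client\n      affiliation: ""\n      attrs:\n'
    printf '        hf.Registrar.Roles: "*"\n        hf.Revoker: true\n'
    aff=$(yaml_quote "${CA_AFFILIATION:-org1}") || return 1
    printf 'affiliations:\n  %s: []\n' "$aff"
    render_csr_section
    printf 'ca:\n'
    kv '  ' name "${CA_NAME:-fabric-ca-server}"
    printf '  certfile: ca-cert.pem\n  keyfile: ca-key.pem\n'
  } > "$1"
}

# Write the config, remove a stale certificate, key and msp tree so init really
# regenerates them, then run init. -H is fabric-ca-server's --home flag.
init_ca() {
  home="${FABRIC_CA_SERVER_HOME:-/etc/hyperledger/fabric-ca-server}"
  mkdir -p "$home"
  write_config "$home/fabric-ca-server-config.yaml"
  rm -f "$home/ca-cert.pem" "$home/ca-key.pem"
  rm -rf "$home/msp"
  fabric-ca-server init -H "$home"
}

# Only act when invoked as "./script.sh init"; sourcing it just defines functions.
if [ "${1:-}" = "init" ]; then
  init_ca
fi
```

Run it as `CSR_SUBJECT_O=MyCompany CSR_HOSTS=ca.example.com,localhost ./render-ca-config.sh init` in the CA container before the server starts. No `-b` is passed to `init` because the registry section is already in the generated file, which matches the behaviour the answer describes. The bootstrap password still arrives through the environment, so handle CA_ADMIN_PASS like any other secret (a Docker or Kubernetes secret rather than a plain `environment:` entry).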