Manage Certificates

This topic contains information about how to manage your network’s certificates.

Typical Workflows to Manage Certificates

Here are the common tasks for managing your network’s certificates.

Adding Organizations to the Network

You must be an administrator to perform these tasks.

Task: Export or prepare an organization's certificates
Description: The organization that wants to join the network either exports or writes its certificates file and gives it to the founder.
More Information: Export Certificates; Create a Fabric Organization's Certificates File; Create an Organization's Third-Party Certificates File

Task: Import member certificates
Description: The founder imports the organization's certificates file to add the organization to the network.
More Information: Import Certificates to Add Organizations to the Network

Task: View certificates
Description: The founder can view and manage the network’s certificates.
More Information: View and Manage Certificates

Revoking Certificates

You must be an administrator to perform these tasks.

Task: Decide which certificates to revoke
Description: View the certificates on your system to determine which ones to revoke to keep the network secure.
More Information: View and Manage Certificates

Task: Select the certificates to revoke
Description: Revoke the certificates in your instance and create the CRL.
More Information: Revoke Certificates

Task: Prepare and distribute the CRL
Description: Export the CRL and send it to the other network organizations, which then import it.
More Information: Export and Import the CRL

Task: Apply the CRL
Description: Apply the CRL to ensure that clients with revoked certificates can’t access channels.
More Information: Apply the CRL

Export Certificates

Founders and participant organizations must import and export certificate JSON files to create the network.

Note the following information:
  • For the founder to add a participant organization to the blockchain network, the participant must export its certificates file and make it available to the founder. The founder then uploads the certificates file to add the participant organization to the network.

  • The certificate export file contains admincerts, cacerts, and tlscacerts.

  • You might need to export certificates for blockchain or application developers. For example, a client application needs the TLS certificate to interact with peers or orderers.

For information about writing certificate files required to add Hyperledger Fabric or Third-Party organizations to the network, see Extend the Network.

  1. Go to the console and select the Network tab.
  2. In the Network tab, go to the Organizations table, locate the member that you want to export certificates for, and click its More Actions button.
  3. Click Export Certificates.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is, you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  4. Specify where to save the file. Click OK to save the certificates file.
  5. Send the certificates JSON file to the founder for import. See Import Certificates to Add Organizations to the Network.

Import Certificates to Add Organizations to the Network

To add an organization to the network, the founder must import a certificates file that was exported or prepared by the organization that wants to join the network.

You can import certificates for the following organization types.
Type: Oracle Blockchain Platform Participant Organization
Description: You can import a participant organization into an Oracle Blockchain Platform network. You upload the certificates that the participant organization exported from the console and sent to you.
For information about creating certificates for upload and a list of the other steps that you need to perform to successfully set up a participant organization on the network, see Export Certificates.

Type: Hyperledger Fabric Organization
Description: You can import a Hyperledger Fabric organization into an Oracle Blockchain Platform network. To successfully upload a Fabric organization’s certificates file, you must modify the certificates file to replace all instances of \n with the newline character.
See Typical Workflow to Join a Fabric Organization to an Oracle Blockchain Platform Network.

Type: Third-Party Certificate Organization
Description: You can import an organization that is using certificates generated from a third-party CA server. To successfully upload a third-party organization’s certificates file, you must modify the certificates file to replace all instances of \n with the newline character.
See Typical Workflow to Join an Organization with Third-Party Certificates to an Oracle Blockchain Platform Network.
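Before a Fabric or third-party organization's certificates file is handed to the founder, it is worth confirming that every literal \n was replaced and that the PEM blocks survived the edit intact, since a malformed file is only discovered when the upload fails. The following Python script is an added example written for this page, not tooling from Oracle Blockchain Platform; it assumes only that the certificates file is a text file with PEM certificates embedded as strings, and the sample content is constructed (the admincerts key mirrors the export file contents listed above, but the layout and the certificate bytes are placeholders, not a real certificate).

```python
import base64
import re
from pathlib import Path

# Literal two-character sequence backslash + n that the console requires to be a real newline.
ESCAPED_NEWLINE = "\\n"

# A PEM certificate block as it should look once the newlines are real.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)\n-----END CERTIFICATE-----"
)

# Constructed sample file content (not a real certificate or Oracle's file layout):
# a stub DER SEQUENCE (0x30 ...) wrapped as PEM, with the newlines still escaped.
SAMPLE_FILE = (
    '{"admincerts": ["-----BEGIN CERTIFICATE-----\\n'
    + base64.b64encode(bytes.fromhex("3003020105")).decode()
    + '\\n-----END CERTIFICATE-----"]}'
)


def normalize_newlines(text: str) -> str:
    """Replace every literal \\n with a newline; text that already has real newlines is unchanged."""
    return text.replace(ESCAPED_NEWLINE, "\n")


def validate_pem_blocks(text: str) -> list[str]:
    """Return problems found in the PEM blocks of text; an empty list means they all look sound.
    Each body must be valid base64 and decode to DER starting with 0x30, the SEQUENCE tag
    every X.509 certificate begins with."""
    problems = []
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        problems.append("no PEM certificate blocks found")
    for index, body in enumerate(bodies, start=1):
        try:
            der = base64.b64decode(body.replace("\n", ""), validate=True)
        except ValueError:
            problems.append(f"block {index}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append(f"block {index}: decoded data is not a DER SEQUENCE")
    return problems


def normalize_certs_file(path: Path) -> list[str]:
    """Rewrite the file with real newlines in place and report any PEM problems found."""
    fixed = normalize_newlines(path.read_text(encoding="utf-8"))
    path.write_text(fixed, encoding="utf-8")
    return validate_pem_blocks(fixed)
```

Running `normalize_certs_file(Path("certs.json"))` on the prepared file and fixing anything it reports gives the founder a file whose certificate blocks are at least structurally intact before the import is attempted.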

You must be an administrator to import certificates.
  1. Go to the console and select the Network tab.
  2. In the Network tab, click Add Organizations. The Add Organizations page is displayed.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is, you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  3. Click Upload Organization Certificates. The File Upload dialog is displayed.
  4. Browse for and select the JSON file containing the certificate information for the organization you want to add to the network. Usually this file is named certs.json. Click Open.
  5. (Optional) Click the plus (+) icon to locate and upload another organization’s certificate information.
  6. Click Add. The organizations that you added are displayed in the Organization table.
    Note the following information for Oracle Blockchain Platform participant, Hyperledger Fabric, and third-party certificate organizations. Even though the founder uploaded the certificate information, the added organization can’t use the ordering service to communicate on the network until it imports the founder’s ordering service settings. The founder must export its ordering service settings and give the resulting file to the joining organizations for import. See one of the following:

What's a Certificate Revocation List?

You use a certificate revocation list (CRL) to help manage the certificates throughout your network.

A CRL is a list of digital certificates that the issuing Certificate Authority (CA) has revoked before their scheduled expiration date and should no longer be trusted and used on the network. For example, you should revoke any certificates that have been lost, stolen, or compromised.

After you use the Manage Certificates functionality to revoke certificates for users, Oracle Blockchain Platform creates the CRL. To ensure that the certificates are revoked throughout the network, you’ll need to:

  • Use the Export CRL functionality to output the CRL file. After you send this CRL to the other members in the network, they must use the Import CRL functionality to import the CRL and update the certificates in their instances. See Revoke Certificates.
  • Use the Apply CRL functionality after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

View and Manage Certificates

Use the console to view and manage the user certificates in your instance and any of the certificates you imported when building the network.

  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    The Certificates Summary dialog is displayed and shows a list of the certificates in your instance.
    Note that the Certificates Summary table will be empty until you add users to your instance. Also, the administrator’s certificate doesn’t display in this table. This is to prevent you from accidentally revoking the administrator’s certificate.
    Organizations with third-party certificates or Hyperledger Fabric organizations with revoked certificates won't display in this table. In such cases, you must use the native Hyperledger Fabric CLI or SDK to import the organization's certificate revocation list (CRL) file.
  3. As needed, perform any of the following tasks:
    • Revoke certificates. See Revoke Certificates.
    • If you’ve revoked certificates and are working in a network with multiple members, then export a CRL and give it to the other members of the network for import into their instances. See Export and Import the CRL.
    • If you’ve revoked certificates and are working in a network with multiple members, then use Apply CRL after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

Revoke Certificates

An organization can revoke certificates for any of its users. To ensure that the network remains secure, you should revoke certificates in case they’re lost, stolen, or compromised.

You must be an administrator to perform this task.
  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    The Certificates Summary dialog is displayed.
  3. In the Certificates Summary dialog, locate and select the IDs of the users that you want to revoke certificates for.
  4. Click Revoke and confirm that you want to permanently revoke certificates for the selected users.
    The users with revoked certificates are displayed in the table and are added to the CRL.
  5. If you’re working in a network with other members, then to ensure that the revoked certificates are cleaned up across the network, you must do the following:
    • Export the CRL and give it to the other members of the network for import into their instances. See Export and Import the CRL.
    • Apply the CRL after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

Export and Import the CRL

If you're working in a network, then you must export and import CRLs as necessary to ensure that users are revoked on all network participant instances.

You must revoke certificates before you can export a CRL. See Revoke Certificates.
You must be an administrator to perform this task.
  1. Go to your console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Export Certificate Revoke List.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is, you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  3. Specify the location where you want to save the CRL JSON file. Click OK.
  4. Send the CRL JSON file to the other members in your network, as required. If you’re a founder, then send the file to all participants in the network. If you’re a participant, then send the file to the founder.
  5. To import the file, go to the Network tab, locate your organization’s ID, and click its More Actions button. Select Import Certificate Revoke List.
  6. In the Import Remote CRL dialog, click Import Remote CRL and browse for and select the CRL JSON file. Click Import.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is, you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  7. If you’re working in a network with multiple members, then apply the CRL after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

Apply the CRL

If you're working in a network, then you must apply the CRL after you join peers to a channel created by another network member. Apply CRL prevents members with revoked certificates from accessing the channel.

You must do the following tasks before applying the CRL:
You must be an administrator to perform this task.
  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    The Certificates Summary dialog is displayed.
  3. Click the Apply CRL button and confirm that you want to apply the CRL.