在生产中使用没有双向TLS的fabric-ca吗? [英] Use fabric-ca without mutual TLS in production?

问题描述

我想知道是否强烈建议不要在生产中使用没有相互TLS的fabric-ca.

I am wondering if it is strongly discouraged to use fabric-ca without mutual TLS in production.

我正计划运行一个光纤网络，在该网络中将自动添加许多对等点，应用程序和用户，并且将不使用加密源工具.

I am planning to operate a fabric network where a lot of peers, applications and users will be added automatically and the cryptogen tool will not be used.

相反，将使用第二个fabric-ca颁发TLS证书.这些证书将用于与MSP fabric-ca和对等方进行客户端身份验证.

Instead a second fabric-ca will be used to issue TLS certificates. Those certificates will be used for client authentication with the MSP fabric-ca and the peers etc.

TLS架构-ca不执行客户端身份验证，因为新用户将具有enrollmentID +秘密但没有客户端证书.

The TLS fabric-ca does not perform client authentication because new users will have enrollmentID+secret but no client certificates.

我在此 UML序列图中说明了注册过程.

I Illustrated the registration process in this UML sequence diagram.

图中的用户"旨在表示同级，应用程序或用户.

The "User" in the diagram is meant to represent peers, applications or users.

推荐答案

除非从带外分发客户端证书，否则您不能要求本应颁发客户端TLS证书的实际CA服务器中的相互/客户端TLS.我想你不想做).对于颁发TLS证书而不要求客户端/双向TLS身份验证的CA来说，这是完全可以的.

You can't require mutual / client TLS from the actual CA server that's supposed to issue the client TLS certificates unless you distribute the client certs out of band (which I assume you don't want to do). It's perfectly fine for the CA which is issuing TLS certificates NOT to require client / mutual TLS authentication.

这篇关于在生产中使用没有双向TLS的fabric-ca吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！