
I am trying to set up a Fabric root CA and an intermediate CA.

The environment is as follows, using the Go language, version 1.7.1.

The Fabric root CA configuration is as follows, with a caconstraint allowing this CA to sign other intermediate certs.

signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 1

Under the CSR section, for the path length:

  csr:
   cn: fabric-root.example.com
   names:
      - C: US
        ST: "North Carolina"
        L: cary
        O: Hyperledger
        OU: Fabric
   hosts:
     - fabric-ca-root.example.com
     - fabric-ca-root
     - fabric-root
   ca:
      expiry: 131400h
      pathlength: 1

I verified the cert for these values using a Go script: https://play.golang.org/p/qoC7PIAmuo0

It has MaxPathLen 1 and MaxPathLenZero false.

But still, when the intermediate CA service is enrolling, I am getting this error from the cfssl library call on the CA server, as below.

2018/02/16 12:19:39 [DEBUG] getUserAttrValue identity=fabric-int-ca-1.example.com, name=hf.IntermediateCA, value=true
2018/02/16 12:19:39 [ERROR] local signer policy disallows issuing CA certificate
2018/02/16 12:19:39 [ERROR] Enrollment failure: Failed signing: {"code":5300,"message":"Policy violation request"}

Please advise if anyone has had a similar issue and found a workaround.

  • you can see the solution in https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/deployguide/cadeploy.html#intermediate-ca-server-fails-to-start – jvea Feb 23 '21 at 12:45
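The question checks the root certificate's Basic Constraints with a Go script and then sees cfssl refuse the intermediate's enrollment. The two things are separate: Go reports an absent pathLenConstraint as MaxPathLen -1, an explicit pathlen 1 as MaxPathLen 1 with MaxPathLenZero false (what the question saw), and an explicit pathlen 0 as MaxPathLen 0 with MaxPathLenZero true; the log line "local signer policy disallows issuing CA certificate" is cfssl's local signer refusing a CA request because the selected signing profile's caconstraint does not have isca set, not a path-length check against the root. The program below is an added example, not the question's script and not Fabric CA or cfssl code: it builds a root with pathlen 1, an intermediate with pathlen 0 and a leaf, inspects the CA certificates the way the question did (from PEM), and then shows what the constraint actually enforces at verification time. The host names peer0.example.com, peer1.example.com and fabric-int-ca-2.example.com, the ECDSA P-256 keys and the validity period are all made up for the example; it needs a current Go toolchain rather than the 1.7.1 mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCertPEM decodes one PEM-encoded certificate so its IsCA, MaxPathLen and
// MaxPathLenZero fields can be inspected, as the question did with its script.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// newTemplate returns a CA template with the given pathlen (pathLen < 0 omits the
// constraint), or an end-entity template when isCA is false. Names are made up.
func newTemplate(cn string, serial int64, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Hyperledger"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		MaxPathLen:            -1, // "unset" unless a CA asks for one below
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		if pathLen >= 0 {
			t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		}
	}
	return t
}

// issue signs tmpl with parent/parentKey (nil parent means self-signed). Note that
// x509.CreateCertificate never consults the parent's pathlen: it will sign a CA one
// level too deep, and only a signer policy or a verifier enforces the constraint.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Result summarises what Demo built and verified.
type Result struct {
	Root, Intermediate *x509.Certificate // re-parsed from PEM, as the question's check did
	LeafOK             bool              // leaf issued by the pathlen-0 intermediate chains to the root
	NestedTooDeep      bool              // leaf issued by a CA under that intermediate fails: TooManyIntermediates
}

// Demo builds root (pathlen 1) -> intermediate (pathlen 0) -> leaf, plus a second CA
// under the intermediate with its own leaf, and verifies both leaves against the root.
func Demo() (Result, error) {
	var r Result
	root, rootKey, err := issue(newTemplate("fabric-root.example.com", 1, true, 1), nil, nil)
	if err != nil { return r, err }
	inter, interKey, err := issue(newTemplate("fabric-int-ca-1.example.com", 2, true, 0), root, rootKey)
	if err != nil { return r, err }
	leaf, _, err := issue(newTemplate("peer0.example.com", 3, false, -1), inter, interKey)
	if err != nil { return r, err }
	inter2, inter2Key, err := issue(newTemplate("fabric-int-ca-2.example.com", 4, true, 0), inter, interKey)
	if err != nil { return r, err }
	leaf2, _, err := issue(newTemplate("peer1.example.com", 5, false, -1), inter2, inter2Key)
	if err != nil { return r, err }
	toPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	if r.Root, err = ParseCertPEM(toPEM(root)); err != nil { return r, err }
	if r.Intermediate, err = ParseCertPEM(toPEM(inter)); err != nil { return r, err }
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	inters.AddCert(inter2)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters}
	_, err = leaf.Verify(opts)
	r.LeafOK = err == nil
	_, err = leaf2.Verify(opts) // root -> inter -> inter2 -> leaf2 puts two CAs below the root
	cie, ok := err.(x509.CertificateInvalidError)
	r.NestedTooDeep = ok && cie.Reason == x509.TooManyIntermediates
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("root pathlen=%d zero=%v, intermediate pathlen=%d zero=%v, leafOK=%v, nestedTooDeep=%v, err=%v\n",
		r.Root.MaxPathLen, r.Root.MaxPathLenZero, r.Intermediate.MaxPathLen, r.Intermediate.MaxPathLenZero, r.LeafOK, r.NestedTooDeep, err)
}
```

The second CA is signed without complaint, which is the point: a root pathlen of 1 does not stop anyone holding the intermediate's key from issuing another CA, it only makes verifiers reject what that extra CA issues. What stops the request at issuance time is the signer's policy, which in Fabric CA is the cfssl profile the enrollment selects.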

2 Answers


I found the issue. It was the configuration in the intermediate CA that caused it: in the intermediate section, under profile, I did not provide ca as defined in the root CA.

profiles:
  ca:
    usage:
      - cert sign
    expiry: 43800h
    caconstraint:
      isca: true
      maxpathlen: 1

intermediate:
  parentserver:
    url: https://fabric-ca-root.example.com:7054
    caname: fabric-root.example.com

  enrollment:
    hosts:
      - fabric-int-ca-1.example.com
      - fabric-int-ca-1
      - fabric-int-ca
    profile: ca

In my case, I've just set maxpathlen and pathlength to 0.