Help Center/ Blockchain Service/ User Guide (ME-Abu Dhabi Region)/ FAQs/ BCS FAQs/ Instance Management/ Service Usage/ How Can I Obtain Private Keys and Certificates for Enhanced Hyperledger Fabric Blockchains?
Updated on 2023-03-02 GMT+08:00

How Can I Obtain Private Keys and Certificates for Enhanced Hyperledger Fabric Blockchains?

Download the private keys and certificates on the BCS console or generate them using OpenSSL.

  • To obtain the private key and certificate of a single user, download them on the BCS console.
    1. Log in to the BCS console.
    2. In the navigation pane on the left, click Instance Management. Click the Enhanced Hyperledger Fabric tab and click an instance to view its details.
    3. In the Blockchain Organizations area, click to download the user certificate.

    4. Decompress the downloaded user certificate. The msp folder contains the user private key (keystore) and certificate (signcerts), as shown in the following figure.
      Figure 1 File directory
  • To generate the private keys and certificates of multiple users, use OpenSSL.
    1. Download the CA certificates and private keys.
      1. Log in to the BCS console.
      2. In the navigation pane on the left, click Instance Management. Click the Enhanced Hyperledger Fabric tab and click an instance to view its details.
      3. In the Blockchain Organizations area, click to download the CA certificate.

      4. Decompress the downloaded CA certificate to obtain the following files:
        Figure 2 Decompressed files
    2. Generate a new ECC private key.
      1. Generate a private key with prime256v1.
        openssl ecparam -name prime256v1 -genkey -out user-key_.pem
      2. Convert the key format to PKCS#8.
        openssl pkcs8 -topk8 -nocrypt -in user-key_.pem -out user-key
    3. Generate a certificate request file.
      openssl req -new -key user-key -out user-csr.pem
    4. CA issues the certificate.
      openssl x509 -req -in user-csr.pem -out user-cert.pem -CA ca.organization-cert.pem -CAkey organization_sk -CAcreateserial -days 3650
    5. A CA-signed certificate file is user-cert.pem, and the corresponding private key is user-key.