1. Using Oracle Blockchain Platform
  2. Manage the Organization and Network
  3. Manage Certificates

Manage Certificates

This topic contains information about how to manage your network’s certificates, including how to import and export certificates to set up your blockchain network, and how to manage and revoke certificates.

Typical Workflows to Manage Certificates

Here are the common tasks for managing your network’s certificates.

Adding Organizations to the Network

You must be an administrator to perform these tasks.

Task Description More Information
Export or prepare an organization's certificates The organization that wants to join the network either outputs or writes its certificates file and gives it to the founder.

Export Certificates
Import member certificates The founder imports the organization's certificates file to add the organization to the network. Import Certificates to Add Organizations to the Network
View certificates The founder can view and manage the network’s certificates. View and Manage Certificates

Revoking Certificates

You must be an administrator to perform these tasks.

Task Description More Information
Decide which certificates to revoke View the certificates on your system to determine which ones to revoke to keep the network secure. View and Manage Certificates
Select the certificates to revoke Revoke the certificates in your CA. Revoke Certificates
Apply CRL Generates and applies an updated CRL to ensure that clients with revoked certificates can’t access channels. Apply the CRL

Export Certificates

Founders and participant organizations must import and export certificate JSON files to create the network.

Note the following information:

  • For the founder to add a participant organization to the blockchain network, the participant must export its certificates file and make it available to the founder. The founder then uploads the certificates file to add the participant organization to the network.

  • The certificate export file contains admincerts, cacerts, and tlscacerts.

  • You might need to export certificates for blockchain or application developers. For example, a client application needs the TLS certificate to interact with peers or orderers.

For information about writing certificate files required to add Hyperledger Fabric or Third-Party organizations to the network, see Extend the Network.

  1. Go to the console and select the Network tab.
  2. In the Network tab, go to the Organizations table, locate the member that you want to export certificates for, and click its More Actions button.
  3. Click Export Certificates.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  4. Specify where to save the file. Click OK to save the certificates file.
  5. Send the certificates JSON file to the founder for import. See Import Certificates to Add Organizations to the Network.

Import Certificates to Add Organizations to the Network

To add an organization to the network, the founder must import a certificates file that was exported or prepared by the organization that wants to join the network.

You can import certificates for the following organization types.
Type Description
Oracle Blockchain Platform Participant Organization You can import a participant organization into a Oracle Blockchain Platform network. You upload the certificates that the participant organization exported from the console and sent to you.

For information about creating certificates for upload and a list of the other steps that you need to perform to successfully set up a participant organization on the network, see Join the Participant or Scaled-Out OSNs to the Founder's Ordering Service.

You must be an administrator to import certificates.
  1. Go to the console and select the Network tab.
  2. In the Network tab, click Add Organizations. The Add Organizations page is displayed.
    Note that files exported by the console and REST APIs are only compatible for import with the same component. That is you can't successfully use the REST API to import an export file created with the console. Likewise, you can't successfully use the console to import an export file created with the REST API.
  3. Click Upload Organization Certificates. The File Upload dialog is displayed.
  4. Browse for and select the JSON file containing the certificate information for the organization you want to add to the network. Usually this file is named certs.json. Click Open.
  5. (Optional) Click the plus (+) icon to locate and upload another organization’s certificate information.
  6. Click Add. The organizations that you added are displayed in the Organization table.
    Note the following information for Oracle Blockchain Platform participant and Hyperledger Fabric organizations. Even though the founder uploaded the certificate information, the added organization can’t use the ordering service to communicate on the network until it imports the founder’s ordering service settings. The founder must export its ordering service settings and give the resulting file to the joining organizations for import. See one of the following:

What's a Certificate Revocation List?

You use a certificate revocation list (CRL) to help manage the certificates throughout your network.

A CRL is a list of digital certificates that the issuing Certificate Authority (CA) has revoked before their scheduled expiration date and should no longer be trusted and used on the network. For example, you should revoke any certificates that have been lost, stolen, or compromised.

After you use the Manage Certificates functionality to revoke certificates for users, Oracle Blockchain Platform creates the CRL. To ensure that the certificates are revoked throughout the network, you’ll need to:

  • Use the Apply CRL functionality after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

View and Manage Certificates

Use the console to view and manage the user certificates in your instance and any of the certificates you imported when building the network.

  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    Note that the Certificate Summary table will be empty until you add users to your instance. Also, the administrator’s certificate doesn’t display in this table. This is to prevent you from accidentally revoking the administrator’s certificate.
    Hyperledger Fabric organizations with revoked certificates won't display in this table. In such cases, you must use the native Hyperledger Fabric CLI or SDK to import the organization's certificate revocation list (CRL) file.
    The Certificates Summary dialog is displayed and shows a list of the certificates in your instance.
  3. As needed, perform any of the following tasks:
    • Revoke certificates. See Revoke Certificates.
    • If you’ve revoked certificates and are working in a network with multiple members, then use Apply CRL after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

Revoke Certificates

An organization can revoke certificates for any of its users. To ensure that the network remains secure, you should revoke certificates in case they’re lost, stolen, or compromised.

You must be an administrator to perform this task.
  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    The Certificates Summary dialog is displayed.
  3. In the Certificates Summary dialog, locate and select the IDs of the users that you want to revoke certificates for.
  4. Click Revoke and confirm that you want to permanently revoke certificates for the selected users.
    The users with revoked certificate display in the table and are added to the CRL.
  5. If you’re working in a network with other members, then to ensure that their revoked certificates are cleaned up across the network, you must do the following:
    • If you’re working in a network with multiple members, then apply the CRL after you join peers to a channel created by another network member. Apply CRL prevents clients with revoked certificates from accessing the channel. See Apply the CRL.

Apply the CRL

If you're working in a network, then you must apply the CRL after you join peers to a channel created by another network member. Apply CRL prevents members with revoked certificates from accessing the channel.

You must do the following tasks before applying the CRL:
You must be an administrator to perform this task.
  1. Go to the console and select the Network tab.
  2. In the Network tab, locate your organization’s ID and click its More Actions button. Select Manage Client Certificates.
    The Certificates Summary dialog is displayed.
  3. Click the Apply CRL button and confirm that you want to apply the CRL.