I want to override this section of the fabric-ca-server-config.yaml file with environment variables:
csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - host1.example.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1
For example I know that:
FABRIC_CA_SERVER_CSR_CN=fabric-ca-server
is equivalent to csr.cn
but
csr.names??
csr.host??
Could it be?:
FABRIC_CA_SERVER_CSR_NAMES=C:US,ST:"North Carolina",L:,O:Hyperledger,OU:Fabric
Regards
TL;DR: You can't override the CSR with env. variables, but you can customize the CSR in the config file.
Long answer:
There are two issues going on here:
1) The error you are getting states that the configuration is looking for a map (which is how it is formatted in the fabric-ca-server-config.yaml file).
To create a map in a bash script variable, you need to declare the associative array:
declare -A FABRIC_CA_SERVER_CSR_NAMES=( \
    [C]="US" \
    [ST]="Texas" \
    [L]="" \
    [O]="TangoJLabs" \
    [OU]="testenvvar" \
)
export FABRIC_CA_SERVER_CSR_NAMES
echo "${FABRIC_CA_SERVER_CSR_NAMES[OU]}"
2) However, environment variables can only be strings, so it does not appear possible to override the configuration CSR settings with environment variables. Something like FABRIC_CA_SERVER_CSR_NAMES_OU will not work because names: is a map, so there could be multiple OU entries.
The docs state:
If custom values for the CSR are required, you may customize the configuration file, delete the files specified by the ca.certfile and ca.keyfile configuration items, and then run the fabric-ca-server init -b admin:adminpw command again.
So, what I typically do is just create a minimal config file and copy it over to the CA container before running init. This seems to be enough (with the other sections taking default values):
registry:
  maxenrollments: -1
  identities:
    - name: mycompany-admin-ca
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
affiliations:
  mycompany: []
csr:
  cn: mycompany-ca
  names:
    - C: US
      ST: Texas
      L:
      O: MyCompany
      OU: client
  hosts:
    - mycompany-ca
  ca:
    expiry: 131400h
    pathlength: 1
For some reason, if you include a custom fabric-ca-server-config.yaml file but exclude the registry: section, it does not register a bootstrap user, even if you use the command line -b option. So, if you include that registry: section, you therefore don't need the -b option when you run init.
You might also want to include the ca: section, since you can force the created certificate to be saved to your custom name:
ca:
  name: mycompany-ca
  keyfile: /etc/hyperledger/fabric-ca-server/mycompany-ca-cert.key
  certfile: /etc/hyperledger/fabric-ca-server/mycompany-ca-cert.pem
  chainfile:
Also, before running init I would clean up your home directory - sometimes the default ca-cert.pem (and key) already exist and are not replaced:
rm "$FABRIC_CA_SERVER_HOME/ca-cert.pem"
rm -R "$FABRIC_CA_SERVER_HOME/msp"
Of course, after running init your key will be saved in the msp directory tree under:
msp
└── keystore
    ├── {...}_sk
I typically move it to the home directory and rename it for convenience:
cp "$FABRIC_CA_SERVER_HOME"/msp/keystore/*_sk "$FABRIC_CA_SERVER_HOME/mycompany-ca-cert.key"
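Since the csr.names map and csr.hosts list cannot be carried in FABRIC_CA_SERVER_* variables, the config file itself has to be generated. The following added example (not from the question, the answer, or Fabric CA) renders the csr block of fabric-ca-server-config.yaml from flat strings such as container environment variables; the CA_CSR_* names are assumptions of this script, not variables the server reads.

```python
# Added example: render the csr: block of fabric-ca-server-config.yaml from flat
# strings, because csr.names (a map inside a list) and csr.hosts (a list) cannot
# be expressed as FABRIC_CA_SERVER_* variables. CA_CSR_* are names assumed here.
import json
import os

def parse_kv_list(spec):
    """'C=US,ST=North Carolina,L=' -> [('C', 'US'), ('ST', 'North Carolina'), ('L', '')]."""
    pairs, seen = [], set()
    for item in filter(None, (p.strip() for p in spec.split(","))):
        key, sep, value = item.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"bad entry {item!r}; expected KEY=value")
        if key in seen:  # a YAML map cannot hold the same key twice
            raise ValueError(f"duplicate key {key!r}")
        seen.add(key)
        pairs.append((key, value.strip()))
    return pairs

def render_csr(cn, names, hosts, expiry="131400h", pathlength=1):
    """Return the csr: section as YAML text. Scalars are written as JSON string
    literals, which YAML reads as double-quoted scalars, so spaces in values are safe."""
    q = json.dumps
    lines = ["csr:", f"  cn: {q(cn)}", "  names:"]
    # names is a list holding one map: "- " before the first key, then aligned keys
    for i, (key, value) in enumerate(names):
        lines.append(f"    {'- ' if i == 0 else '  '}{key}: {q(value)}")
    lines.append("  hosts:")
    lines.extend(f"    - {q(h.strip())}" for h in hosts if h.strip())
    lines += ["  ca:", f"    expiry: {q(expiry)}", f"    pathlength: {int(pathlength)}"]
    return "\n".join(lines) + "\n"

def csr_from_env(env=os.environ):
    """Defaults reproduce the csr block quoted in the question."""
    return render_csr(
        cn=env.get("CA_CSR_CN", "fabric-ca-server"),
        names=parse_kv_list(env.get("CA_CSR_NAMES", "C=US,ST=North Carolina,L=,O=Hyperledger,OU=Fabric")),
        hosts=env.get("CA_CSR_HOSTS", "host1.example.com,localhost").split(","),
    )

if __name__ == "__main__":
    # Write the block into the CA home before running `fabric-ca-server init`
    with open("fabric-ca-server-config.yaml", "w") as f:
        f.write(csr_from_env())
```

Combine the output with the registry and ca sections shown above and remove the old ca-cert.pem and msp directory before init, as the answer describes.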