Tags: hyperledger-fabric, hyperledger-fabric-ca

Hyperledger fabric create private key offline


What I see from the Hyperledger Fabric CA setup and user registration is that, when I enroll the user, the private key is generated on the server side together with the certificate, after which the CA signs it and the user gets the certificate with the private key. Generating the user's private key on the server side is a security issue. Is there a way I can create the private key offline and then generate the certificate? Correct me if I am wrong.


Solution

The private key is generated by the client instead of the CA. When enrollment is called by the client (either the Hyperledger Fabric SDK or the fabric-ca-client command), it will automatically:

1. Generate the key pair of private key and public key.
2. Use the key pair to generate a certificate signing request (CSR).
3. Send the CSR, enrollment ID, enrollment secret and other attributes to the CA to enroll the secret.

The CA will then return a signed certificate to the client.

As the private key is generated and stored by the client, there is no such security issue of leaking the private key when the certificate is signed online.

You may take a look at the official Hyperledger Fabric documentation and the Wikipedia article about PKI for the detailed process of certificate signing.