Page tree
Skip to end of metadata
Go to start of metadata


Reviewed the Vault Transit Engine for signing Fabric transactions.  Vault keeps the private key internally for users. 

The Vault Transit engine provides a numeric token to the user, and node.js uses the token to access Vault services, such as signing a CSR.

The steps for using Vault Transit with Fabric are:

  1. A new X509Provider is set up in Fabric.  
  2. A private key is created in Vault Transit Engine
  3. Vault generates a CSR
  4. Fabric enrolls user with the CSR from Vault
  5. A X509 certificate is then stored in the filesystem for Fabric to use
  6. Requests are signed with the X509 certificate

Reviewed the Chrome extension for signing Fabric requests, but it in fact goes to the Fabric server for security credentials, so it does not do client side security.  It is just UI that we could use later.

Our plan at this point is:

  1. In Fabric, support taking a CSR, registering a user with it, and signing requests with the X509 certificate from the CSR
  2. Support CSR's from Vault Transit Engine, command line example, or a client app which is responsible for private keys and then provides CSR for them to Fabric.

Pritam Singhwill work on creating a pull request for Fabri for some of his changes and then modifying the typescript app to accept identities.

Bertrand Riouxwill work on changes to the typescript app to enroll user and then clients to connect to the typescript app to sign Fabric requests while keeping private keys offline.



Hyperledger is committed to creating a safe and welcoming

community for all. For more information

please visit the Hyperledger Code of Conduct.


Dial-In Information:  [ZOOM]

You can join either from your computer or from your phone:

  • No labels


  1. Pritam Singh Bertrand RiouxGood call today.  Our next step should be to show a sequence which looks like a real application, putting a lot of the manual configuration steps into typescript api calls.  I think it should work like this:

    For the Vault Transit Engine HSM:

    1. Vault creates a new user with their private key
    2. Get a Vault token for the admin
    3. Use the admin user's token to register the new user's CSR as an X509 certificate in Fabric
    4. Get a Vault token for the new user
    5. Sign a request from new user to Fabric 

    For the offline signing, it should support similar steps but imagine a programmatic execution, ie an iot device which is sending data to Fabric:

    1. From command line, generate a CSR for the new user
    2. Register the new user in Fabric
    3. Sign request from new user to Fabric

    Does this look correct?

  2. Yes Si Chen sounds good . Will share full sequence diagram for Vault Transit in this thread.  

    1. Thanks Pritam Singh
      I suggest using to create UML sequence diagrams. It would be great to create a new directory `utility-emissions-channel/docs` to publish all the sequence diagrams. It's always a good practice to have the documentation close to the code.

  3.  Si Chen Robin Klemens Bertrand Rioux Peter Somogyvari Kamlesh Nagware

    I have created a README containing sequence diagram explaining vault and client side signing approach . Please have a look at it and do suggest some improvements .

    Here :

    1. Pritam SinghWhy does it say "internally data will be sent to Vault for signing" and "internally data will be sent to client's extension...for signing"?

      Does each transaction need to be signed by the client or by the vault?

      If so what are the exact steps for Vault to sign?

      1. sorry about wording. `internally` means `fabric-sdk-node` package will use sign() function internally to send msg either to vault or client-extension for signing. Instead writing that note I can also show how `fabric-sdk-node` will sign msg by making use of vault or client extension. But this will make the diagram more technical.

        BTW : I have opened a PR to `fabric-sdk-node` :

        1. That's fine.  Then what happens with Vault?  Does the user have to sign each transaction?  If so, how?

          1. Included interaction with vault also.

            NOTE : terms used for the internal operation might not match with actual terminology used in fabric community. This is just for explaining how vault will be used internally  

            1. So each time you contact Vault for a signature, are you using the token Vault has issued at the beginning?  Would the user enter the token each time, or would the node application store it during the session?

  4. No, user have to pass the token only once (during a API is called) and for each interaction with vault, node process will use the passed token.