Alright, okay. So a small introduction. My name is Pavan and currently I'm working as a blockchain lead at Paramount. Currently I'm responsible for converting the functional requirements into a technical spec. So, what are the different kinds of certificates we have? It's not exactly kinds of certificate, but we segregate these certificates as enrollment and TLS. So what exactly is the difference between them? When we create any kind of network, the first step is that we require the certificates. The first certificate is the enrollment, the second is the TLS. What is the purpose of each of them? The enrollment certificate, or sometimes we call it the digital certificate, we use for signing the transactions. So let's consider it in terms of the peers endorsing the transaction: for creating the endorsement we require the certificate, so each peer should have a public key, a private key and the certificate. Those are the enrollment certificates. Even for installing a new user in Fabric, we require a certificate. So generally there is some procedure: first is the registration, second is the enrollment. In the enrollment process internally we get this enrollment certificate. The second one is the TLS certificate. This TLS certificate is used for transport layer security, to make secure communication between the different kinds of parties. So, let's see the configuration file of the certificate authority. The first step in the Fabric network is creating the certificate authority, because without a certificate authority we cannot have any kind of network, because the certificate authority is responsible for creating the certificates for all the participants in the network. So let's consider we have a three-organization network.
So in this repo I have a three-organization network and each organization has one peer, that is the endorsing peer, three orderers in the orderer organization, and each organization has a dedicated certificate authority. This is the configuration file for the certificate authority. You can see here the default is the digital signature, that is how the enrollment certificate generally gets created, and this is the expiry, 8760 hours, it means one year. So the default expiry for the enrollment certificate is one year. And there are two profiles, TLS and CA. The CA profile is used for enrolling the CA, I mean creating the certificate for the intermediate certificate authority, and by default it has 43800 hours, it means five years. So whatever the intermediate certificate authority certificate, it will have an expiry of five years by default. And the next section is the TLS certificate. Let me know in case you're not able to see my font, or if you want me to increase it. Yeah. No, it's good. Okay, cool. So this is the TLS section and this is the digital signature. The digital signature is the enrollment certificate, generally called the digital certificate as well. So, using this configuration, whenever we're enrolling any kind of user the default expiry time is one year, and the same for the TLS certificate. There is a possibility that we can have a separate intermediate CA, and in the intermediate CA we will have this kind of configuration with this expiry time, so it's totally customizable, it depends on you. But it is recommended to have one year by default. And before the expiration of the certificate you have to re-enroll the certificate and renew it. If we miss that then there is a really complex procedure to rotate the certificate.
So, in this session we are going to see both of the approaches: in case you want to renew the certificate before the expiration, or somehow the production network has got expired and you want to just recover the network from the last point. Because once the certificate has expired we cannot invoke any kind of transaction, it will give us an error, because both of the certificates have expired, that is the digital certificate and the TLS certificate. This is the section which is responsible for creating that one-year expiry. Okay, so let's come to the next part. What is the procedure for creating the certificate? You can see the admin of the organization, that is the certificate authority admin, is responsible for registering the new user or any kind of participant with the certificate authority. This is the certificate authority for that organization. So let's consider we're talking about organization one. The organization one admin will create a registration request and let the CA know, I want to register this user, ABC is the user. In the registration process, either the admin can pass one secret, or if he's not passing one then the certificate authority returns one secret by default, actually just a randomly generated key; every time we register, it gets generated and returned to the admin. So using this secret, what the admin of the organization does is he just passes the secret to the end user. It is the end user's responsibility to create the public and the private key, and using the CSR and the enrollment ID he can create a certificate signing request and send it to the same certificate authority. Again the certificate authority creates the certificate for this user, there are some validations of course, and the certificate authority sends the certificate back to the user. So this is the process where the end user gets the certificate.
It doesn't matter if it is the peer or orderer or any other, because there are four node organizational units in Hyperledger Fabric. First one is the orderer. Second one is the peer. Third one is the client. And there is one more. Okay, so this is the process for creating the certificate. So how exactly does the certificate authority know, and how does it generally get created? Let's see the flow. First, whenever the end user sends the CSR to the certificate authority, the certificate authority just collects the information from the CSR. Let's consider this is the user having this information. In the CSR generally this user will send only the private key, sorry, sorry, sends only the public key, because private keys are always confidential, no one should share them with each other. So in the CSR, generally, this user sends the public key, and there is the certificate authority information. In this above section you can see what the certificate authority does: it just creates a hash of this above information, encrypts this hash with the certificate authority's own private key and puts it as a digital signature at the bottom of the certificate. So this is the certificate creation process. Now, if I have the certificate, how can I validate whether this is an authentic certificate or not? I can do the same procedure here: I can just get the hash of the above information, okay, yes, we got this hash. And again, in this information we have the certificate authority's public key as well. Using that public key I can just decrypt this digital signature and I will get one hash; if both of these hashes are equal it means that the certificate is valid and it's not tampered. And if we trust this certificate authority's public key it means the certificate is valid. So this is the procedure. It's not only in Hyperledger Fabric but everywhere it gets applied, even in the HTTPS protocol.
Exactly the same procedure happens in the browser: we will have the list of already authenticated certificate authorities and it just validates against that. This is the procedure. Let's talk about the network topology, what kind of network topology we're going to have in this session. In the repo I'm using right now I have three peer organizations. This is organization one, organization two and organization three, these are the peer organizations. Each organization has one endorsing peer: peer zero is the endorsing peer for organization one, peer zero for organization two and respectively for organization three. And if it is the endorsing peer then we have to have the smart contract, right, so it has the ledger and the smart contract in these peers, and all the organizations have a dedicated certificate authority, organization one, two, three, and finally in the orderer organization as well we have three orderers and one certificate authority. So this is the network topology we are going to use. Okay, so first step, how to create a network. You might already be aware of how we can create the Hyperledger Fabric network from scratch. First of all, we have to have the certificate authority for all the organizations. Using the certificate authority we will create the crypto material for all the participants in the organization in the respective CA. Once we have created the crypto materials, using this crypto material we can create the channel artifacts like the genesis block or the channel transaction file. Once we have the channel artifacts, we can run all the services, which are the peers, the orderers, CouchDB in case we're using CouchDB as the state database; we have to run the services. After running the services we have to create the channel. Once we create the channel we can deploy the chaincode.
After deploying the chaincode, whatever business logic we have, we can invoke the transactions, query the transactions, and in this way our network will be up and running, so we can just verify all the steps. Once we have this running network, what is the next step? Let's consider by default the expiration time for the certificate is one year and somehow you are about to reach that expiration; so what is the procedure to renew the certificate? Because for the peer and the orderer we have to renew the certificate, otherwise we will face some kind of expiration errors. And even in the transaction flow the endorsing peer won't be able to endorse any kind of transaction because the certificates have expired. So what are the different steps involved to renew the certificate? Let's consider our certificates are not yet expired, they're about to expire, maybe in a couple of weeks they're going to expire; how can we renew the certificate? First we have to create all the new certificates. Again it contains the TLS and the enrollment certificate. This is the first step. So how many components are there? Actually, whatever components in Hyperledger Fabric are going to expire, we have to renew the certificate for them. For renewing the certificate we have one script, let me show you that. Okay. This is the script actually I have already written. Within one hour it's not possible to run each and every step, so I have already recorded a video on this, but I will be giving you more details on how we can rotate the certificate, and we have to be very careful while executing each and every step. So let's consider we want to renew the certificate for the first organization. What is the procedure? In the organization there are some entities, the first one is the user, the second is the peers.
Okay, so these are the entities whose certificates are going to expire. We have to enroll the certificate using this command and we will get a new certificate along with a new public and private key. In case you're re-enrolling the identity then we can use the existing private key and public key itself, but generally what happens is rotation is fine, but sometimes the certificate expires or the certificate gets compromised as well. In that case we cannot re-enroll, because if the private key gets compromised then we have to enroll again so that with the new public key and private key we can get the certificate. So using this we are getting the enrollment certificate first, and later on we are creating the TLS certificate as well. Here we are just passing the TLS profile, I mean enrollment profile equal to TLS. This will create the TLS certificate. For all the other organizations we have exactly the same thing, because as per the network topology we have one peer only; in case you have multiple peers then you have to do it accordingly, you have to change this script. For organization two and organization three it is the same, and for the orderer organization we have three orderers, right. In that case we have to create the enrollment certificate and the TLS certificate for all the three orderers. This is for orderer two and this is for orderer three. So this is the certificate creation and that is the first step. Now what is the next step? There will be some kind of downtime for replacing the MSP. When we run this script we get this kind of folder here, let me just show you. Okay, in this new certificate folder all the certificates will get created according to your network. You have to change your script as well in case you have something different, like more organizations or more peers or more orderers. Okay, you can see these are the certificates.
We have only one peer, so let's consider organization three. This is the private key and this is the certificate for this peer which we have newly created. Okay, so this is for the peer. There is a TLS certificate as well, you can see server.crt, server.key and ca.crt. So using this script we have created the enrollment certificate as well as the TLS certificate; you can just go through this script later on. This is the step actually, and what is the next step we have to follow? We have to replace the MSP. While running our services we have just mapped some of the folders, right, so let's consider the orderer. This is the orderer service and we have mapped volumes for the certificates, you can see MSP and TLS, both of the folders we have already mapped. What we have to do is, first of all, we can just change this MSP folder. Okay, so just replace the MSP folder and restart the services; we have to do it for all the peers and all the orderers. So this is the first step. Now, changing the TLS certificate is not straightforward like replacing the MSP folder. It has some twist actually, because while creating the genesis block or the channel transaction file we add those TLS certificates for the orderers into the configuration block, so we have to do the configuration update there. You can see here, the next step is the configuration update. Whatever orderers we have, we can do this configuration update one orderer at a time only, so in our case we have three orderers, it means we have to do this configuration update three times. And another thing, in case you have more channels: right now I'm using Fabric version 2.2.1, I have one system channel and one application channel, it means in both of the channels we have to do the configuration update.
So for orderer one we have to do two configuration updates because I have two channels; in your case if you have maybe three or four channels then you have to do it that number of times. For orderer one two times, for orderer two two times, for orderer three two times, it means a total of six configuration updates we require in this whole flow to make it work. In this step, the configuration update, once we have successfully done this update we have to restart the orderer. After we are done with orderer one, just do the same procedure for orderer two; once we are done with orderer two we have to do it for orderer three as well. Okay. Another thing, let me show you how exactly that script looks like for the configuration update. The first step is fetching the configuration. It's not straightforward like just replacing the MSP of any component, because those TLS certificates are available in the configuration block. So the first step, we have to fetch the configuration block for that particular channel. Currently I'm doing it for the system channel, you can see here. This is the system channel, and we are fetching the configuration block. Once we get this block we can decode this configuration block using the configtxlator tool. Decoding in the sense that it's in protobuf format, and we decode the config block to a JSON file, you can see config.json. Let me show you the sample block, I have already extracted it. This is the channel configuration block. It has all the information, policies and everything. And at the bottom you can see we have the TLS certificates of the orderers in this section, consensus type and metadata, and these are the consenters.
In my network we have three consenters, orderer one, orderer two and orderer three. And these are the TLS certificates which we have to replace; within one request we cannot do it, we have some constraint. So one by one we have to do it. First in the system channel just replace this client TLS certificate and the server TLS certificate. Okay. Once we are done with this, here, you can see in the decoded configuration block we just replace the TLS certificate. In the renew-certificate step we have created the TLS certificate for the orderer as well, right; whatever new certificate we have created in the new certificate folder, we have to add that certificate. First we have to encode that certificate, I mean using base64 we have to convert it. Once we have converted it, you can see, okay, here. Using configtxlator again we have to encode this config.json and the modified configuration block. What is the modified configuration block? It is just adding this TLS certificate in the bottom section of this config.json file. This modified config block is nothing but updating this section, client TLS cert and server TLS cert. You can automate this script as well; I have just decoded it and added it manually, but you can automate this procedure. Once we convert this modified configuration block into protobuf format, using configtxlator we have to compute the update using both of the blocks. Okay, so this is the procedure for any kind of standard configuration update throughout the whole of Fabric, generally we do this kind of configuration update only. Okay, so again decode, add some kind of wrapper, and finally we have to send this to the orderer. This is the configuration update transaction, it gets added and succeeds, once we are done with this system channel.
Immediately we have to do it for the application channel as well, the same procedure, the only difference is the name of the channel. Yeah, here, channel name, we are doing it here for mychannel, that is the application channel. Okay, after doing these two steps we have to restart orderer one with the latest TLS certificate, because in the orderer's docker-compose file you can see we have the TLS certificate as well, right here. Now, before restarting we have to replace this TLS certificate as well. This is newly created, and the orderer configuration block already has this latest TLS certificate which we have created. Again here as well we have to replace those certificates and just restart orderer one. This step we have to do three times because I have three orderers; for each orderer we have to do it. And another thing, I have two channels, one is the system channel and another is the application channel; in case you have more than one application channel then we have to do this configuration update that number of times. Let's consider one scenario, we have one system channel and three application channels. In that case we have to do four configuration updates for one orderer. So if we have three orderers then twelve times we have to do the configuration update. And another thing, make sure you are doing this very carefully, because if you're missing one step then it can spoil your whole day. Just do this exercise maybe a couple of times earlier on your local machine before doing it on production, or maybe you can replicate that production scenario on your local machine and just try to run all the scripts one by one carefully. So this is straightforward if we don't have an expired network. But another thing:
What if you have an expired network, where all the certificates have already expired? Because sometimes we renew the certificate after one year, and our network will not be up and running, they will not be communicating with each other because the TLS certificates have expired, and even the digital certificates have also expired. That is a little more complex procedure compared to the previous one. Okay. So I have created one YouTube video for replicating both of the steps: the first one is renewing the certificates without expired certificates, and renewing the certificates for expired certificates as well, these two steps. There are some additional things we have to do in case the network is expired. Once the network is expired you won't be able to invoke any kind of transaction, so for that we have to add some kind of environment variable in the orderer to do some kind of time shift. Again the procedure is exactly the same, only some differences are there. Let's consider your network is already expired. What are the steps? The first one is creating all the certificates, that is the enrollment certificate, the second one is the TLS certificate, what we have done in the previous section. The next one is updating the environment for the orderers. What is this, let me show you in the docker-compose file. Our network is not running, then how can we do the configuration update? Because for doing the configuration update we require valid certificates and all, right, for the orderer. There is a hack kind of, I mean maybe we can say there is a privilege the community has already made. These are the three flags actually: ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT, second is ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT, and the third one is ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS equal to true. So let's consider your network expired yesterday.
In that case we have to shift our time by that particular number of hours. In this case I have done this time shift by 200 hours, but it is not required; in case your network expired yesterday then we can make it like 48 hours or something, and these flags are responsible for making this time shift for the TLS handshake. And another one: generally the certificate expiration check also happens, so we set one flag, that is the no expiration check; it will not check the expiration of the certificate if we're making this true. It means if we are setting these variables we don't need to worry, we can just do the transaction with the orderer because the orderer will just not check the expiration of the certificate. The second one, TLS handshake time shift, just shifts the time by that particular number of hours, whatever we're passing here. So we have to add these three environment variables in the orderer and restart the ordering service. After restarting the ordering service, all the three orderers, now we can do the same steps which we have done in the previous section, replacing the MSP and restarting the other services again. The next one is the configuration update for each orderer. Again the procedure is almost exactly the same. There is only one difference: in case your network is expired we have to add these three environment variables in the orderer, and we have three orderers, then we have to do it for all the three orderers one by one. We cannot do this configuration update for all the orderers at the same time. So make sure you are doing only one at a time; in case you have five or seven then you have to do one at a time, and for the system channel and application channels, whatever orderers you have, whatever channels you have, you can just multiply and you can get the number of how many times you have to do this configuration update.
Okay, another thing, the configuration update I was talking about, right, this is the general flow, how exactly it happens. First of all we have to get the configuration block from the channel, which we generally get in protobuf format. From that full block we just take some specific part. First we convert that into JSON format and get config.json; there is some kind of wrapper that we just remove and later we'll add again, extracting that configuration JSON block. Next we modify it; modify means we are just adding the TLS certificate of the orderer in this. Then we have to again convert this modified one into protobuf format because of the configtxlator tool; we use this configtxlator tool to compute the update or encode or decode. Using this protobuf format we can compute the update and finally we get the updated protobuf block. In this step we have to again add that wrapper to the update, the updated JSON format, and finally convert it into protobuf format, and at the last stage we send this transaction finally to the orderer. This is the configuration update flow, generally we follow the same style in the project. Okay, so another thing here. One flag is there, TLS handshake time shift. This flag you have to provide only if your network is expired, and we have to add that orderer time shift only if our network is already expired. If we have a network in running condition but the certificates are going to expire within a couple of days or a couple of weeks, then we don't need this step actually. And in this script as well we don't need to pass this flag, TLS handshake time shift 200 hours.
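Added example, not from the talk or its repo: the manual "decode, edit the consenter, re-encode" step described in the two configuration-update passages above, done on a constructed decoded config block so the edit can be checked before configtxlator compute_update is run. Host names, ports and certificate contents are constructed placeholders; the JSON path follows the ConsensusType/metadata/consenters layout the speaker shows.

```python
import base64
import copy
import json

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def _pem(name):
    # Constructed stand-in for a TLS certificate file; not a real certificate.
    return b"-----BEGIN CERTIFICATE-----\n" + name.encode() + b"\n-----END CERTIFICATE-----\n"


def pem_to_config_value(pem_bytes):
    """configtxlator represents bytes fields as base64 of the raw file bytes,
    so the value placed in config.json is base64(PEM), not the PEM itself."""
    if not pem_bytes.lstrip().startswith(PEM_HEADER):
        raise ValueError("expected a PEM certificate (did you pass the base64 body instead?)")
    return base64.b64encode(pem_bytes).decode("ascii")


# Constructed sample of the relevant part of a decoded config block:
# ConsensusType -> value -> metadata -> consenters, one entry per orderer.
SAMPLE_CONFIG = {
    "channel_group": {
        "groups": {
            "Orderer": {
                "values": {
                    "ConsensusType": {
                        "mod_policy": "Admins",
                        "value": {
                            "type": "etcdraft",
                            "state": "STATE_NORMAL",
                            "metadata": {
                                "consenters": [
                                    {"host": "orderer.example.com", "port": 7050,
                                     "client_tls_cert": pem_to_config_value(_pem("OLD-ORDERER1")),
                                     "server_tls_cert": pem_to_config_value(_pem("OLD-ORDERER1"))},
                                    {"host": "orderer2.example.com", "port": 8050,
                                     "client_tls_cert": pem_to_config_value(_pem("OLD-ORDERER2")),
                                     "server_tls_cert": pem_to_config_value(_pem("OLD-ORDERER2"))},
                                    {"host": "orderer3.example.com", "port": 9050,
                                     "client_tls_cert": pem_to_config_value(_pem("OLD-ORDERER3")),
                                     "server_tls_cert": pem_to_config_value(_pem("OLD-ORDERER3"))},
                                ]
                            },
                        },
                    }
                }
            }
        }
    }
}


def consenters(config):
    """Walk down to the etcdraft consenter list inside a decoded config block."""
    return (config["channel_group"]["groups"]["Orderer"]["values"]
            ["ConsensusType"]["value"]["metadata"]["consenters"])


def replace_consenter_tls(config, host, port, new_pem):
    """Return a copy of config with client_tls_cert and server_tls_cert of the
    consenter at host:port replaced by new_pem. The input is left untouched so
    the original config.json is still available for compute_update."""
    modified = copy.deepcopy(config)
    matches = [c for c in consenters(modified) if c["host"] == host and c["port"] == port]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one consenter at {host}:{port}, found {len(matches)}")
    encoded = pem_to_config_value(new_pem)
    matches[0]["client_tls_cert"] = encoded
    matches[0]["server_tls_cert"] = encoded
    return modified


def changed_consenters(original, modified):
    """List host:port of consenters whose TLS certs differ between two configs."""
    def certs(cfg):
        return {(c["host"], c["port"]): (c["client_tls_cert"], c["server_tls_cert"])
                for c in consenters(cfg)}
    before, after = certs(original), certs(modified)
    if before.keys() != after.keys():
        raise ValueError("consenter set changed; this flow only rotates certificates")
    return sorted(f"{h}:{p}" for (h, p) in before if before[(h, p)] != after[(h, p)])


def check_single_orderer_update(original, modified):
    """Guard for the one-orderer-per-update rule, run before compute_update."""
    changed = changed_consenters(original, modified)
    if len(changed) != 1:
        raise ValueError(f"a config update may rotate one consenter only, got {changed}")
    return changed[0]


def updates_required(num_orderers, num_channels):
    """Total config updates: every orderer, on every channel (system + application)."""
    return num_orderers * num_channels


if __name__ == "__main__":
    modified = replace_consenter_tls(SAMPLE_CONFIG, "orderer.example.com", 7050, _pem("NEW-ORDERER1"))
    print("rotating:", check_single_orderer_update(SAMPLE_CONFIG, modified))
    with open("modified_config.json", "w") as fh:  # input for configtxlator proto_encode
        json.dump(modified, fh, indent=2)
```

Running it writes modified_config.json next to the original config.json; the two files are what configtxlator compute_update consumes, one orderer per run.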
Okay, this is only required if our network is expired, and we have to let the orderer know that we have shifted the time by this particular amount. It will just take whatever variables we have provided there. This is another change. In this script actually I have added it because I just recovered the network which was expired; I created the scenario, in the YouTube video I have just created a network, expired the certificates and again done this exercise on that existing network. That's why you can see this flag here. Okay, another thing. You might be wondering where we require the private key and public key for the peers and orderers. I'm sure you guys are already aware of the transaction flow: first the client creates and signs the transaction proposal and sends it to the endorsing peer. The endorsing peer verifies this transaction, like whether the user is valid or not, if he's allowed to do the transaction and all, and finally creates a read set and write set and endorses the transaction. Endorsing the transaction is nothing but creating the signed proposal again. For creating the signed proposal, each endorser requires the private key. So we sign the transaction and add the certificate of that peer as well. In this step we require the peer certificate; if it has expired then we won't be able to do it, here itself we will get blocked. Once we have the renewed certificate, the endorsing peer sends the proposal response back to the client. Again, it's the client's responsibility to collect all the necessary endorsements and check using the discovery service; there are some steps, right, the discovery service just checks for this channel, for this chaincode, how many endorsements are required.
Did we get those endorsements? If we have an endorsement policy that each organization should endorse the transaction, in that case it just validates it and sends this transaction proposal, that is the invocation as we generally call it, to the orderer. Again here we have one leader, so one of the orderers will be the leader and he will create a block. After creating the block the orderer also needs to sign that block, right, so at the end of the block we generally get one signature, that is the orderer signature we can see. The orderer creates the signed block and sends it back to the leader peer of the organization. Again, it's the leader peer's responsibility to distribute that block finally to all the peers in the same organization, and their validation takes place and finally the block gets committed into the ledger. Okay. Before that, like, this is a very, I mean it's a little complex, so make sure your certificates are not getting expired, and before the time you have to do those kinds of checks and everything, right. In case your network certificates got expired then you have to follow all these steps. So let me show you step by step again from here. Let's assume our network is already up and running, but because of some circumstances we couldn't renew our certificates and those certificates have expired now and our network is not up and running. In that case the first step is creating the certificates. In the repo you can see, let me show you, the first step is creating the certificates. Where is the script for that? This script is responsible for creating the endorsing certificate, sorry, the digital certificate, that is the enrollment one. The second one is the TLS certificate. Sorry, it's not endorsement, it's the enrollment. So, the first one is the enrollment certificate, the second one is the TLS certificate. This script is responsible for creating all the certificates. Once we have the certificates, what is the next step?
The next step is restarting the services, just here. Okay, I missed replacing the MSP: once we have this certificate and all in the new certificate folder, we have to just copy this MSP folder, because in the MSP we have the public key and private key. The keystore is the private key actually, and the public key generally we have in the certificate only. Let me show you a sample certificate as well. This is one of the certificates, I just converted it into readable format. In the certificate we have this kind of information; maybe I can show you directly in the web browser as well. So the certificate is secure, the certificate is valid; how does it get validated? The same procedure which we just saw here, certificate validation. This is issued to google.com, the organization, issued by, who is the certificate authority, the validity period, expires on, so this is the expiration. So the certificates are going to expire. Issued on, this is the issued on, the expiration is July 2022. And this is the fingerprint I was talking about; at the bottom of the certificate we have the fingerprint, it is nothing but the signature. This certificate authority just took all the information at the top, created a hash and just encrypted that hash and finally put the digital signature at the bottom of the file, and we can get more information as well in the certificate. You can take any kind of certificate, these are X.509 standard certificates; it doesn't matter if you are using them in Hyperledger Fabric or maybe in the HTTPS protocol, these are the general standards actually. We replace the MSP, restart the services. Once we restart all the services, the next step is to do the configuration update. For the configuration update you can see in the rotate-certificate folder there are two steps I have added, step one and step two. In step one, again we have to do it for orderer one. In step one, for orderer one, fetch the configuration block from here.
This is for the system channel. So in step one we are doing the system channel, and in step two, sorry, the application channel. So first we just fetch the configuration block, make the necessary changes, we have to add the TLS certificate at the bottom of the configuration file, and just send this configuration update to the orderer. So this is step one. For the application channel as well we have to do it immediately, and once we are done with the application channel as well, we can restart orderer one, because we are done with orderer one. We have another three orderers in the network, right, so for the three orderers again go to step one and do it for orderer two. Also we have to do exactly the same steps. Maybe I would recommend to just do this step by step and verify that everything is working fine. And once you have confidence that it's working fine, then you can execute these steps in one go as well. There is one more thing I want to mention here. I was just converting this TLS certificate and pasting it into the modified configuration. So you can just do some kind of automation using the jq tool. I was using the jq tool as well, but it was a little easier for me to just copy and paste, so that's why I did that, but you can make that automation. You can just create a pull request to this repo as well; I would be happy to merge it. So these are the steps for orderer two; again, we are doing this for the system channel, and for the application channel as well we have to do the same steps here. And finally, once we are done with this, just restart orderer two as well. And you can just check that the orderers are communicating with each other, because they generally need to create a leader among them, right. Even though we are doing this configuration update, they will be able to communicate with each other after the update.
Just make sure to replace the TLS certificate and restart the orderer after doing this step only; first do it for the system channel and later on for all the application channels we have. So these are the different steps involved in the configuration update and the certificate rotation. Another thing we didn't talk about is the users, right. So I have one API folder here, and in the API folder, generally we register the new users as well. Again, when we are registering a new user, that's fine: the new user gets registered first, then the certificate gets created and finally stored into the wallet. But what if we have an already existing user and that certificate got expired? So there is one more thing in the registration process; you can see this is the responsibility of the admin of the organization. In the app 2.0, helper.js is the file, and inside this we are doing the registration and enrollment. So it is the admin of the organization, because for the registration process we require the admin organization object, as it's confidential data. So the admin will just create a registration request to the certificate authority; here we can see it's passing the enrollment ID and it's not passing any kind of secret. So generally the certificate authority returns a secret here. So we have to store the secret somewhere, so that next time, if we want to re-enroll or enroll the user, this secret is required actually to re-enroll the user. So on the API side make sure to store the secret. As per my understanding we have to store this secret and reuse it in the enrollment process again. So right now we are not storing it here, but using the secret, actually, the user can just initiate this ca.enroll, because in this method the CSR gets created and finally sent to the certificate authority, and the public key and private key are also getting created in this step only. And finally we get this enrollment object.
So the enrollment object will have the certificate and the private key, which we are putting into the wallet. If we're storing this secret, it means even though our certificate got expired, we can renew it just by exposing one more script here just for the renewal. So these are the steps we have to make sure to have. In the certificate authority configuration file, you can just tweak this expiration time a little bit in case you want to reproduce it on the local machine. So let's consider you just make this 24 hours. Okay, just make this 24 hours and create a network; on the next day your network will be expired and you can just follow these steps. Make sure you're doing exactly the same, whatever is recommended, say, here. We have another thing: you can do some time shift as well. Okay, the time shift is not recommended, but just to make this exercise work on your local machine you can shift the time of your machine back and do the procedure. Actually, if you're doing the time shift our network will be up and running, because let's consider our network got expired yesterday, and we are doing the time shift by 48 hours; it means our time will have the date of two days before, right, so in that case our network will be up and running only because the time on our machine is different. But generally it's not recommended, because our production network gets deployed on some virtual machines or maybe Kubernetes or something, but the procedure is exactly the same, whether your network is on the local machine, or maybe on a single machine, or maybe on Kubernetes. So these are the steps we have to make sure to follow in the certificate rotation. So in case you have any kind of doubt, maybe we can discuss that part.
Hi, Kamilish. Thanks for the session. And I have a few doubts. Yeah, please.
Actually, in the fabric-ca-server-config.yaml file, by default the CA certificate has a five-year expiry and the peer and orderer TLS certificates have a one-year expiry. Once the network is expired, if we want to renew the certificates for the peers and the TLS for five years, then what do we have to do? Yes, I mean this is the intermediate, for the intermediate certificate authority. If you're not using it then that's fine. But in case, just correct me if I'm wrong, if I understand your question correctly, you want to ask how to renew the certificate for the certificate authority or the TLS certificate, right? Okay, now for TLS and enrollment certificates. Okay, okay. For the certificate authority, or for peer and orderer, you are asking for the enrollment certificate and the TLS certificate, the digital signature, and the peer. Yeah, but for the peers or orderers or maybe users; to whom, you are asking, peers and orderers. Okay, okay. Yeah, I mean, this is the state, this is the discussion whatever we have right now. Yes. So we are doing this, the renewing of the certificate, for these certificates only, like the digital certificate first and the TLS only. Okay, okay, the script we have already here. And first we are just renewing the digital certificate and later on the TLS certificate. Yeah, we are doing that, but in the explanation it is for one year, right; can we update that to some five years to ten years? Yeah, okay, okay, okay. Yeah, I got it. See, yeah, we can do that. We can do whatever, I mean whatever expiry you want, say, here; so in the certificate authority configuration file you have to change this and just restart the certificate authority. Okay, after that, whatever enrollment you are doing, it will pick this expiration. So in case you have made it 10 years, then whatever new certificates you are creating, digital certificates, will have an expiry of 10 years by default. Okay, yeah, in this section we can restart the server.
Yeah, yeah, of course, yeah, for making it reflected immediately. Okay, then if the root CA certificate got expired? Okay, that is the CA certificate. Okay, by default the CA certificate has an expiry of 10 years by default. And we can renew it the same way as well. See, I mean, when we create the certificate authority, right, it just creates the public key and private key and self-signs the certificate. In the same way we can renew the certificate for the certificate authority as well. I mean, it is just a standard procedure for renewing the certificate; it doesn't matter if it is the peer certificate, orderer certificate or CA certificate. Then my next question is: in the config block, that is when you're fetching the block from the channel, right, you mentioned to update the orderer TLS certificate, right? Yes, yes, this one. I also did that; I was able to perform it and it's working, but in that renewed network, when I try to create a new channel or when I try to add a new organization, it shows me an error like organization admin certificate is not valid. This channel config also contains the admin cert itself. If you scroll up you can see each organization's admin certificate is there. Yeah, yeah, yeah. So you're adding a new organization in the existing network, right? Yeah. Okay, so for adding a new organization the procedure is a little different. It is different, that I know, but in this config file also we have each organization's admin certificate. Before you updated the orderer TLS certificate, right? No, this is the certificate. Okay, this is the certificate of the certificate authority, not any other, I mean peer or orderer; it's having the default 10 years of expiry. No, see it, it also contains the admin cert. Where is it? In the first one. This one. Yeah, that is, no, no, no, this is not the admin certificate; it is the node organization unit, which is admin.
Which means, see, you are mentioning, see, admin cert. Yeah, certificate. Okay, sorry. This peer, or this peer organization unit identifier is here, right? Yeah, I think the organization. See, I mean, what happens, see, we have four node organization units: admin, client, orderer and peer. What it's specifying is this is the certificate authority certificate. So it's specifying: if the certificate is created by the certificate authority and the node organization unit is admin, then that certificate is valid. So the certificate of the certificate authority is having by default 10 years of expiry. So these are all the certificates you can see, exactly the same, aren't they, right? It's not saying, if you read it in some other OpenSSL tool you can find these are not the same. No, no, exactly the same are there, I'm sure on that. Because in the node organization unit, let me show you where that is. Okay, this is the certificate we generally add. Okay, in the config.yaml file, and this is where the node organization unit gets added. So here, we're using exactly the same certificate, that is the certificate authority certificate (localhost 9054, ca-orderer.com), for all the node organization units. One, two, three and four, exactly the same certificate we're using; it means we're saying use this certificate authority certificate and whatever node organization units are there. So let's consider I am the certificate authority and my certificate is this one; whatever certificates I am signing, and they have the node organization unit as one of them, like client, peer, admin and orderer, allow them to just do the interaction with the network. If we have other than these node organization units then the certificate will not be valid. If we have the node organization unit client but the certificate is not signed by the certificate authority, it means that certificate is also not valid. Just, you can verify it: these are exactly the same certificates and these are the certificate authority certificates.
Which means, now in this renewed network you can create a channel and you can add an organization. So, yeah, and this validation doesn't take place here, I mean, using this organization admin. See, this is the certificate, right, the certificate of the certificate authority. Whatever admins we have, their certificates get used for invocation. So the certificates whose node organization unit is admin, they can just add a new organization, depending on the policy we have; by default I think it's majority. It means in the three organizations we require two organizations' signatures, two admins of the organizations, to invoke the transaction successfully. Did you get it? Yeah, I got it, but then when I fetch the config file, in my file I got a different certificate in this. Then you have to make sure, in the configuration, how you're creating the certificate; just make sure how we are creating this config.yaml file, because it gets stored in the MSP and it will go to the node organization unit only. Okay. My next question is: this no-expiration-check flag, right? This is used for the orderer. Only the orderer. Only the orderer, because let's consider our network is already expired; we have to interact with the orderer only, not the peer or something, right, to make that update. Since the TLS certificate gets added into the configuration block, and only the orderer has the configuration block, right, I mean we can do the update and they have some privilege. So we have to update here only. That's why we have the flag only for the orderer. My next question is: for everything we are using the TLS certificate, for invoke transaction or query transaction, for that; then for channel creation and organization addition we are going to use the admin certificate, that is like. So, see, these are different things.
The first one is TLS. TLS is nothing but transport layer security, and whatever communication they are having between the parties, that should be confidential, right. If someone has intercepted that request they can just take the data inside that. So for that purpose we have this TLS; even in HTTPS you can see here, this communication happening between this server and this browser is secure because this is using a valid certificate first, and generally you know this procedure, how it happens. The browser first, so, just hits that domain; whatever the domain is there, it just returns a certificate. After the certificate, the browser validates that certificate; if that's valid, because the browser has the valid certificate authority, it creates a random phrase, a randomly generated key; the public key is available in the certificate; using that public key that randomly generated key gets encrypted and is finally sent back to the server. The server again validates; the server can decrypt because the server has the private key, so the server just decrypts that request and gets the randomly generated key. So at that time only the browser and the server have that randomly generated key. After that, they can communicate with each other using that randomly generated key, using encryption, right. So this is how the communication generally happens, but in the peer-to-peer communication we have exactly the same approach. So these TLS certificates are used for having the secure communication. So why are we using the admin certificate for creating the channel? So for any kind of invocation or any kind of query we generally use the defined certificate; it could be admin or it could be a user as well, right. So, as per the policy, who can invoke the transaction or who can query the transaction is defined in the policies in the configuration block.
So for that, even though I have the admin certificate, if my certificates are not signed by the certificate authority, then even though the certificate is valid I won't be able to interact with the network, right, because the certificates are not valid and not authorized by that particular certificate authority. So these are slightly different things: TLS is used just for having the secure communication, and admin or client certificates are used to do some particular operation depending on the policy we define in the configuration block. In the channel creation as well you can see. Okay, let me just check here. Okay, channel creation. We are just sending this. Yeah, here in the channel creation we are setting the globals for organization one, where we're using the admin user here, that is the MSP, because for creating the channel we require the admin certificate. Okay. Another important thing: for having the communication with this orderer, we cannot have communication with the orderer without the TLS certificate; that's why we provide the TLS certificate for that orderer, to have this whole channel creation process secure. Got it. Yeah. Any other question? Guys, any other question? You can ask me, I mean, anything, not only on this rotation or something, if you're confused with anything. Then we are almost done with the time. Yeah, okay, so any more questions from anyone? So anyway this is recorded and it will be published on the Hyperledger YouTube. Yeah, one more thing, see, I mean I have done this practical demo multiple times and I recorded a clear session as well; you can see on the screen. You can see that rotation or renewal, recovering the expired network with these different kinds of scripts, so I have recorded a one-hour session, so in that everything is clear. Even there is one Medium article as well. You can just go through it; I have tried to explain everything there.
Yeah, I even shared this Medium and YouTube link in a meetup event earlier; you can see it here also, and also you can see the GitHub repository. Okay, yeah, okay, so in this YouTube description we have everything, like the GitHub repo, Postman collections and everything; I'm just sending it in the chat as well. So I think we are done then. Yeah, good, close, and then I will share this recording on the Hyperledger.