Starting a Hyperledger Fabric CA server creates the enrollment service that issues MSP certificates for Fabric admins, users, peers, and orderers. A local CA is useful when building an organization MSP or preparing a test network that needs identities generated from a registrar instead of static sample material.
The server home controls where Fabric CA writes fabric-ca-server-config.yaml, ca-cert.pem, and its identity database. Running fabric-ca-server start with -b supplies the bootstrap registrar when LDAP is not enabled, and the first start initializes missing CA files before opening the enrollment listener on port 7054.
Using separate server and admin client homes under ~/fabric-ca keeps generated CA files apart from later peer or orderer MSPs. The default HTTP listener is only appropriate for a local lab or other isolated host; enable TLS and replace admin:adminpw before any shared Fabric CA is exposed.
$ mkdir -p "$HOME/fabric-ca/server" "$HOME/fabric-ca/clients/admin"
$ FABRIC_CA_SERVER_HOME=$HOME/fabric-ca/server fabric-ca-server start -b admin:adminpw
2026/06/20 21:20:45 [INFO] Created default configuration file at /home/fabric/fabric-ca/server/fabric-ca-server-config.yaml
2026/06/20 21:20:45 [INFO] Operation Server Listening on 127.0.0.1:9443
2026/06/20 21:20:45 [INFO] Listening on http://0.0.0.0:7054
The bootstrap secret appears in shell history and process arguments. Use a temporary lab secret only for local validation, and enable TLS before exposing port 7054.
$ ls "$HOME/fabric-ca/server"
IssuerPublicKey  IssuerRevocationPublicKey  ca-cert.pem  fabric-ca-server-config.yaml  fabric-ca-server.db
fabric-ca-server-config.yaml is the file to review before changing the CA name, database, affiliations, registry limits, TLS, or operations settings.
$ FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2026/06/20 21:20:46 [INFO] Created a default configuration file at /home/fabric/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2026/06/20 21:20:46 [INFO] generating key: &{A:ecdsa S:256}
2026/06/20 21:20:46 [INFO] encoded CSR
2026/06/20 21:20:46 [INFO] Stored client certificate at /home/fabric/fabric-ca/clients/admin/msp/signcerts/cert.pem
2026/06/20 21:20:46 [INFO] Stored root CA certificate at /home/fabric/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
2026/06/20 21:20:46 [INFO] Stored Issuer public key at /home/fabric/fabric-ca/clients/admin/msp/IssuerPublicKey
2026/06/20 21:20:46 [INFO] Stored Issuer revocation public key at /home/fabric/fabric-ca/clients/admin/msp/IssuerRevocationPublicKey
The enrollment URL must match the bootstrap ID and secret from the server start command. If TLS is enabled, use an https URL and the CA trust file required by the client.
$ ls "$HOME/fabric-ca/clients/admin/msp"
IssuerPublicKey  IssuerRevocationPublicKey  cacerts  keystore  signcerts
The signcerts and keystore directories are the admin identity material used by later fabric-ca-client register requests.
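A pre-exposure check for the lab CA started above, as an added example that is not part of the original page or of Fabric CA: it reads the startup log format shown earlier and the server command line, and reports a plaintext enrollment listener, a non-loopback bind address, and a bootstrap secret passed with -b. The function names and sample inputs are constructed; the https form of the "Listening on" line is assumed to mirror the http line shown on this page.

```sh
#!/bin/sh
# Added example: pre-exposure check for a lab Fabric CA.
# Function names and sample inputs are constructed, not part of Fabric CA.

# Read fabric-ca-server startup log on stdin; print one finding per line.
audit_ca_log() {
    # Match only the enrollment listener ("[INFO] Listening on scheme://host:port"),
    # not the "Operation Server Listening on" line.
    sed -n 's|^.*\[INFO\] Listening on \([a-z]*\)://\(.*\):\([0-9][0-9]*\)$|\1 \2 \3|p' |
    while read -r scheme host port; do
        if [ "$scheme" = "http" ]; then
            echo "PLAINTEXT: enrollment listener on port $port has no TLS"
        fi
        case "$host" in
            127.*|localhost|"[::1]") ;;   # loopback only, nothing to report
            *) echo "EXPOSED: listener bound to $host, reachable beyond loopback" ;;
        esac
    done
}

# Take the server command line as one string; flag how the bootstrap secret is handled.
audit_bootstrap_arg() {
    case " $1 " in
        *" -b admin:adminpw "*) echo "DEFAULT-SECRET: bootstrap registrar is still admin:adminpw" ;;
    esac
    case " $1 " in
        *" -b "*:*) echo "ARGV-SECRET: bootstrap secret is visible in process arguments" ;;
    esac
}

# Constructed sample input, copied from the log format shown on this page.
SAMPLE_LOG='2026/06/20 21:20:45 [INFO] Operation Server Listening on 127.0.0.1:9443
2026/06/20 21:20:45 [INFO] Listening on http://0.0.0.0:7054'
SAMPLE_CMD='fabric-ca-server start -b admin:adminpw'

printf '%s\n' "$SAMPLE_LOG" | audit_ca_log
audit_bootstrap_arg "$SAMPLE_CMD"
```

An empty result from both functions means the log shows an https listener on loopback and no -b secret on the command line; it does not confirm that the CA's TLS certificate or registrar password are sound.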