Experimental use of cert-manager.io to issue node TLS certificates

Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>
2026-06-23 01:55:10 +00:00 · 2022-01-19 18:04:47 -05:00 · 2022-01-19 18:04:47 -05:00 · 5b7edf264e
commit 5b7edf264e
parent 3457690148
21 changed files with 420 additions and 81 deletions
--- a/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml
+++ b/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml
@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org0-ecert-ca-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org0-ecert-ca
+    - org0-ecert-ca.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org0-ecert-ca-tls-cert
+  issuerRef:
+    name: org0-tls-cert-issuer
--- a/test-network-k8s/kube/org0/org0-ecert-ca.yaml
+++ b/test-network-k8s/kube/org0/org0-ecert-ca.yaml
@ -30,9 +30,9 @@ spec:
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
@ -43,6 +43,9 @@ spec:
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ecert-ca-server-config.yaml
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
@ -55,6 +58,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org0-config
+        - name: tls-cert-volume
+          secret:
+            secretName: org0-ecert-ca-tls-cert

 ---
 apiVersion: v1
--- a/test-network-k8s/kube/org0/org0-orderer1.yaml
+++ b/test-network-k8s/kube/org0/org0-orderer1.yaml
@ -3,6 +3,28 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org0-orderer1-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org0-orderer1
+    - org0-orderer1.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org0-orderer1-tls-cert
+  issuerRef:
+    name: org0-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -16,9 +38,9 @@ data:
  ORDERER_GENERAL_LOCALMSPID: OrdererMSP
  ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp
  ORDERER_GENERAL_TLS_ENABLED: "true"
-  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem
-  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/cacerts/org0-tls-ca.pem
-  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key
+  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt
+  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key
  ORDERER_GENERAL_BOOTSTRAPMETHOD: none
  ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1
  ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal
@ -57,6 +79,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -64,7 +89,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org0-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org0-orderer1-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org0/org0-orderer2.yaml
+++ b/test-network-k8s/kube/org0/org0-orderer2.yaml
@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org0-orderer2-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org0-orderer2
+    - org0-orderer2.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org0-orderer2-tls-cert
+  issuerRef:
+    name: org0-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -16,9 +37,9 @@ data:
  ORDERER_GENERAL_LOCALMSPID: OrdererMSP
  ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp
  ORDERER_GENERAL_TLS_ENABLED: "true"
-  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem
-  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/cacerts/org0-tls-ca.pem
-  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key
+  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt
+  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key
  ORDERER_GENERAL_BOOTSTRAPMETHOD: none
  ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2
  ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal
@ -57,6 +78,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -64,7 +88,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org0-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org0-orderer1-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org0/org0-orderer3.yaml
+++ b/test-network-k8s/kube/org0/org0-orderer3.yaml
@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org0-orderer3-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org0-orderer3
+    - org0-orderer3.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org0-orderer3-tls-cert
+  issuerRef:
+    name: org0-tls-cert-issuer
+    
 ---
 apiVersion: v1
 kind: ConfigMap
@ -16,9 +37,9 @@ data:
  ORDERER_GENERAL_LOCALMSPID: OrdererMSP
  ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp
  ORDERER_GENERAL_TLS_ENABLED: "true"
-  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem
-  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/cacerts/org0-tls-ca.pem
-  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key
+  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt
+  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key
  ORDERER_GENERAL_BOOTSTRAPMETHOD: none
  ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3
  ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal
@ -57,6 +78,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -64,7 +88,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org0-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org0-orderer2-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org0/org0-tls-cert-issuer-secret.yaml
+++ b/test-network-k8s/kube/org0/org0-tls-cert-issuer-secret.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: org0-tls-cert-issuer-secret
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNLRENDQWM2Z0F3SUJBZ0lVS051d2FFOVdNTmx6cXorSG5JVDVUa1VxTnJNd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRXRjMlZ5ZG1WeU1CNFhEVEl5TURFeE9ERTRNRGt3TUZvWERUTTNNREV4TkRFNE1Ea3dNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkbGNqRVBNQTBHQTFVRUN4TUdSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUV6dlB6YXh5Y2RaeFpFem00TFl1VVlLRm8KS3hKRlNtWkdRR1JmNE5GOXMxc2ZpcURwODlmSlV0aGNUSTlpSkQ1VEVSbTVjeEE0QTMwNHJCL2dwck5vaHFOVwpNRlF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSME9CQllFCkZDWG5ZYUJxR0p1V3lGcEcrdi9yb0N3QmhKbG5NQThHQTFVZEVRUUlNQWFIQkg4QUFBRXdDZ1lJS29aSXpqMEUKQXdJRFNBQXdSUUloQUxzbnJtYmlhdDlrdzJua3FLbVJqVG1LVGNVNURFYXBtb2JmdUVWYndUWEdBaUFRb3JlTQpSOHVDWHVKMTNnUVc1aXEwbzdPOW00cEZOOVRkeEtwb2xmN1BQdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ2ZDM21WUDVnWGtMa0M0UDAKbGoyZVVXVmQ4QVVjVVhKZnBiU2tWYUw4a2s2aFJBTkNBQVRPOC9OckhKeDFuRmtUT2JndGk1UmdvV2dyRWtWSwpaa1pBWkYvZzBYMnpXeCtLb09uejE4bFMyRnhNajJJa1BsTVJHYmx6RURnRGZUaXNIK0NtczJpRwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
--- a/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml
+++ b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml
@ -0,0 +1,13 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: org0-tls-cert-issuer
+spec:
+  ca:
+    secretName: org0-tls-cert-issuer-secret
--- a/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml
+++ b/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml
@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org1-ecert-ca-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org1-ecert-ca
+    - org1-ecert-ca.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org1-ecert-ca-tls-cert
+  issuerRef:
+    name: org1-tls-cert-issuer
--- a/test-network-k8s/kube/org1/org1-ecert-ca.yaml
+++ b/test-network-k8s/kube/org1/org1-ecert-ca.yaml
@ -30,9 +30,9 @@ spec:
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
@ -43,6 +43,9 @@ spec:
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ecert-ca-server-config.yaml
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
@ -55,7 +58,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org1-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org1-ecert-ca-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org1/org1-peer1.yaml
+++ b/test-network-k8s/kube/org1/org1-peer1.yaml
@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org1-peer1-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org1-peer1
+    - org1-peer1.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org1-peer1-tls-cert
+  issuerRef:
+    name: org1-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -12,9 +33,9 @@ data:
  FABRIC_CFG_PATH: /var/hyperledger/fabric/config
  FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
  CORE_PEER_TLS_ENABLED: "true"
-  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/signcerts/cert.pem
-  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key
-  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/cacerts/org1-tls-ca.pem
+  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key
+  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt
  CORE_PEER_ID: org1-peer1.org1.example.com
  CORE_PEER_ADDRESS: org1-peer1:7051
  CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
@ -29,6 +50,7 @@ data:
  CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com
  CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots
  CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer1\"}"
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@ -61,6 +83,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -68,7 +93,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org1-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org1-peer1-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org1/org1-peer2.yaml
+++ b/test-network-k8s/kube/org1/org1-peer2.yaml
@ -3,6 +3,28 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org1-peer2-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org1-peer2
+    - org1-peer2.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org1-peer2-tls-cert
+  issuerRef:
+    name: org1-tls-cert-issuer
+
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -12,9 +34,9 @@ data:
  FABRIC_CFG_PATH: /var/hyperledger/fabric/config
  FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
  CORE_PEER_TLS_ENABLED: "true"
-  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/signcerts/cert.pem
-  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key
-  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/cacerts/org1-tls-ca.pem
+  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key
+  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt
  CORE_PEER_ID: org1-peer2.org1.example.com
  CORE_PEER_ADDRESS: org1-peer2:7051
  CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
@ -61,7 +83,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
-
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -69,7 +93,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org1-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org1-peer2-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org1/org1-tls-cert-issuer-secret.yaml
+++ b/test-network-k8s/kube/org1/org1-tls-cert-issuer-secret.yaml
@ -0,0 +1,13 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: org1-tls-cert-issuer-secret
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNLRENDQWM2Z0F3SUJBZ0lVZUZhVWpkQzNXUnlNdHU0TExaM2hlQmIyVG5Jd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRXRjMlZ5ZG1WeU1CNFhEVEl5TURFeE9ERTRNRGt3TUZvWERUTTNNREV4TkRFNE1Ea3dNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkbGNqRVBNQTBHQTFVRUN4TUdSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVLdHBid0RMNStwcWV1bUNxUlAxN0ltT1gKSytxclViMTAyTU9XeE1iaDBKbExHdm1DS05DeFhjNnFNSnMvSE1uakJyaWZ2VlZUdW4xbzB4U2FGVU5wVHFOVwpNRlF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSME9CQllFCkZMUU4zVk1zRkU4SEMrZUZJZ2E5VkNTZUpqNVdNQThHQTFVZEVRUUlNQWFIQkg4QUFBRXdDZ1lJS29aSXpqMEUKQXdJRFNBQXdSUUloQU8vNGttZm5MWml2c05BZ1hRQzFYUHQrS2NyOGJGUGlRbmhzNWo5SUNJdFVBaUIrei9uZgpjdURvcjRqUFdMSjNVL1NZYnVkK1g4NEt1UzFseVNTME9Pbmpndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZzFhdXpCUk9nT1dxc3FwL1UKYlp3M2dtSk5sZlhOS3FMc2NCWUZzdmdhdWZLaFJBTkNBQVFxMmx2QU12bjZtcDY2WUtwRS9Yc2lZNWNyNnF0Ugp2WFRZdzViRXh1SFFtVXNhK1lJbzBMRmR6cW93bXo4Y3llTUd1Sis5VlZPNmZXalRGSm9WUTJsTwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t
--- a/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml
+++ b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml
@ -0,0 +1,13 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: org1-tls-cert-issuer
+spec:
+  ca:
+    secretName: org1-tls-cert-issuer-secret
--- a/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml
+++ b/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml
@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org2-ecert-ca-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org2-ecert-ca
+    - org2-ecert-ca.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org2-ecert-ca-tls-cert
+  issuerRef:
+    name: org2-tls-cert-issuer
--- a/test-network-k8s/kube/org2/org2-ecert-ca.yaml
+++ b/test-network-k8s/kube/org2/org2-ecert-ca.yaml
@ -30,9 +30,9 @@ spec:
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
-              value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem"
+              value: "/var/hyperledger/fabric-ca-server/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
@ -43,6 +43,9 @@ spec:
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ecert-ca-server-config.yaml
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
@ -55,7 +58,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org2-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org2-ecert-ca-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org2/org2-peer1.yaml
+++ b/test-network-k8s/kube/org2/org2-peer1.yaml
@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org2-peer1-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org2-peer1
+    - org2-peer1.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org2-peer1-tls-cert
+  issuerRef:
+    name: org2-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -12,9 +33,9 @@ data:
  FABRIC_CFG_PATH: /var/hyperledger/fabric/config
  FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
  CORE_PEER_TLS_ENABLED: "true"
-  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/signcerts/cert.pem
-  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key
-  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/cacerts/org2-tls-ca.pem
+  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key
+  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt
  CORE_PEER_ID: org2-peer1.org2.example.com
  CORE_PEER_ADDRESS: org2-peer1:7051
  CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
@ -61,6 +82,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -68,7 +92,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org2-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org2-peer1-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org2/org2-peer2.yaml
+++ b/test-network-k8s/kube/org2/org2-peer2.yaml
@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org2-peer2-tls-cert
+  namespace: test-network
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org2-peer2
+    - org2-peer2.test-network.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org2-peer2-tls-cert
+  issuerRef:
+    name: org2-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@ -12,9 +33,9 @@ data:
  FABRIC_CFG_PATH: /var/hyperledger/fabric/config
  FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
  CORE_PEER_TLS_ENABLED: "true"
-  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/signcerts/cert.pem
-  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key
-  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/cacerts/org2-tls-ca.pem
+  CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt
+  CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key
+  CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt
  CORE_PEER_ID: org2-peer2.org2.example.com
  CORE_PEER_ADDRESS: org2-peer2:7051
  CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
@ -61,7 +82,9 @@ spec:
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric/config
-
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric-ca-server/tls
+              readOnly: true
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
@ -69,7 +92,9 @@ spec:
        - name: fabric-config
          configMap:
            name: org2-config
-
+        - name: tls-cert-volume
+          secret:
+            secretName: org2-peer2-tls-cert
 ---
 apiVersion: v1
 kind: Service
--- a/test-network-k8s/kube/org2/org2-tls-cert-issuer-secret.yaml
+++ b/test-network-k8s/kube/org2/org2-tls-cert-issuer-secret.yaml
@ -0,0 +1,13 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: org2-tls-cert-issuer-secret
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNKekNDQWM2Z0F3SUJBZ0lVTVdkYlZ1RGFJU1BIQnQrVE1ENlNkN21URmowd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRXRjMlZ5ZG1WeU1CNFhEVEl5TURFeE9ERTRNRGt3TUZvWERUTTNNREV4TkRFNE1Ea3dNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkbGNqRVBNQTBHQTFVRUN4TUdSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVWWWNvQ2p4VXFFS1RaVThxOHJBd0c3RVMKa0Z4V3lmSjVyZGhHRktESWI1R1ZkR0lQc0NtSU03bS9TTFRQMGlCWkdTb2IwRUVJZENKMzZQWW9ldVY3NDZOVwpNRlF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSME9CQllFCkZHUlc5elBYa3V3cVdyYnBscVdYUTc5Zm5wdlVNQThHQTFVZEVRUUlNQWFIQkg4QUFBRXdDZ1lJS29aSXpqMEUKQXdJRFJ3QXdSQUlnQ1FJM3ZwVjYrN0JCL0czem9xeHNVeUtwN2ZUMlFIVTczeExBSjNMN0RXZ0NJRTB4L0xuTgpkN0U0a1BWVFFjN05hdGtSUWlzNUQ3L0djaXc4TGozaXJDL2YKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoK
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ0pnWlhOajREOWpKcVVlbzgKT3JoS2ZNVWNrenE5RTM4M29jSW15aDhPQlNHaFJBTkNBQVJWaHlnS1BGU29RcE5sVHlyeXNEQWJzUktRWEZiSgo4bm10MkVZVW9NaHZrWlYwWWcrd0tZZ3p1YjlJdE0vU0lGa1pLaHZRUVFoMEluZm85aWg2NVh2agotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
--- a/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml
+++ b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml
@ -0,0 +1,13 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: org2-tls-cert-issuer
+spec:
+  ca:
+    secretName: org2-tls-cert-issuer-secret
--- a/test-network-k8s/scripts/fabric_CAs.sh
+++ b/test-network-k8s/scripts/fabric_CAs.sh
@ -47,6 +47,46 @@ function launch_ECert_CAs() {
  pop_fn
 }

+# experimental: create TLS CA issuers using cert-manager for each org.
+function init_tls_cert_issuers() {
+  push_fn "Initializing TLS certificate issuers"
+
+  # todo: secret needs to be created before the issuer - the lag will cause an error on the first init for the issuer.
+  kubectl -n $NS delete -f kube/org0/org0-tls-cert-issuer-secret.yaml || true
+  kubectl -n $NS delete -f kube/org1/org1-tls-cert-issuer-secret.yaml || true
+  kubectl -n $NS delete -f kube/org2/org2-tls-cert-issuer-secret.yaml || true
+
+  kubectl -n $NS create -f kube/org0/org0-tls-cert-issuer-secret.yaml
+  kubectl -n $NS create -f kube/org1/org1-tls-cert-issuer-secret.yaml
+  kubectl -n $NS create -f kube/org2/org2-tls-cert-issuer-secret.yaml
+
+  # todo: find a better way to wait for the secret to be created.
+  # sleep 10
+
+  kubectl -n $NS apply -f kube/org0/org0-tls-cert-issuer.yaml
+  kubectl -n $NS apply -f kube/org1/org1-tls-cert-issuer.yaml
+  kubectl -n $NS apply -f kube/org2/org2-tls-cert-issuer.yaml
+
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer
+
+  pop_fn
+}
+
+# use cert-manager to issue ECDSA TLS certificates for the ecert CA.  Replaces the bootstrap ecert user enrollment in the TLS CA
+function issue_ECert_CA_tls_certs() {
+
+  kubectl -n $NS apply -f kube/org0/org0-ecert-ca-tls-cert.yaml
+  kubectl -n $NS apply -f kube/org1/org1-ecert-ca-tls-cert.yaml
+  kubectl -n $NS apply -f kube/org2/org2-ecert-ca-tls-cert.yaml
+
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org0-ecert-ca-tls-cert
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org1-ecert-ca-tls-cert
+  kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org2-ecert-ca-tls-cert
+}
+
+
 # Enroll bootstrap user with TLS CA
 # https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca
 function enroll_bootstrap_TLS_CA_user() {
@ -128,7 +168,7 @@ function enroll_bootstrap_ECert_CA_user() {

  fabric-ca-client enroll \
    --url https://'${auth}'@'${ecert_ca}' \
-    --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \
+    --tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt \
    --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp

  ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh
--- a/test-network-k8s/scripts/test_network.sh
+++ b/test-network-k8s/scripts/test_network.sh
@ -49,7 +49,7 @@ function launch_peers() {
 function create_org0_local_MSP() {
  echo 'set -x
  export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
-  export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem
+  export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt

  # Each identity in the network needs a registration and enrollment.
  fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp
@ -62,20 +62,6 @@ function create_org0_local_MSP() {
  fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp
  fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp

-  # Each node in the network needs a TLS registration and enrollment.
-  fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-  fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-  fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
-  fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls
-  fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls
-  fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls
-
-  # Copy the TLS signing keys to a fixed path for convenience when starting the orderers.
-  cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key
-  cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key
-  cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key
-
  # Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?)
  echo "NodeOUs:
    Enable: true
@ -101,7 +87,7 @@ function create_org1_local_MSP() {

  echo 'set -x
  export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
-  export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem
+  export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt

  # Each identity in the network needs a registration and enrollment.
  fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp
@ -112,17 +98,6 @@ function create_org1_local_MSP() {
  fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ecert-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp
  fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ecert-ca  --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp

-  # Each node in the network needs a TLS registration and enrollment.
-  fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-  fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
-  fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-tls-ca --csr.hosts org1-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls
-  fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-tls-ca --csr.hosts org1-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls
-
-  # Copy the TLS signing keys to a fixed path for convenience when launching the peers
-  cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key
-  cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key
-
  cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key

  # Create local MSP config.yaml
@ -151,7 +126,7 @@ function create_org1_local_MSP() {
 function create_org2_local_MSP() {
  echo 'set -x
  export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
-  export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem
+  export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt

  # Each identity in the network needs a registration and enrollment.
  fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp
@ -162,17 +137,6 @@ function create_org2_local_MSP() {
  fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ecert-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp
  fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ecert-ca  --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp

-  # Each node in the network needs a TLS registration and enrollment.
-  fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-  fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
-  fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-tls-ca --csr.hosts org2-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls
-  fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-tls-ca --csr.hosts org2-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls
-
-  # Copy the TLS signing keys to a fixed path for convenience when launching the peers
-  cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key
-  cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key
-
  cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key

  # Create local MSP config.yaml
@ -214,16 +178,19 @@ function network_up() {
  load_org_config

  # Network TLS CAs
-  launch_TLS_CAs
-  enroll_bootstrap_TLS_CA_users
+#  launch_TLS_CAs
+#  enroll_bootstrap_TLS_CA_users
+  init_tls_cert_issuers

  # Network ECert CAs
-  register_enroll_ECert_CA_bootstrap_users
+  #register_enroll_ECert_CA_bootstrap_users
+  issue_ECert_CA_tls_certs
  launch_ECert_CAs
  enroll_bootstrap_ECert_CA_users

  # Test Network
  create_local_MSP
+
  launch_orderers
  launch_peers
 }