# Step 5: Enroll an Administrative User Step 5: Enroll the Member Admin In this step, you use a pre-configured certificate to enroll a user with administrative permissions to your member's certificate authority (CA). To do this, you must create a certificate file. You also need the endpoint for the CA of your member, and the user name and password for the user that you created in [Step 1: Create the Network and First Member](get-started-create-network.md). ## Step 5.1: Create the Certificate File 5.1: Create the Certificate File Run the following command to copy the `managedblockchain-tls-chain.pem` to the `/home/ec2-user` directory. Replace `MyRegion` with the AWS Region you are using—for example, `us-east-1`. ``` aws s3 cp s3://MyRegion.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem ``` If the command fails with a permissions error, ensure that a service role associated with the EC2 instance allows access to the Amazon S3 bucket location. For more information see [Example IAM Role Permissions Policy for Hyperledger Fabric Client EC2 Instance](security_iam_hyperledger_ec2_client.md). Run the following command to test that you copied the contents to the file correctly: ``` openssl x509 -noout -text -in /home/ec2-user/managedblockchain-tls-chain.pem ``` The command should return the contents of the certificate in human-readable format. ## Step 5.2: Enroll the Administrative User 5.2 Enroll the Admin AMB Access registers the user identity that you specified when you created the member as an administrator. In Hyperledger Fabric, this user is known as the *bootstrap identity* because the identity is used to enroll itself. To enroll, you need the CA endpoint, as well as the user name and password for the administrator that you created in [Step 1: Create the Network and First Member](get-started-create-network.md). For information about registering other user identities as administrators before you enroll them, see [Register and Enroll a Hyperledger Fabric Admin](managed-blockchain-hyperledger-create-admin.md). Use the `get-member` command to get the CA endpoint for your membership as shown in the following example. Replace the values of `--network-id` and `--member-id` with the values returned in [Step 1: Create the Network and First Member](get-started-create-network.md). ``` aws managedblockchain get-member \ --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \ --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A ``` The command returns information about the initial member that you created in the network, as shown in the following example. Make a note of the `CaEndpoint`. You also need the `AdminUsername` and password that you created along with the network. The command returns output similar to the following: ``` { "Member": { "NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU", "Status": "AVAILABLE", "Description": "MyNetDescription", "FrameworkAttributes": { "Fabric": { "CaEndpoint": "ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002", "AdminUsername": "Example-AdminUser" } }, "StatusReason": "Network member created successfully", "CreationDate": 1542255358.74, "Id": "m-K46ICRRXJRCGRNNS4ES4XUUS5A", "Name": "org1" } } ``` Use the CA endpoint, administrator profile, and the certificate file to enroll the member administrator using the `fabric-ca-client enroll` command, as shown in the following example: ``` fabric-ca-client enroll \ -u 'https://${AdminUsername}:${AdminPassword}@$CASERVICEENDPOINT' \ --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp ``` To use this command, you will need to set the following environment variables: + **AdminUsername** — The admin username. + **AdminPassword** — The admin password. **Warning** Always use variables in your code to pass user credentials. For more information, see [Move hard-coded credentials to AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/hardcoded.html) An example command with fictitious administrator name, password, and endpoint is shown in the following example: ``` fabric-ca-client enroll \ -u https://Example-AdminUser:Example-Password123@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \ --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp ``` The command returns output similar to the following: ``` 2018/11/16 02:21:40 [INFO] Created a default configuration file at /home/ec2-user/.fabric-ca-client/fabric-ca-client-config.yaml 2018/11/16 02:21:40 [INFO] TLS Enabled 2018/11/16 02:21:40 [INFO] generating key: &{A:ecdsa S:256} 2018/11/16 02:21:40 [INFO] encoded CSR 2018/11/16 02:21:40 [INFO] Stored client certificate at /home/ec2-user/admin-msp/signcerts/cert.pem 2018/11/16 02:21:40 [INFO] Stored root CA certificate at /home/ec2-user/admin-msp/cacerts/ca-abcd1efghijkllmn5op3q52rst-uqz2f2xakfd7vcfewqhckr7q5m-managedblockchain-us-east-1-amazonaws-com-30002.pem ``` **Important** It may take a minute or two after you enroll for you to be able to use your administrator certificate to create a channel with the ordering service. ## Step 5.3: Copy Certificates for the MSP 5.3: Copy Certificates In Hyperledger Fabric, the Membership Service Provider (MSP) identifies which root CAs and intermediate CAs are trusted to define the members of a trust domain. Certificates for the administrator's MSP are in `/home/ec2-user/admin-msp` in this tutorial. Because this MSP is for the member administrator, copy the certificates from `signcerts` to `admincerts` as shown in the following example. The example assumes you are in the `/home/ec2-user` directory when running the command. ``` cp -r /home/ec2-user/admin-msp/signcerts admin-msp/admincerts ```