hyperledger · gengur · Jan 21, 2026
diff --git a/common/tools/armageddon/cryptogen.go b/common/tools/armageddon/cryptogen.go
@@ -552,7 +552,19 @@ func copyFile(src, dst string) error {
 	return err
 }
 
-func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, pathToNewTLSCert string, pathToNewTLSKey string, nodesIPs []string) ([]byte, error) {
+func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, certType string, pathToNewCert string, pathToNewPrivateKey string, nodesIPs []string) ([]byte, error) {
+	var ku x509.KeyUsage
+	switch certType {
+	case "tls":
+		certType = "tls"
+		ku = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
+	case "sign":
+		certType = "sign"
+		ku = x509.KeyUsageDigitalSignature
+	default:
+		return nil, fmt.Errorf("unsupported cert type: %s", certType)
+	}
+
 	caCertBytes, err := utils.ReadPem(caCertPath)
 	if err != nil {
 		return nil, err
@@ -595,20 +607,20 @@ func CreateNewCertificateFromCA(caCertPath string, caPrivateKeyPath string, path
 		return nil, fmt.Errorf("failed marshaling private key, err: %s", err)
 	}
 
-	_, err = ca.SignCertificate(pathToNewTLSCert, "tls", nil, nodesIPs, GetPublicKey(privateKey), x509.KeyUsageCertSign|x509.KeyUsageCRLSign, []x509.ExtKeyUsage{
+	_, err = ca.SignCertificate(pathToNewCert, certType, nil, nodesIPs, GetPublicKey(privateKey), ku, []x509.ExtKeyUsage{
 		x509.ExtKeyUsageClientAuth,
 		x509.ExtKeyUsageServerAuth,
 	})
 	if err != nil {
 		return nil, err
 	}
 
-	err = utils.WritePEMToFile(pathToNewTLSKey, "PRIVATE KEY", privateKeyBytes)
+	err = utils.WritePEMToFile(pathToNewPrivateKey, "PRIVATE KEY", privateKeyBytes)
 	if err != nil {
 		return nil, err
 	}
 
-	newCertBytes, err := os.ReadFile(filepath.Join(pathToNewTLSCert, "tls-cert.pem"))
+	newCertBytes, err := os.ReadFile(filepath.Join(pathToNewCert, fmt.Sprintf("%s-cert.pem", certType)))
 	if err != nil {
 		return nil, err
 	}

diff --git a/common/utils/net.go b/common/utils/net.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package utils
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"fmt"
@@ -64,6 +65,20 @@ func CertificateBytesToString(cert []byte) (string, error) {
 	return CertificateToString(x509Cert), nil
 }
 
+func AreCertificatesEqual(cert1, cert2 []byte) (bool, error) {
+	x509Cert1, err := Parsex509Cert(cert1)
+	if err != nil {
+		return false, err
+	}
+	x509Cert2, err := Parsex509Cert(cert2)
+	if err != nil {
+		return false, err
+	}
+
+	// Compare RawTBSCertificate fields
+	return bytes.Equal(x509Cert1.RawTBSCertificate, x509Cert2.RawTBSCertificate), nil
+}
+
 func CertificateToString(cert *x509.Certificate) string {
 	var sb strings.Builder
 	fmt.Fprintf(&sb, "Certificate:\n")

diff --git a/config/config.go b/config/config.go
@@ -698,7 +698,11 @@ func (config *Configuration) CheckIfBatcherNodeExistsInSharedConfig(localSignCer
 		return fmt.Errorf("batcher in shard%d does not exist for party%d in the shared config", localShardID, localPartyID)
 	}
 
-	if !bytes.Equal(localTLSCert, sharedBatcherConfig.TlsCert) {
+	equal, err := utils.AreCertificatesEqual(localTLSCert, sharedBatcherConfig.TlsCert)
+	if err != nil {
+		return err
+	}
+	if !equal {
 		localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 		if err != nil {
 			return err
@@ -710,7 +714,11 @@ func (config *Configuration) CheckIfBatcherNodeExistsInSharedConfig(localSignCer
 		return fmt.Errorf("certificate mismatch: the batcher of party %d shard %d is attempting to load with TLS certificate: %v that differs from the shared configuration TLS certificate: %v", localPartyID, localShardID, localTLSCertString, sharedTLSCertString)
 	}
 
-	if !bytes.Equal(localSignCert, sharedBatcherConfig.SignCert) {
+	equal, err = utils.AreCertificatesEqual(localSignCert, sharedBatcherConfig.SignCert)
+	if err != nil {
+		return err
+	}
+	if !equal {
 		localSignCertString, err := utils.CertificateBytesToString(localSignCert)
 		if err != nil {
 			return err
@@ -738,7 +746,11 @@ func (config *Configuration) CheckIfConsenterNodeExistsInSharedConfig(localSignC
 			return fmt.Errorf("consenter configuration of partyID %d is missing from the shared configuration: %+v", localPartyID, sharedPartyConfig)
 		}
 
-		if !bytes.Equal(localSignCert, sharedPartyConfig.ConsenterConfig.SignCert) {
+		equal, err := utils.AreCertificatesEqual(localSignCert, sharedPartyConfig.ConsenterConfig.SignCert)
+		if err != nil {
+			return err
+		}
+		if !equal {
 			localSignCertString, err := utils.CertificateBytesToString(localSignCert)
 			if err != nil {
 				return err
@@ -750,7 +762,11 @@ func (config *Configuration) CheckIfConsenterNodeExistsInSharedConfig(localSignC
 			return fmt.Errorf("sign certificate mismatch: Consenter%d is attempting to load with sign certificate: %v that differs from the shared configuration sign certificate: %v", localPartyID, localSignCertString, sharedSignCertString)
 		}
 
-		if !bytes.Equal(localTLSCert, sharedPartyConfig.ConsenterConfig.TlsCert) {
+		equal, err = utils.AreCertificatesEqual(localTLSCert, sharedPartyConfig.ConsenterConfig.TlsCert)
+		if err != nil {
+			return err
+		}
+		if !equal {
 			localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 			if err != nil {
 				return err
@@ -776,7 +792,11 @@ func (config *Configuration) CheckIfAssemblerNodeExistsInSharedConfig() error {
 			if sharedPartyConfig.AssemblerConfig == nil {
 				return fmt.Errorf("assembler configuration of partyID %d is missing from the shared configuration: %+v", localPartyID, sharedPartyConfig)
 			}
-			if !bytes.Equal(localTLSCert, sharedPartyConfig.AssemblerConfig.TlsCert) {
+			equal, err := utils.AreCertificatesEqual(localTLSCert, sharedPartyConfig.AssemblerConfig.TlsCert)
+			if err != nil {
+				return err
+			}
+			if !equal {
 				localTLSCertString, err := utils.CertificateBytesToString(localTLSCert)
 				if err != nil {
 					return err

diff --git a/node/consensus/consensus_real_reconfig_test.go b/node/consensus/consensus_real_reconfig_test.go
@@ -165,7 +165,7 @@ func TestConsensusWithRealConfigUpdate(t *testing.T) {
 		caPrivKeyPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "tlsca", "priv_sk")
 		newCertPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "orderers", fmt.Sprintf("party%d", consenterToUpdate), "consenter", "tls")
 		newKeyPath := filepath.Join(dir, "crypto", "ordererOrganizations", fmt.Sprintf("org%d", consenterToUpdate), "orderers", fmt.Sprintf("party%d", consenterToUpdate), "consenter", "tls", "key.pem")
-		newCert, err := armageddon.CreateNewCertificateFromCA(caCertPath, caPrivKeyPath, newCertPath, newKeyPath, nodesIPs)
+		newCert, err := armageddon.CreateNewCertificateFromCA(caCertPath, caPrivKeyPath, "tls", newCertPath, newKeyPath, nodesIPs)
 		require.NoError(t, err)
 		configUpdatePbData := configUpdateBuilder.UpdateConsensusTLSCert(t, consenterToUpdate, newCert)
 		env := configutil.CreateConfigTX(t, dir, parties, 1, configUpdatePbData)