+
+
+[](https://hyperledger-fabric.readthedocs.io/)
+[](https://kubernetes.io/)
+[](https://opensource.org/licenses/Apache-2.0)
+[](#)
+
+---
+
+## 🌍 Overview
+
+The Hyperledger Fabric Treetracker Network is a blockchain-based solution designed to provide transparent, immutable tracking of tree planting initiatives and carbon offset programs. Built for [Greenstand](https://greenstand.org/) and partners, this network ensures accountability in environmental restoration projects through distributed ledger technology.
+
+### Key Features
+
+- **🔒 Immutable Tree Records** - Every tree planting event is permanently recorded on the blockchain
+- **🤝 Multi-Organization Network** - Supports Greenstand, CBOs, Investors, and Verifiers
+- **🌐 Public Transparency** - All stakeholders can verify tree planting data
+- **📊 Real-time Analytics** - Live dashboards for monitoring forest restoration progress
+- **🔐 Enterprise Security** - Certificate-based authentication and TLS encryption
+- **📈 Scalable Infrastructure** - Kubernetes-based deployment supporting global operations
+
+---
+
+## 🏗️ Network Architecture
+
+### Organizations
+
+| Organization | Role | Peers | Description |
+|--------------|------|-------|-------------|
+| **Greenstand** | Network Admin | 3 | Primary tree tracking organization |
+| **CBO** | Tree Planters | 2 | Community-Based Organizations |
+| **Investor** | Funders | 2 | Carbon offset purchasers |
+| **Verifier** | Validators | 1 | Independent verification entities |
+
+### Network Components
+
+- **🏦 Ordering Service**: 5-node Raft consensus cluster
+- **🔐 Certificate Authorities**: 5 CAs (1 Root + 4 Organization CAs)
+- **📊 Monitoring**: Prometheus + Grafana stack
+- **🗄️ Storage**: Persistent volumes with automatic backup
+- **🌐 API Gateway**: RESTful APIs for external integration
+
+---
+
+## 🚀 Quick Start
+
+### Prerequisites
+
+- **Kubernetes Cluster**: v1.23+ with 5+ nodes
+- **Storage**: 500GB+ SSD with dynamic provisioning
+- **Resources**: 32+ CPU cores, 64GB+ RAM
+- **Network**: LoadBalancer support for external access
+
+### 1. Clone the Repository
+
+```bash
+git clone https://github.com/Greenstand/hyperledger-fabric-network.git
+cd hyperledger-fabric-network
+```
+
+### 2. Deploy the Network
+
+```bash
+# Deploy complete network infrastructure
+./scripts/deploy-treetracker-network.sh
+
+# Create channels
+./scripts/create-channels.sh
+
+# Deploy chaincode
+./scripts/deploy-chaincode.sh
+
+# Verify deployment
+./scripts/test-network.sh
+```
+
+### 3. Access the Network
+
+```bash
+# Get network status
+kubectl get pods --all-namespaces | grep hlf-
+
+# Access API Gateway
+kubectl port-forward svc/api-gateway 8080:80 -n treetracker-apps
+
+# View monitoring dashboard
+kubectl port-forward svc/grafana 3000:3000 -n monitoring
+```
+
+---
+
+## 📚 Documentation
+
+Comprehensive documentation is available in the `/docs` directory:
+
+### For Users & Operators
+- 📖 **[User Manual](docs/TREETRACKER_USER_MANUAL.md)** - Complete user guide for network operations
+- 🛠️ **[Deployment Guide](docs/TREETRACKER_DEPLOYMENT_GUIDE.md)** - Step-by-step deployment instructions
+
+### For Developers
+- 💻 **[Integration Manual](docs/TREETRACKER_INTEGRATION_MANUAL.md)** - SDK usage and API integration
+- 🏗️ **[Architecture Guide](docs/TREETRACKER_ARCHITECTURE_GUIDE.md)** - Network design and component details
+
+### Quick Reference
+- [API Documentation](docs/TREETRACKER_INTEGRATION_MANUAL.md#api-reference)
+- [Chaincode Functions](docs/TREETRACKER_INTEGRATION_MANUAL.md#chaincode-development)
+- [Troubleshooting Guide](docs/TREETRACKER_DEPLOYMENT_GUIDE.md#troubleshooting)
+- [Monitoring & Alerts](docs/TREETRACKER_ARCHITECTURE_GUIDE.md#monitoring-and-observability)
+
+---
+
+## 🌐 Network Endpoints
+
+### Production Network
+- **API Gateway**: `https://api.treetracker.network`
+- **Blockchain Explorer**: `https://explorer.treetracker.network`
+- **Monitoring Dashboard**: `https://monitoring.treetracker.network`
+
+### Development Network
+- **API Gateway**: `http://localhost:8080`
+- **Grafana**: `http://localhost:3000`
+- **Prometheus**: `http://localhost:9090`
+
+---
+
+## 🔧 Directory Structure
+
+```
+hyperledger-fabric-network/
+├── 📁 chaincode/ # Smart contracts
+│ └── treetracker/ # Tree tracking chaincode (Go)
+├── 📁 config/ # Network configuration
+│ ├── configtx.yaml # Channel configuration
+│ ├── crypto-config.yaml # Certificate configuration
+│ └── network-config.yaml # Main network settings
+├── 📁 docs/ # Documentation
+│ ├── TREETRACKER_USER_MANUAL.md
+│ ├── TREETRACKER_INTEGRATION_MANUAL.md
+│ ├── TREETRACKER_ARCHITECTURE_GUIDE.md
+│ └── TREETRACKER_DEPLOYMENT_GUIDE.md
+├── 📁 k8s/ # Kubernetes manifests
+│ ├── ca/ # Certificate Authority deployments
+│ ├── orderer/ # Orderer node deployments
+│ ├── peers/ # Peer node deployments
+│ └── monitoring/ # Monitoring stack
+├── 📁 scripts/ # Deployment and management scripts
+│ ├── deploy-treetracker-network.sh
+│ ├── create-channels.sh
+│ ├── deploy-chaincode.sh
+│ └── test-network.sh
+└── 📁 api/ # REST API gateway
+ ├── nodejs/ # Node.js SDK integration
+ └── gateway/ # API Gateway service
+```
+
+---
+
+## 🔐 Security Features
+
+### Certificate Management
+- **Root CA**: Self-signed root certificate authority
+- **Organization CAs**: Individual CAs for each organization
+- **TLS Encryption**: All network communication encrypted
+- **Certificate Rotation**: Automated certificate lifecycle management
+
+### Network Security
+- **RBAC**: Role-based access control for all operations
+- **Network Policies**: Kubernetes network segmentation
+- **Mutual TLS**: Peer-to-peer authentication
+- **HSM Support**: Hardware security module integration (optional)
+
+### Data Privacy
+- **Channel Isolation**: Private data channels between organizations
+- **Endorsement Policies**: Multi-signature transaction validation
+- **Audit Trails**: Immutable transaction logs
+- **Data Encryption**: At-rest and in-transit encryption
+
+---
+
+## 📊 Monitoring & Observability
+
+### Metrics Collection
+- **Peer Metrics**: Transaction throughput, ledger size, endorsement latency
+- **Orderer Metrics**: Block creation rate, consensus performance
+- **Network Metrics**: Channel health, certificate status
+- **Application Metrics**: API response times, chaincode execution
+
+### Alerting
+- **Network Health**: Peer/orderer downtime alerts
+- **Performance**: Transaction latency thresholds
+- **Security**: Certificate expiration warnings
+- **Capacity**: Storage and resource utilization
+
+### Dashboards
+- **Executive Dashboard**: High-level KPIs and network status
+- **Operations Dashboard**: Detailed technical metrics
+- **Business Dashboard**: Tree planting progress and carbon metrics
+
+---
+
+## 🧪 Testing & Quality Assurance
+
+### Test Coverage
+- **Unit Tests**: Chaincode function testing
+- **Integration Tests**: End-to-end network testing
+- **Performance Tests**: Load testing and benchmarking
+- **Security Tests**: Penetration testing and vulnerability scans
+
+### Continuous Integration
+- **Automated Testing**: GitHub Actions CI/CD pipeline
+- **Code Quality**: SonarQube analysis
+- **Security Scanning**: Container and dependency scanning
+- **Deployment Testing**: Automated deployment validation
+
+---
+
+## 🚀 Deployment Options
+
+### Cloud Providers
+- **AWS**: EKS with managed services
+- **Google Cloud**: GKE with Cloud SQL
+- **Azure**: AKS with Azure Storage
+- **DigitalOcean**: DOKS with block storage
+
+### On-Premises
+- **Bare Metal**: Direct Kubernetes installation
+- **VMware**: vSphere with Tanzu
+- **OpenShift**: Red Hat OpenShift platform
+
+### Development
+- **Kind**: Local Kubernetes in Docker
+- **Minikube**: Single-node local cluster
+- **Docker Compose**: Simplified local development
+
+---
+
+## 🤝 Contributing
+
+We welcome contributions from the community! Please see our [Contributing Guidelines](CONTRIBUTING.md) for details.
+
+### Development Workflow
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes with tests
+4. Submit a pull request
+
+### Code Standards
+- **Go**: Follow Go best practices for chaincode
+- **JavaScript**: ESLint configuration for API code
+- **Documentation**: Update docs for any API changes
+- **Testing**: Maintain 80%+ test coverage
+
+---
+
+## 📞 Support & Community
+
+### Getting Help
+- **Documentation**: Comprehensive guides in `/docs`
+- **GitHub Issues**: Bug reports and feature requests
+- **Discord**: Real-time community support
+- **Email**: technical-support@greenstand.org
+
+### Community Resources
+- **Greenstand Website**: [https://greenstand.org](https://greenstand.org)
+- **Slack Channel**: [#treetracker-blockchain](https://greenstand.slack.com)
+- **Developer Forum**: [https://forum.greenstand.org](https://forum.greenstand.org)
+
+---
+
+## 📈 Roadmap
+
+### Current Release (v1.0)
+- ✅ Multi-organization network
+- ✅ Tree tracking chaincode
+- ✅ Kubernetes deployment
+- ✅ Monitoring and alerting
+
+### Next Release (v1.1)
+- 🔄 Mobile wallet integration
+- 🔄 Carbon credit tokenization
+- 🔄 Enhanced analytics dashboard
+- 🔄 Multi-chain interoperability
+
+### Future Releases
+- 📋 IoT sensor integration
+- 📋 Satellite imagery verification
+- 📋 Machine learning analytics
+- 📋 Cross-border payment rails
+
+---
+
+## 📄 License
+
+This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.
+
+---
+
+## 🙏 Acknowledgments
+
+- **Hyperledger Foundation**: For the excellent Fabric framework
+- **Greenstand Team**: For environmental vision and leadership
+- **Open Source Community**: For tools, libraries, and inspiration
+- **Tree Planting Partners**: CBOs worldwide making real impact
+
+---
+
+**🌱 Together, we're growing a more transparent and sustainable future through blockchain technology! 🌱**
+
+
diff --git a/hyperledger-fabric-network/ca/DOCUMENTATION_INDEX.md b/hyperledger-fabric-network/ca/DOCUMENTATION_INDEX.md
new file mode 100644
index 0000000..cbbe0c5
--- /dev/null
+++ b/hyperledger-fabric-network/ca/DOCUMENTATION_INDEX.md
@@ -0,0 +1,183 @@
+# CA Infrastructure Documentation Index
+
+## Document Overview
+
+This directory contains comprehensive documentation for the Hyperledger Fabric Certificate Authority infrastructure. The documentation is organized into several key areas covering different aspects of CA management and operations.
+
+## Documentation Structure
+
+### 📋 Core Documentation
+
+| Document | Purpose | Audience | Last Updated |
+|----------|---------|----------|--------------|
+| [`README.md`](README.md) | Overview and quick start guide | All users | 2024-09-02 |
+| [`TECHNICAL_SPECS.md`](TECHNICAL_SPECS.md) | Technical specifications and architecture | Engineers, Architects | 2024-09-02 |
+| [`OPERATIONAL_PROCEDURES.md`](OPERATIONAL_PROCEDURES.md) | Daily operations and maintenance | Operations Teams | 2024-09-02 |
+| [`SECURITY_PROCEDURES.md`](SECURITY_PROCEDURES.md) | Security protocols and incident response | Security Teams | 2024-09-02 |
+
+### 📁 Directory Documentation
+
+| Component | Location | Documentation |
+|-----------|----------|---------------|
+| **Helm Charts** | `helm-charts/` | Individual chart README files |
+| **Scripts** | `scripts/` | Script headers and inline documentation |
+| **Fabric CA Configs** | `fabric-ca/` | Configuration file comments |
+| **Certificate Monitor** | `../monitoring/` | Integration documentation |
+
+## Quick Reference Guide
+
+### 🚀 Getting Started
+
+**New to CA infrastructure?**
+1. Start with [`README.md`](README.md) for overview and quick start
+2. Review [`TECHNICAL_SPECS.md`](TECHNICAL_SPECS.md) for architecture understanding
+3. Follow deployment procedures in scripts documentation
+
+**Operations team?**
+1. Focus on [`OPERATIONAL_PROCEDURES.md`](OPERATIONAL_PROCEDURES.md)
+2. Review daily/weekly/monthly procedures
+3. Familiarize with troubleshooting procedures
+
+**Security team?**
+1. Study [`SECURITY_PROCEDURES.md`](SECURITY_PROCEDURES.md)
+2. Review incident response procedures
+3. Understand compliance requirements
+
+### 🔍 Common Tasks
+
+| Task | Primary Document | Supporting Documents |
+|------|------------------|---------------------|
+| **Deploy new CA** | README.md | TECHNICAL_SPECS.md |
+| **Certificate renewal** | OPERATIONAL_PROCEDURES.md | SECURITY_PROCEDURES.md |
+| **Backup/restore** | OPERATIONAL_PROCEDURES.md | TECHNICAL_SPECS.md |
+| **Incident response** | SECURITY_PROCEDURES.md | OPERATIONAL_PROCEDURES.md |
+| **Performance tuning** | TECHNICAL_SPECS.md | OPERATIONAL_PROCEDURES.md |
+| **Security hardening** | SECURITY_PROCEDURES.md | TECHNICAL_SPECS.md |
+
+## Document Contents Summary
+
+### [`README.md`](README.md)
+- **Overview**: CA infrastructure introduction and architecture
+- **Quick Start**: Step-by-step deployment guide
+- **Directory Structure**: File and folder organization
+- **Basic Operations**: Common commands and procedures
+- **Troubleshooting**: Common issues and solutions
+- **Integration**: How CA integrates with other systems
+
+### [`TECHNICAL_SPECS.md`](TECHNICAL_SPECS.md)
+- **System Architecture**: Technical design and component relationships
+- **Container Specifications**: Resource requirements and configurations
+- **Network Configuration**: Security, ports, and communication
+- **API Documentation**: REST APIs and CLI commands
+- **Performance Metrics**: Scalability limits and capacity planning
+- **Configuration Management**: Environment variables and ConfigMaps
+- **Version Management**: Upgrade procedures and compatibility
+
+### [`OPERATIONAL_PROCEDURES.md`](OPERATIONAL_PROCEDURES.md)
+- **Standard Operating Procedures**: Daily, weekly, monthly tasks
+- **Incident Response**: Emergency procedures and escalation
+- **Maintenance Procedures**: Planned maintenance and updates
+- **Monitoring Procedures**: Health checks and performance monitoring
+- **Backup/Restore**: Complete data protection procedures
+- **Change Management**: Configuration and version changes
+
+### [`SECURITY_PROCEDURES.md`](SECURITY_PROCEDURES.md)
+- **Security Framework**: Objectives and access control
+- **Cryptographic Security**: Key management and certificate validation
+- **Network Security**: Segmentation and TLS configuration
+- **Incident Response**: Security incident classification and response
+- **Compliance**: Audit procedures and regulatory requirements
+- **Security Hardening**: Container and network security measures
+
+## Documentation Maintenance
+
+### 📝 Update Schedule
+
+| Document Type | Update Frequency | Trigger Events |
+|---------------|------------------|----------------|
+| **README.md** | Quarterly | Major feature additions, structural changes |
+| **TECHNICAL_SPECS.md** | Bi-annually | Version upgrades, architecture changes |
+| **OPERATIONAL_PROCEDURES.md** | Monthly | Process improvements, new procedures |
+| **SECURITY_PROCEDURES.md** | Quarterly | Security policy changes, incident learnings |
+
+### ✍️ Contributing to Documentation
+
+#### Documentation Standards
+- **Format**: Markdown with consistent styling
+- **Code Blocks**: Include language identifiers and executable examples
+- **Version Control**: All changes tracked in git
+- **Review Process**: Technical review required for procedure changes
+
+#### Update Process
+1. **Identify Changes**: Document what needs updating
+2. **Draft Updates**: Create updated content following standards
+3. **Technical Review**: Review for accuracy and completeness
+4. **Security Review**: Security procedures require security team review
+5. **Approval**: Platform lead approval for operational changes
+6. **Deployment**: Update files and notify relevant teams
+
+### 🔄 Document Relationships
+
+```mermaid
+graph LR
+ A[README.md] --> B[TECHNICAL_SPECS.md]
+ A --> C[OPERATIONAL_PROCEDURES.md]
+ B --> C
+ B --> D[SECURITY_PROCEDURES.md]
+ C --> D
+
+ E[Scripts] --> C
+ F[Helm Charts] --> A
+ F --> B
+ G[Monitoring] --> C
+ G --> D
+```
+
+## Additional Resources
+
+### 🔗 External References
+
+| Resource | Link | Purpose |
+|----------|------|---------|
+| **Hyperledger Fabric CA Documentation** | [Official Docs](https://hyperledger-fabric-ca.readthedocs.io/) | Official reference |
+| **Kubernetes Documentation** | [k8s.io](https://kubernetes.io/docs/) | Platform reference |
+| **Helm Documentation** | [helm.sh](https://helm.sh/docs/) | Deployment tools |
+| **Security Best Practices** | [NIST Framework](https://www.nist.gov/cyberframework) | Security guidelines |
+
+### 📞 Support and Contact
+
+| Type | Contact | Purpose |
+|------|---------|---------|
+| **Technical Support** | Platform Team | Infrastructure issues |
+| **Security Issues** | Security Team | Security incidents, vulnerabilities |
+| **Documentation Updates** | Documentation Team | Content improvements |
+| **Emergency Escalation** | On-call Manager | Critical incidents |
+
+## Version History
+
+| Version | Date | Changes | Author |
+|---------|------|---------|--------|
+| 1.0 | 2024-09-02 | Initial documentation creation | System |
+| | | Complete CA infrastructure documentation | |
+| | | Security procedures and compliance | |
+| | | Operational procedures and monitoring | |
+
+## Compliance and Governance
+
+### 📋 Document Classification
+- **README.md**: Internal Use
+- **TECHNICAL_SPECS.md**: Internal Use
+- **OPERATIONAL_PROCEDURES.md**: Internal Use
+- **SECURITY_PROCEDURES.md**: Confidential
+
+### 🔒 Access Control
+- **Read Access**: All development and operations team members
+- **Write Access**: Platform leads, documentation maintainers
+- **Security Docs**: Security team approval required for changes
+
+### 📊 Usage Analytics
+- Documentation access patterns monitored
+- Most frequently accessed sections identified
+- User feedback collected for improvements
+
+This documentation index provides a comprehensive overview of all CA infrastructure documentation, helping users quickly find the information they need for their specific roles and tasks.
diff --git a/hyperledger-fabric-network/ca/README.md b/hyperledger-fabric-network/ca/README.md
new file mode 100644
index 0000000..9f2b387
--- /dev/null
+++ b/hyperledger-fabric-network/ca/README.md
@@ -0,0 +1,275 @@
+# Hyperledger Fabric Certificate Authority (CA) Documentation
+
+This directory contains the complete Certificate Authority infrastructure for the Hyperledger Fabric network, including Root CA, Intermediate CAs, deployment scripts, and management tools.
+
+## Overview
+
+The CA infrastructure provides:
+- **Root CA**: Central certificate authority for the network
+- **Intermediate CAs**: Organization-specific certificate authorities (CBO, Investor, Verifier, Greenstand)
+- **Automated enrollment**: Scripts for identity registration and certificate enrollment
+- **Kubernetes deployment**: Helm charts for scalable CA deployment
+- **Backup/restore**: Complete CA data backup and restoration capabilities
+
+## Directory Structure
+
+```
+ca/
+├── helm-charts/ # Helm deployment charts
+│ ├── root-ca/ # Root CA deployment
+│ ├── cbo-ca/ # CBO organization CA
+│ ├── investor-ca/ # Investor organization CA
+│ ├── verifier-ca/ # Verifier organization CA
+│ ├── greenstand-ca/ # Greenstand organization CA
+│ └── fabric-ca-client/ # CA client pod deployment
+├── scripts/ # Management and deployment scripts
+│ ├── create-ca-secrets.sh # Kubernetes secret creation
+│ ├── enroll-admin.sh # Admin enrollment
+│ ├── register-identities.sh # Identity registration
+│ ├── enroll-ica.sh # Intermediate CA enrollment
+│ ├── backup-ca.sh # CA backup script
+│ └── restore-ca.sh # CA restoration script
+├── fabric-ca/ # CA server configurations
+│ ├── root-ca/
+│ ├── cbo-ca/
+│ ├── investor-ca/
+│ ├── verifier-ca/
+│ └── greenstand-ca/
+└── README.md # This documentation
+```
+
+## Certificate Authority Hierarchy
+
+```
+Root CA (root-ca)
+├── CBO-CA (cbo-ca) # CBO organization certificates
+├── Investor-CA (investor-ca) # Investor organization certificates
+├── Verifier-CA (verifier-ca) # Verifier organization certificates
+└── Greenstand-CA (greenstand-ca) # Greenstand organization certificates
+```
+
+## Quick Start
+
+### 1. Deploy Root CA
+```bash
+cd helm-charts/root-ca
+helm install root-ca . -n hlf-ca --create-namespace
+```
+
+### 2. Deploy CA Client
+```bash
+cd helm-charts/fabric-ca-client
+kubectl apply -f fabric-ca-client.yaml
+```
+
+### 3. Enroll Admin
+```bash
+cd scripts
+./enroll-admin.sh
+```
+
+### 4. Register Intermediate CAs
+```bash
+./register-identities.sh
+```
+
+### 5. Deploy Intermediate CAs
+```bash
+cd ../helm-charts/cbo-ca
+helm install cbo-ca . -n hlf-ca
+
+cd ../investor-ca
+helm install investor-ca . -n hlf-ca
+
+cd ../verifier-ca
+helm install verifier-ca . -n hlf-ca
+```
+
+### 6. Enroll Intermediate CAs
+```bash
+cd ../../scripts
+./enroll-ica.sh
+```
+
+### 7. Create Kubernetes Secrets
+```bash
+./create-ca-secrets.sh
+```
+
+## Configuration
+
+### Root CA Configuration
+- **Image**: hyperledger/fabric-ca:1.5.12
+- **Port**: 7054
+- **Storage**: 2Gi persistent volume
+- **TLS**: Enabled with custom certificates
+- **Database**: SQLite3 (configurable to PostgreSQL/MySQL)
+
+### Intermediate CA Configuration
+- **Parent**: Root CA
+- **Organizations**: CBO, Investor, Verifier, Greenstand
+- **Auto-enrollment**: Configured for MSP and TLS certificates
+- **Storage**: 2Gi per CA instance
+
+## Management Scripts
+
+### Identity Management
+```bash
+# Enroll admin identity
+./enroll-admin.sh
+
+# Register new intermediate CA
+./register-identities.sh
+
+# Enroll intermediate CAs
+./enroll-ica.sh
+```
+
+### Secret Management
+```bash
+# Create all CA secrets
+./create-ca-secrets.sh
+
+# Backup CA data
+./backup-ca.sh
+
+# Restore CA data
+./restore-ca.sh
+```
+
+## Helm Charts
+
+### Root CA Chart
+- **Location**: `helm-charts/root-ca/`
+- **Purpose**: Deploys Root Certificate Authority
+- **Features**: TLS-enabled, persistent storage, custom CSR configuration
+
+### Intermediate CA Charts
+- **Locations**: `helm-charts/{org}-ca/`
+- **Purpose**: Deploy organization-specific CAs
+- **Features**: Parent CA integration, automatic enrollment, TLS configuration
+
+### CA Client Chart
+- **Location**: `helm-charts/fabric-ca-client/`
+- **Purpose**: Provides fabric-ca-client for enrollment operations
+- **Features**: Persistent client data, configuration management
+
+## Operations
+
+### Daily Operations
+```bash
+# Check CA pod status
+kubectl get pods -n hlf-ca
+
+# View CA logs
+kubectl logs -n hlf-ca -l app=root-ca
+
+# Check certificate expiry
+kubectl exec -n hlf-ca fabric-ca-client-0 -- \
+ fabric-ca-client certificate list --tls.certfiles /data/hyperledger/fabric-ca-client/root-ca/tls-cert.pem
+```
+
+### Backup Operations
+```bash
+# Create backup
+./scripts/backup-ca.sh
+
+# Verify backup contents
+tar -tzf fabric-ca-backup-*.tgz | head -20
+
+# Store backup securely (off-cluster)
+```
+
+### Certificate Renewal
+```bash
+# Check certificate expiry
+for ca in root-ca cbo-ca investor-ca verifier-ca; do
+ echo "Checking $ca certificate expiry..."
+ kubectl exec -n hlf-ca $ca-0 -- \
+ openssl x509 -in /etc/hyperledger/fabric-ca-server/ca-cert.pem -noout -enddate
+done
+
+# Renew certificates (if needed)
+# Follow certificate renewal runbook
+```
+
+## Security Considerations
+
+### Access Control
+- **RBAC**: Kubernetes RBAC limits CA access
+- **Network policies**: Restrict CA network access
+- **Secrets**: TLS certificates stored as Kubernetes secrets
+- **Encryption**: All CA communications use TLS
+
+### Certificate Management
+- **Root CA**: Highest security - air-gapped if possible
+- **Intermediate CAs**: Organization-isolated
+- **Key protection**: Private keys stored securely in persistent volumes
+- **Certificate rotation**: Regular certificate renewal procedures
+
+## Troubleshooting
+
+### Common Issues
+
+#### CA Pod Not Starting
+```bash
+# Check pod status and events
+kubectl describe pod -n hlf-ca root-ca-0
+
+# Check persistent volume claims
+kubectl get pvc -n hlf-ca
+
+# Verify TLS certificates
+kubectl get secret -n hlf-ca | grep tls
+```
+
+#### Enrollment Failures
+```bash
+# Check CA client connectivity
+kubectl exec -n hlf-ca fabric-ca-client-0 -- \
+ fabric-ca-client getcainfo -u https://root-ca.hlf-ca.svc.cluster.local:7054
+
+# Verify TLS certificate
+kubectl exec -n hlf-ca fabric-ca-client-0 -- \
+ ls -la /data/hyperledger/fabric-ca-client/root-ca/
+```
+
+#### Certificate Issues
+```bash
+# Validate certificate chain
+kubectl exec -n hlf-ca fabric-ca-client-0 -- \
+ openssl verify -CAfile /data/hyperledger/fabric-ca-client/root-ca/msp/cacerts/root-ca-hlf-ca-svc-cluster-local-7054.pem \
+ /data/hyperledger/fabric-ca-client/cbo-ca/msp/signcerts/cert.pem
+```
+
+## Integration
+
+### With Peer Networks
+- CAs provide certificates for peer MSP and TLS
+- Certificate secrets automatically created for peer deployments
+- Integration with certificate monitoring system
+
+### With Certificate Monitoring
+- CA certificates monitored for expiry
+- Automated alerts for CA certificate issues
+- Health metrics exported to Prometheus
+
+### With CI/CD Pipeline
+- CA validation in deployment pipeline
+- Automated certificate checks
+- Integration with Jenkins/GitHub Actions
+
+## Maintenance
+
+### Regular Tasks
+- **Weekly**: Check CA pod health and logs
+- **Monthly**: Review certificate expiry dates
+- **Quarterly**: Perform CA backup
+- **Annually**: Plan certificate renewal cycle
+
+### Emergency Procedures
+- **CA failure**: Restore from backup using restore-ca.sh
+- **Certificate expiry**: Emergency certificate renewal
+- **Security breach**: Revoke compromised certificates
+
+This CA infrastructure provides a robust foundation for certificate management in your Hyperledger Fabric network with comprehensive automation, monitoring, and operational procedures.
diff --git a/hyperledger-fabric-network/ca/helm-charts/fabric-ca-client/fabric-ca-client-config.yaml b/hyperledger-fabric-network/ca/helm-charts/fabric-ca-client/fabric-ca-client-config.yaml
new file mode 100644
index 0000000..bf362c4
--- /dev/null
+++ b/hyperledger-fabric-network/ca/helm-charts/fabric-ca-client/fabric-ca-client-config.yaml
@@ -0,0 +1,176 @@
+
+#############################################################################
+# This is a configuration file for the fabric-ca-client command.
+#
+# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
+# ------------------------------------------------
+# Each configuration element can be overridden via command line
+# arguments or environment variables. The precedence for determining
+# the value of each element is as follows:
+# 1) command line argument
+# Examples:
+# a) --url https://localhost:7054
+# To set the fabric-ca server url
+# b) --tls.client.certfile certfile.pem
+# To set the client certificate for TLS
+# 2) environment variable
+# Examples:
+# a) FABRIC_CA_CLIENT_URL=https://localhost:7054
+# To set the fabric-ca server url
+# b) FABRIC_CA_CLIENT_TLS_CLIENT_CERTFILE=certfile.pem
+# To set the client certificate for TLS
+# 3) configuration file
+# 4) default value (if there is one)
+# All default values are shown beside each element below.
+#
+# FILE NAME ELEMENTS
+# ------------------
+# The value of all fields whose name ends with "file" or "files" are
+# name or names of other files.
+# For example, see "tls.certfiles" and "tls.client.certfile".
+# The value of each of these fields can be a simple filename, a
+# relative path, or an absolute path. If the value is not an
+# absolute path, it is interpreted as being relative to the location
+# of this configuration file.
+#
+#############################################################################
+
+#############################################################################
+# Client Configuration
+#############################################################################
+
+# URL of the Fabric-ca-server (default: http://localhost:7054)
+url: https://verifier-ca.hlf-ca.svc.cluster.local:7054
+
+# Membership Service Provider (MSP) directory
+# This is useful when the client is used to enroll a peer or orderer, so
+# that the enrollment artifacts are stored in the format expected by MSP.
+mspdir: /etc/hyperledger/fabric-ca-client/peer0.verifier/msp
+
+#############################################################################
+# TLS section for secure socket connection
+#
+# certfiles - PEM-encoded list of trusted root certificate files
+# client:
+# certfile - PEM-encoded certificate file for when client authentication
+# is enabled on server
+# keyfile - PEM-encoded key file for when client authentication
+# is enabled on server
+#############################################################################
+tls:
+ # TLS section for secure socket connection
+ certfiles:
+ client:
+ certfile:
+ keyfile:
+
+#############################################################################
+# Certificate Signing Request section for generating the CSR for an
+# enrollment certificate (ECert)
+#
+# cn - Used by CAs to determine which domain the certificate is to be generated for
+#
+# keyrequest - Properties to use when generating a private key.
+# algo - key generation algorithm to use
+# size - size of key to generate
+# reusekey - reuse existing key during reenrollment
+#
+# serialnumber - The serialnumber field, if specified, becomes part of the issued
+# certificate's DN (Distinguished Name). For example, one use case for this is
+# a company with its own CA (Certificate Authority) which issues certificates
+# to its employees and wants to include the employee's serial number in the DN
+# of its issued certificates.
+# WARNING: The serialnumber field should not be confused with the certificate's
+# serial number which is set by the CA but is not a component of the
+# certificate's DN.
+#
+# names - A list of name objects. Each name object should contain at least one
+# "C", "L", "O", or "ST" value (or any combination of these) where these
+# are abbreviations for the following:
+# "C": country
+# "L": locality or municipality (such as city or town name)
+# "O": organization
+# "OU": organizational unit, such as the department responsible for owning the key;
+# it can also be used for a "Doing Business As" (DBS) name
+# "ST": the state or province
+#
+# Note that the "OU" or organizational units of an ECert are always set according
+# to the values of the identities type and affiliation. OUs are calculated for an enroll
+# as OU=🌳 Blockchain-based Tree Tracking Network 🌳
+A production-ready Hyperledger Fabric network for transparent tree planting and carbon offset tracking
+