Establish trust on Azure confidential ledger

An Azure confidential ledger node executes on top of a Trusted Execution Environment(TEE), such as Intel SGX, which guarantees the confidentiality of the data while in process. The trustworthiness of the platform and the binaries running inside it is guaranteed through a remote attestation process. An Azure confidential ledger requires a node to present a quote before joining the network. The quote report data contains the cryptographic hash of the node's identity public key and the MRENCLAVE value. The node is allowed to join the network if the quote is found to be valid and the MRENCLAVE value is one of the allowed values in the auditable governance.


Verify node quote

Download the service identity

It is used to verify the identity of the node that the client is connected to and establish a secure communication channel with it. The following command downloads the service identity, formats it and saves it to service_cert.pem.

curl<ledgername> --silent | jq '.ledgerTlsCertificate' | xargs echo -e > service_cert.pem

Verify quote

The node quote can be downloaded from https://<ledgername> and verified by using the oeverify tool that ships with the Open Enclave SDK or with the script. It is installed with the CCF installation or the CCF Python package. For complete details about the script and the supported parameters, refer to

/opt/ccf_virtual/bin/ https://<ledgername> --cacert service_cert.pem

The script checks if the cryptographic hash of the node's identity public key (DER encoded) matches the SGX report data and that the MRENCLAVE value present in the quote is trusted. A list of trusted MRENCLAVE values in the network can be downloaded from the https://<ledgername> endpoint. An optional mrenclave parameter can be supplied to check if the node is running the trusted code. If supplied, the mreclave value in the quote must match it exactly.

Next steps