Activate members in an Azure Managed CCF resource

In this guide, you will learn how to activate the member(s) in an Azure Managed CCF (Managed CCF) resource. This tutorial builds on the Managed CCF resource created in the Quickstart: Create an Azure Managed CCF resource using the Azure portal tutorial.


Download the service identity

An Azure Managed CCF resource has a unique identity called the service identity. It is represented by a certificate and is created during the resource creation. Every individual node that is part of the Azure Managed CCF resource has its self-signed certificate, endorsed by the service identity, which establishes trust on it.

Customers are recommended to download the service identity certificate and use it to establish a TLS connection when interacting with the service. The following command downloads the certificate and saves it into service_cert.pem.

curl --silent | jq ' .ledgerTlsCertificate' | xargs echo -e > service_cert.pem

Activate Member(s)

When a member is added to a Managed CCF resource, they are in the accepted state. They cannot participate in governance until they are activated. To do so, the member must acknowledge that they are satisfied with the state of the service (for example, after auditing the current constitution and the nodes currently trusted).

  1. The member must update and retrieve the latest state digest. In doing so, the new member confirms that they are satisfied with the current state of the service.
curl -X POST --cacert service_cert.pem --key member0_privk.pem --cert member0_cert.pem --silent | jq > request.json
cat request.json
    "state_digest": <...>


When executing the commands on a Mac, replace date -Is with date +%FT%T%z.

  1. The member must sign the state digest using the ccf_cose_sign1 utility. This utility is installed along with the CCF Python package.
ccf_cose_sign1 --ccf-gov-msg-type ack --ccf-gov-msg-created_at `date -Is` --signing-key member0_privk.pem --signing-cert member0_cert.pem --content request.json | \
 curl --cacert service_cert.pem --data-binary @- -H "content-type: application/cose"
  1. After the command completes, the member is active and can participate in governance. The members can be viewed using the following command.
curl --cacert service_cert.pem | jq
  "710c4d7ce6a70a89137b39170cd5c48f94b4756a66e66b2242370111c1c47564": {
    "cert": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAX2gAwIBAgIQW20I1iR...l8Uv8rRce\n-----END CERTIFICATE-----",
    "member_data": {
      "is_operator": true,
      "owner": "Microsoft Azure"
    "public_encryption_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...n3QIDAQAB\n-----END PUBLIC KEY-----\n",
    "status": "Active"
  "f9ea379051e5292b538ff2a3dc97f1bb4d5046f12e2bdbf5b8e3acc4516f34e3": {
    "cert": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAUKgAwIBAgIURuSESLma...yyK1EHhxx\n-----END CERTIFICATE-----",
    "member_data": {
      "group": "",
      "identifier": "member0"
    "public_encryption_key": null,
    "status": "Active"

Next steps