Tearing Down What I Built

Summary

A story about architectural pride, certificate validation failures, and the moment I realized the elegant design I built was fundamentally wrong.

---

The Architecture I Loved

I was proud of that architecture.

Each organization with its own Certificate Authority. Clean separation. Beautiful isolation. Every org controlled its own identity, issuing certificates, managing keys, trusting only what it chose to trust.

It felt right. The kind of design you draw on a whiteboard and everyone nods approvingly. Decentralized trust. Independent governance. A federation of equals.

I had spent weeks building it. TLS CAs for each organization. Enrollment certificates from separate roots. A web of trust that mirrored the business model, autonomous partners, connected but independent.

It was elegant.

It was also wrong.

---

The First Cracks

The failures started small.

A peer wouldn't connect to an orderer. Certificate validation failed. I checked the chain, everything looked correct. The root CA was trusted. The intermediate signed properly. The leaf certificate was valid.

I reissued the certificates. It worked.

A week later, another failure. Different component, same error. Certificate validation. Chain incomplete. Trust anchor missing.

I patched it. Moved on.

Then the cross-organization calls started failing. Chaincode couldn't invoke chaincode. Peers couldn't gossip. The network that was supposed to be a federation was becoming a collection of islands that occasionally couldn't see each other.

The first crack in a foundation doesn't collapse the building.

It just tells you where to stop looking away.

---

The Pattern I Missed

I went back to the Hyperledger Fabric documentation. Not skimming this time. Reading.

Buried in the operations guide, almost as an aside:

"For TLS, it is recommended to use a single organizational CA or a shared TLS CA across organizations."

One sentence. No emphasis. No warning box. Just a quiet recommendation that contradicted everything I had built.

I kept reading.

The problem with per-organization TLS CAs isn't that they can't work. It's that every cross-organization connection requires explicit trust configuration. Every peer needs to trust every other org's TLS CA. Every orderer needs the full bundle. Every chaincode container needs the complete chain.

In theory, you configure this once. In practice, certificates rotate. CAs get renewed. One org updates their root, and suddenly half the network can't validate their connections.

My "elegant" architecture wasn't decentralized trust. It was distributed complexity.

---

The Sunk Cost

I stared at my infrastructure code. Hundreds of lines. Ansible playbooks for each organization's CA. Kubernetes secrets for each root certificate. Renewal scripts for each trust chain.

I had built something substantial. Something that worked, most of the time. Something I understood deeply because I had crafted every piece.

The question wasn't technical. It was emotional.

Do I keep patching what I built? Or do I tear it down and rebuild?

I knew the answer. I just didn't want to admit it.

---

The Decision

There's a moment in every project where you realize you've been solving the wrong problem.

I wasn't dealing with certificate issues. I was dealing with architectural debt. Every fix I applied was interest on a loan I took when I chose the wrong pattern.

The per-org CA design had felt right because it matched the business model. But TLS isn't about business relationships. TLS is about transport security. It doesn't care about organizational boundaries. It cares about one thing: can I verify that this certificate was issued by someone I trust?

The simplest answer to that question is: one issuer. One trust anchor. One source of truth for TLS identity.

I opened my editor and started deleting.

---

The Rebuild

The new architecture was almost embarrassingly simple.

One TLS CA. Shared across all organizations. PostgreSQL-backed for durability. Automated enrollment for every component.

No more trust bundle synchronization. No more cross-org certificate exchanges. No more "did you update your trust store?" debugging sessions.

Every peer, every orderer, every chaincode, they all trusted the same root. Certificate validation became trivial: is this cert signed by the TLS CA? Yes? We're done.

I wrote it as Infrastructure as Code. Terraform for the CA. Kubernetes manifests for the deployment. Automated scripts for certificate renewal. Everything reproducible. Everything version-controlled.

The rebuild took days. The original architecture had taken weeks.

That ratio told me everything.

---

What Got Deleted

git rm -r ansible/ca-org1/
git rm -r ansible/ca-org2/
git rm -r ansible/ca-org3/
git rm scripts/sync-trust-bundles.sh
git rm scripts/rotate-org-certificates.sh
git rm -r k8s/secrets/org-tls-roots/

Hundreds of lines. Hours of work. Documentation I had written with care.

The commit message was simple:

refactor: replace per-org TLS CAs with centralized TLS CA

The per-organization CA architecture created unnecessary complexity
for cross-org certificate validation. A single TLS CA simplifies
trust management without compromising security boundaries.

BREAKING CHANGE: All components must re-enroll with new TLS CA.

I didn't explain the weeks I had spent building what I was deleting. The commit didn't need my regret. It just needed to be correct.

---

What I Learned

1. Elegant design isn't always correct design.

The per-org CA architecture was conceptually beautiful. It matched the business model. It felt philosophically right. But engineering isn't philosophy. The right design is the one that works reliably, not the one that looks best on a whiteboard.

2. The hardest commits are deletions.

Adding code is easy. It feels like progress. Deleting code you built with care, that requires admitting you were wrong. But code you're proud of can still be code that shouldn't exist.

3. Sunk cost is the enemy of good architecture.

I kept patching because I had invested so much. But investment doesn't make something right. Every hour I spent fixing the wrong architecture was an hour I could have spent building the right one.

4. Simple often beats clever.

One TLS CA is boring. It doesn't demonstrate sophisticated understanding of distributed trust. It doesn't showcase architectural creativity. But it works. Every time. Without edge cases. Boring is underrated.

---

The Architecture I Needed

The network has been running on the centralized TLS CA for months now.

No certificate validation failures. No trust bundle synchronization. No debugging sessions that end with "did you update your root cert?"

The components connect. The handshakes complete. The transactions flow.

It's not elegant. It's not what I would draw on a whiteboard to impress someone. But it's correct.

And correct beats elegant every time.

---

Closing

I still have the old infrastructure code in a branch somewhere. Not because I'll ever use it, but because it reminds me of something important.

The architecture you're proud of isn't always the architecture that's right.

Sometimes the best thing you can do is look at something you built with care, acknowledge that you learned better, and delete it.

The hardest commits aren't the ones that add features.

They're the ones that delete something you built with care, because you learned better.

Pride in your work is good.

Pride that prevents you from fixing your work is dangerous.

---

Technical Notes

For anyone designing TLS architecture for Hyperledger Fabric or similar distributed systems:

If you're debugging certificate validation failures across organizations, ask yourself: is the architecture wrong, or is the implementation wrong? Sometimes the fix isn't in the certificates. It's in the design.