diff --git a/common/tools/cryptogen/main.go b/common/tools/cryptogen/main.go
index 206127ddac6..63d42fd2b13 100644
--- a/common/tools/cryptogen/main.go
+++ b/common/tools/cryptogen/main.go
@@ -49,6 +49,7 @@ type NodeTemplate struct {
 }
 type NodeSpec struct {
+ isAdmin bool
 Hostname string `yaml:"Hostname"`
 CommonName string `yaml:"CommonName"`
 Country string `yaml:"Country"`
@@ -546,6 +547,7 @@ func generatePeerOrg(baseDir string, orgSpec OrgSpec) {
 }
 // add an admin user
 adminUser := NodeSpec{
+ isAdmin: true,
 CommonName: fmt.Sprintf("%s@%s", adminBaseName, orgName),
 }
@@ -602,9 +604,13 @@ func generateNodes(baseDir string, nodes []NodeSpec, signCA *ca.CA, tlsCA *ca.CA
 for _, node := range nodes {
 nodeDir := filepath.Join(baseDir, node.CommonName)
 if _, err := os.Stat(nodeDir); os.IsNotExist(err) {
- err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, nodeType, nodeOUs)
+ currentNodeType := nodeType
+ if node.isAdmin && nodeOUs {
+ currentNodeType = msp.ADMIN
+ }
+ err := msp.GenerateLocalMSP(nodeDir, node.CommonName, node.SANS, signCA, tlsCA, currentNodeType, nodeOUs)
 if err != nil {
- fmt.Printf("Error generating local MSP for %s:\n%v\n", node, err)
+ fmt.Printf("Error generating local MSP for %v:\n%v\n", node, err)
 os.Exit(1)
 }
 }
diff --git a/integration/nwo/configtx_template.go b/integration/nwo/configtx_template.go
index b4a0daf37a3..187eef301fe 100644
--- a/integration/nwo/configtx_template.go
+++ b/integration/nwo/configtx_template.go
@@ -50,7 +50,7 @@ Organizations:{{ range .PeerOrgs }}
 Channel: &ChannelDefaults
 Capabilities:
- V1_4_2: true
+ V1_4_3: true
 Policies:
 Readers:
 Type: ImplicitMeta
diff --git a/msp/configbuilder.go b/msp/configbuilder.go
index 78b2af73c3d..084b7f436f2 100644
--- a/msp/configbuilder.go
+++ b/msp/configbuilder.go
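Review bot: `isAdmin` in `NodeSpec` (common/tools/cryptogen/main.go, first hunk) carries no comment, yet it decides which generated identity receives `msp.ADMIN` in `generateNodes`. It is unexported and has no `yaml` tag, so presumably it cannot be set from a crypto-config file and only `generatePeerOrg` sets it. A comment on the field would keep that property from being lost in a later edit: `// isAdmin is set by cryptogen itself for the org admin user; it is not read from the YAML spec.` The struct continues outside the hunk.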
@@ -296,17 +296,14 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 // Prepare NodeOUs
 if configuration.NodeOUs != nil && configuration.NodeOUs.Enable {
 mspLogger.Debug("Loading NodeOUs")
- if configuration.NodeOUs.ClientOUIdentifier == nil || len(configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier) == 0 {
- return nil, errors.New("Failed loading NodeOUs. ClientOU must be different from nil.")
+ nodeOUs = &msp.FabricNodeOUs{
+ Enable: true,
 }
- if configuration.NodeOUs.PeerOUIdentifier == nil || len(configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier) == 0 {
- return nil, errors.New("Failed loading NodeOUs. PeerOU must be different from nil.")
+ if configuration.NodeOUs.ClientOUIdentifier != nil && len(configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier) != 0 {
+ nodeOUs.ClientOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier}
 }
-
- nodeOUs = &msp.FabricNodeOUs{
- Enable: configuration.NodeOUs.Enable,
- ClientOuIdentifier: &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier},
- PeerOuIdentifier: &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier},
+ if configuration.NodeOUs.PeerOUIdentifier != nil && len(configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier) != 0 {
+ nodeOUs.PeerOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier}
 }
 if configuration.NodeOUs.AdminOUIdentifier != nil && len(configuration.NodeOUs.AdminOUIdentifier.OrganizationalUnitIdentifier) != 0 {
 nodeOUs.AdminOuIdentifier = &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.AdminOUIdentifier.OrganizationalUnitIdentifier}
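Review bot: In `getMspConfig`, an identifier block that is present but has an empty `OrganizationalUnitIdentifier` is now skipped without any trace, where the removed lines returned an error. The error was moved to `setupNodeOUs` for older MSP versions, but for v1.4.3 the role simply ends up with no classification; the new test loads `testdata/nodeousbadconf2` (empty peer identifier) with no error. A warning in the skipped case keeps a config.yaml typo visible, e.g. `mspLogger.Warning("NodeOUs enabled but PeerOUIdentifier has no OrganizationalUnitIdentifier, peer classification not set")`, and likewise for the client branch. The function starts and ends outside the hunk.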
@@ -318,9 +315,13 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 // Read certificates, if defined
 // ClientOU
- nodeOUs.ClientOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.ClientOUIdentifier.Certificate, "ClientOU")
+ if nodeOUs.ClientOuIdentifier != nil {
+ nodeOUs.ClientOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.ClientOUIdentifier.Certificate, "ClientOU")
+ }
 // PeerOU
- nodeOUs.PeerOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.PeerOUIdentifier.Certificate, "PeerOU")
+ if nodeOUs.PeerOuIdentifier != nil {
+ nodeOUs.PeerOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.PeerOUIdentifier.Certificate, "PeerOU")
+ }
 // AdminOU
 if nodeOUs.AdminOuIdentifier != nil {
 nodeOUs.AdminOuIdentifier.Certificate = loadCertificateAt(dir, configuration.NodeOUs.AdminOUIdentifier.Certificate, "AdminOU")
diff --git a/msp/mspimpl.go b/msp/mspimpl.go
index ab20f6cae18..eda59dc2783 100644
--- a/msp/mspimpl.go
+++ b/msp/mspimpl.go
@@ -326,25 +326,29 @@ func (msp *bccspmsp) hasOURole(id Identity, mspRole m.MSPRole_MSPRoleType) error
 }
 func (msp *bccspmsp) hasOURoleInternal(id *identity, mspRole m.MSPRole_MSPRoleType) error {
- var nodeOUValue string
+ var nodeOU *OUIdentifier
 switch mspRole {
 case m.MSPRole_CLIENT:
- nodeOUValue = msp.clientOU.OrganizationalUnitIdentifier
+ nodeOU = msp.clientOU
 case m.MSPRole_PEER:
- nodeOUValue = msp.peerOU.OrganizationalUnitIdentifier
+ nodeOU = msp.peerOU
 case m.MSPRole_ADMIN:
- nodeOUValue = msp.adminOU.OrganizationalUnitIdentifier
+ nodeOU = msp.adminOU
 case m.MSPRole_ORDERER:
- if msp.ordererOU == nil {
- return errors.New("cannot test for orderer ou classification, node ou for orderers not defined")
- }
- nodeOUValue = msp.ordererOU.OrganizationalUnitIdentifier
+ nodeOU = msp.ordererOU
 default:
 return errors.New("Invalid MSPRoleType. It must be CLIENT, PEER, ADMIN or ORDERER")
 }
+ // Notice that, for versions prior to v1.4.3, hasOURoleInternal is invoked
+ // only to check that an identity is a client or a peer. The relative nodeOU are supposed to be different from nil.
+ // For version >= v1.4.3, any classification is optional.
+ if nodeOU == nil {
+ return errors.Errorf("cannot test for classification, node ou for type [%s], not defined, msp: [%s]", mspRole, msp.name)
+ }
+
 for _, OU := range id.GetOrganizationalUnits() {
- if OU.OrganizationalUnitIdentifier == nodeOUValue {
+ if OU.OrganizationalUnitIdentifier == nodeOU.OrganizationalUnitIdentifier {
 return nil
 }
 }
diff --git a/msp/mspimplsetup.go b/msp/mspimplsetup.go
index 02bd0e09503..e34d00fc380 100644
--- a/msp/mspimplsetup.go
+++ b/msp/mspimplsetup.go
@@ -187,8 +187,8 @@ func (msp *bccspmsp) setupAdminsV143(conf *m.FabricMSPConfig) error {
 return err
 }
- if len(msp.admins) == 0 && !msp.ouEnforcement {
- return errors.New("administrators must be declared when no ou enforcement is set")
+ if len(msp.admins) == 0 && (!msp.ouEnforcement || msp.adminOU == nil) {
+ return errors.New("administrators must be declared when no admin ou classification is set")
 }
 return nil
@@ -252,6 +252,14 @@ func (msp *bccspmsp) setupNodeOUs(config *m.FabricMSPConfig) error {
 msp.ouEnforcement = config.FabricNodeOus.Enable
+ if config.FabricNodeOus.ClientOuIdentifier == nil || len(config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier) == 0 {
+ return errors.New("Failed setting up NodeOUs. ClientOU must be different from nil.")
+ }
+
+ if config.FabricNodeOus.PeerOuIdentifier == nil || len(config.FabricNodeOus.PeerOuIdentifier.OrganizationalUnitIdentifier) == 0 {
+ return errors.New("Failed setting up NodeOUs. PeerOU must be different from nil.")
+ }
+
 // ClientOU
 msp.clientOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier}
 if len(config.FabricNodeOus.ClientOuIdentifier.Certificate) != 0 {
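Review bot: The two checks added to `setupNodeOUs` (second hunk) have no comment saying why they live here rather than in the config loader, and the context lines right after them depend on them: `msp.clientOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier}` dereferences the identifier unconditionally. Proposed comment above the first check: `// Pre-v1.4.3 MSPs require client and peer classification; validate here so every FabricMSPConfig is checked before the dereferences below.` As far as the hunk shows, the checks also run when `Enable` is false, which may be intended but is worth stating in the same comment. setupNodeOUs starts and ends outside the hunk.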
@@ -280,26 +288,57 @@ func (msp *bccspmsp) setupNodeOUs(config *m.FabricMSPConfig) error {
 }
 func (msp *bccspmsp) setupNodeOUsV143(config *m.FabricMSPConfig) error {
- if err := msp.setupNodeOUs(config); err != nil {
- return err
- }
-
 if config.FabricNodeOus == nil {
+ msp.ouEnforcement = false
 return nil
 }
- // AdminOU
- if config.FabricNodeOus.AdminOuIdentifier == nil {
- return errors.New("invalid admin ou configuration, nil.")
+ msp.ouEnforcement = config.FabricNodeOus.Enable
+
+ counter := 0
+ // ClientOU
+ if config.FabricNodeOus.ClientOuIdentifier != nil {
+ msp.clientOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.ClientOuIdentifier.OrganizationalUnitIdentifier}
+ if len(config.FabricNodeOus.ClientOuIdentifier.Certificate) != 0 {
+ certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.ClientOuIdentifier.Certificate)
+ if err != nil {
+ return err
+ }
+ msp.clientOU.CertifiersIdentifier = certifiersIdentifier
+ }
+ counter++
+ } else {
+ msp.clientOU = nil
 }
- msp.adminOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.AdminOuIdentifier.OrganizationalUnitIdentifier}
- if len(config.FabricNodeOus.AdminOuIdentifier.Certificate) != 0 {
- certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.AdminOuIdentifier.Certificate)
- if err != nil {
- return err
+ // PeerOU
+ if config.FabricNodeOus.PeerOuIdentifier != nil {
+ msp.peerOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.PeerOuIdentifier.OrganizationalUnitIdentifier}
+ if len(config.FabricNodeOus.PeerOuIdentifier.Certificate) != 0 {
+ certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.PeerOuIdentifier.Certificate)
+ if err != nil {
+ return err
+ }
+ msp.peerOU.CertifiersIdentifier = certifiersIdentifier
+ }
+ counter++
+ } else {
+ msp.peerOU = nil
+ }
+
+ // AdminOU
+ if config.FabricNodeOus.AdminOuIdentifier != nil {
+ msp.adminOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOus.AdminOuIdentifier.OrganizationalUnitIdentifier}
+ if len(config.FabricNodeOus.AdminOuIdentifier.Certificate) != 0 {
+ certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOus.AdminOuIdentifier.Certificate)
+ if err != nil {
+ return err
+ }
+ msp.adminOU.CertifiersIdentifier = certifiersIdentifier
 }
- msp.adminOU.CertifiersIdentifier = certifiersIdentifier
+ counter++
+ } else {
+ msp.adminOU = nil
 }
 // OrdererOU
@@ -312,10 +351,16 @@ func (msp *bccspmsp) setupNodeOUsV143(config *m.FabricMSPConfig) error {
 }
 msp.ordererOU.CertifiersIdentifier = certifiersIdentifier
 }
+ counter++
 } else {
 msp.ordererOU = nil
 }
+ if counter == 0 {
+ // Disable NodeOU
+ msp.ouEnforcement = false
+ }
+
 return nil
 }
@@ -614,8 +659,10 @@ func (msp *bccspmsp) postSetupV143(conf *m.FabricMSPConfig) error {
 // Check that admins are clients or admins
 for i, admin := range msp.admins {
- if msp.hasOURole(admin, m.MSPRole_CLIENT) != nil && msp.hasOURole(admin, m.MSPRole_ADMIN) != nil {
- return errors.Errorf("admin %d is invalid", i)
+ err1 := msp.hasOURole(admin, m.MSPRole_CLIENT)
+ err2 := msp.hasOURole(admin, m.MSPRole_ADMIN)
+ if err1 != nil && err2 != nil {
+ return errors.Errorf("admin %d is invalid [%s,%s]", i, err1, err2)
 }
 }
diff --git a/msp/mspimplvalidate.go b/msp/mspimplvalidate.go
index bbe04e80e9c..4706b687e51 100644
--- a/msp/mspimplvalidate.go
+++ b/msp/mspimplvalidate.go
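Review bot: `setupNodeOUsV143` accepts an identifier whose `OrganizationalUnitIdentifier` is the empty string, because each new branch tests only `!= nil`, while `getMspConfig` and the pre-1.4.3 `setupNodeOUs` in this same commit also test the length. A `FabricMSPConfig` that was not built by `getMspConfig` could therefore register `""` as a classification value, which `hasOURoleInternal` compares by plain string equality and `validateIdentityOUsV143` uses as a map key. Tightening each branch keeps the three places consistent, e.g. `if ou := config.FabricNodeOus.ClientOuIdentifier; ou != nil && len(ou.OrganizationalUnitIdentifier) != 0 {`. The same applies to the peer and admin branches and presumably to the orderer branch, which starts outside this hunk.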
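Review bot: The `counter == 0` branch at the end of `setupNodeOUsV143` switches `msp.ouEnforcement` off without reporting it, even when the configuration had `Enable` set to true. An operator who enabled NodeOUs but supplied no usable classification then runs an MSP without OU enforcement and gets no signal. A log line before the assignment would make the downgrade visible, e.g. `mspLogger.Warningf("NodeOUs enabled for msp [%s] but no classification is defined, OU enforcement disabled", msp.name)`; if that configuration is never intended, returning an error is the stricter choice. The `// Disable NodeOU` comment could also say why disabling is safe here.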
@@ -220,9 +220,15 @@ func (msp *bccspmsp) validateIdentityOUsV143(id *identity) error {
 // used to tell apart clients, peers and admins.
 counter := 0
 validOUs := make(map[string]*OUIdentifier)
- validOUs[msp.clientOU.OrganizationalUnitIdentifier] = msp.clientOU
- validOUs[msp.peerOU.OrganizationalUnitIdentifier] = msp.peerOU
- validOUs[msp.adminOU.OrganizationalUnitIdentifier] = msp.adminOU
+ if msp.clientOU != nil {
+ validOUs[msp.clientOU.OrganizationalUnitIdentifier] = msp.clientOU
+ }
+ if msp.peerOU != nil {
+ validOUs[msp.peerOU.OrganizationalUnitIdentifier] = msp.peerOU
+ }
+ if msp.adminOU != nil {
+ validOUs[msp.adminOU.OrganizationalUnitIdentifier] = msp.adminOU
+ }
 if msp.ordererOU != nil {
 validOUs[msp.ordererOU.OrganizationalUnitIdentifier] = msp.ordererOU
 }
diff --git a/msp/nodeous_test.go b/msp/nodeous_test.go
index e9408c25e62..63d19e18742 100644
--- a/msp/nodeous_test.go
+++ b/msp/nodeous_test.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2017 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 package msp
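Review bot: The four nil-guarded insertions in `validateIdentityOUsV143` (msp/mspimplvalidate.go) repeat the same three lines, so the rule "only defined classifications are valid" is stated four times. A loop states it once: `for _, ou := range []*OUIdentifier{msp.clientOU, msp.peerOU, msp.adminOU, msp.ordererOU} {` with `if ou != nil { validOUs[ou.OrganizationalUnitIdentifier] = ou }` as its body. The function starts and ends outside the hunk.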
@@ -259,14 +249,14 @@ func TestSatisfiesPrincipalAdmin(t *testing.T) {
 assert.NoError(t, err)
 }
-func TestLoad142MSPWithInvalidAdminConfiguration(t *testing.T) {
+func TestLoad143MSPWithInvalidAdminConfiguration(t *testing.T) {
 // testdata/nodeouadmin2:
 // the configuration enables NodeOUs (with adminOU) but no valid identifier for the AdminOU
- getLocalMSPWithVersionErr(t, "testdata/nodeouadmin2", MSPv1_4_3, "invalid admin ou configuration, nil.")
+ getLocalMSPWithVersionErr(t, "testdata/nodeouadmin2", MSPv1_4_3, "administrators must be declared when no admin ou classification is set")
 // testdata/nodeouadmin3:
 // the configuration enables NodeOUs (with adminOU) but no valid identifier for the AdminOU
- getLocalMSPWithVersionErr(t, "testdata/nodeouadmin3", MSPv1_4_3, "invalid admin ou configuration, nil.")
+ getLocalMSPWithVersionErr(t, "testdata/nodeouadmin3", MSPv1_4_3, "administrators must be declared when no admin ou classification is set")
 }
 func TestSatisfiesPrincipalOrderer(t *testing.T) {
@@ -287,7 +277,7 @@ func TestSatisfiesPrincipalOrderer(t *testing.T) {
 assert.NoError(t, err)
 }
-func TestLoad142MSPWithInvalidOrdererConfiguration(t *testing.T) {
+func TestLoad143MSPWithInvalidOrdererConfiguration(t *testing.T) {
 // testdata/nodeouorderer2:
 // the configuration enables NodeOUs (with orderOU) but no valid identifier for the OrdererOU
 thisMSP := getLocalMSPWithVersion(t, "testdata/nodeouorderer2", MSPv1_4_3)
@@ -304,7 +294,7 @@ func TestLoad142MSPWithInvalidOrdererConfiguration(t *testing.T) {
 Principal: principalBytes}
 err = id.SatisfiesPrincipal(principal)
 assert.Error(t, err)
- assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for orderer ou classification, node ou for orderers not defined", err.Error())
+ assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for classification, node ou for type [ORDERER], not defined, msp: [SampleOrg]", err.Error())
 // testdata/nodeouorderer3:
 // the configuration enables NodeOUs (with orderOU) but no valid identifier for the OrdererOU
@@ -322,5 +312,26 @@ func TestLoad142MSPWithInvalidOrdererConfiguration(t *testing.T) {
 Principal: principalBytes}
 err = id.SatisfiesPrincipal(principal)
 assert.Error(t, err)
- assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for orderer ou classification, node ou for orderers not defined", err.Error())
+ assert.Equal(t, "The identity is not a [ORDERER] under this MSP [SampleOrg]: cannot test for classification, node ou for type [ORDERER], not defined, msp: [SampleOrg]", err.Error())
+}
+
+func TestValidMSPWithNodeOUMissingClassification(t *testing.T) {
+ // testdata/nodeousbadconf1:
+ // the configuration enables NodeOUs but client ou identifier is missing
+ _, err := getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf1", MSPv1_3)
+ assert.Error(t, err)
+ assert.Equal(t, "Failed setting up NodeOUs. ClientOU must be different from nil.", err.Error())
+
+ _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf1", MSPv1_4_3)
+ assert.Error(t, err)
+ assert.Equal(t, "admin 0 is invalid [cannot test for classification, node ou for type [CLIENT], not defined, msp: [SampleOrg],The identity does not contain OU [ADMIN], MSP: [SampleOrg]]", err.Error())
+
+ // testdata/nodeousbadconf2:
+ // the configuration enables NodeOUs but peer ou identifier is missing
+ _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf2", MSPv1_3)
+ assert.Error(t, err)
+ assert.Equal(t, "Failed setting up NodeOUs. PeerOU must be different from nil.", err.Error())
+
+ _, err = getLocalMSPWithVersionAndError(t, "testdata/nodeousbadconf2", MSPv1_4_3)
+ assert.NoError(t, err)
 }
diff --git a/msp/testdata/nodeousbadconf1/admincerts/Admin@example.com-cert.pem b/msp/testdata/nodeousbadconf1/admincerts/Admin@example.com-cert.pem
new file mode 100644
index 00000000000..d4a90794c91
--- /dev/null
+++ b/msp/testdata/nodeousbadconf1/admincerts/Admin@example.com-cert.pem
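Review bot: The last assertion in `TestValidMSPWithNodeOUMissingClassification` only checks that `testdata/nodeousbadconf2` loads under `MSPv1_4_3`; it does not pin what the missing peer classification means afterwards. Keeping the returned MSP instead of discarding it with `_` and asserting that a PEER role principal is rejected with the `cannot test for classification, node ou for type [PEER]` error, the way the orderer tests in this file do with `SatisfiesPrincipal`, would show that an undefined classification rejects rather than accepts. The test name also says "Valid" although three of its four cases expect an error.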
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICGzCCAcKgAwIBAgIRAN5DkOBs583C+swyjC7nHS0wCgYIKoZIzj0EAwIwaTEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt +cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGcxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp +c2NvMQ8wDQYDVQQLEwZjbGllbnQxGjAYBgNVBAMMEUFkbWluQGV4YW1wbGUuY29t +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3H+SsKIPqOTCn2YBHDYTkgsvYtr0 +6Kz3mEp4jfNmRt0Mz/Sjyg+E3AUjBah/Qj6WBqVYhmJeFsMoNvk8OhdHg6NNMEsw +DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAg3+GALQue +CGamN/C2yq8S+ET/YsjAltoJS2hjlwUXxZ8wCgYIKoZIzj0EAwIDRwAwRAIgXvE1 +Dsw0Vd2Tz+mxCfyf62lzQ8IN2BE4qsEQNgcsL94CIH26gcvFF7u0j+FVkjA4Awuq +10yaq8RzytoLpOz4SDkw +-----END CERTIFICATE----- diff --git a/msp/testdata/nodeousbadconf1/cacerts/ca.example.com-cert.pem b/msp/testdata/nodeousbadconf1/cacerts/ca.example.com-cert.pem new file mode 100644 index 00000000000..932a013b439 --- /dev/null +++ b/msp/testdata/nodeousbadconf1/cacerts/ca.example.com-cert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPzCCAeSgAwIBAgIRAONi5v8ImyejqCrCatbAW1QwCgYIKoZIzj0EAwIwaTEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt +cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGkxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp +c2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQAfjOlLCdB/6SsdPlbDHUsdK+b +gRuEN38QOFZ0Ws3aFAsER8ImqV3UIlsbKi5JnDs+OQnzrr3hrKA8downRRy/o20w +azAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB +MA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIN/hgC0LnghmpjfwtsqvEvhE/2LI +wJbaCUtoY5cFF8WfMAoGCCqGSM49BAMCA0kAMEYCIQDhhgAHx0l7V5uAG2hATgCs +bvsbHiJpHUtiK7f1Qfxf2AIhANeukSgRU+AeGSzyVmAOKhIUS+grsPyspksUwVvB +ehXv +-----END CERTIFICATE----- 
diff --git a/msp/testdata/nodeousbadconf1/config.yaml b/msp/testdata/nodeousbadconf1/config.yaml new file mode 100644 index 00000000000..fd968b098ef --- /dev/null +++ b/msp/testdata/nodeousbadconf1/config.yaml @@ -0,0 +1,14 @@ +NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: + PeerOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: orderer diff --git a/msp/testdata/nodeousbadconf1/keystore/priv_sk b/msp/testdata/nodeousbadconf1/keystore/priv_sk new file mode 100644 index 00000000000..c5ddc42760f --- /dev/null +++ b/msp/testdata/nodeousbadconf1/keystore/priv_sk @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3XkpMssR+HPUfA+C +SvrEalkm9qz1RvDZzWpeJZJgzHuhRANCAATttnug4BR0dA3fL8XFWdcAz2KBYXNu +o1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBd +-----END PRIVATE KEY----- diff --git a/msp/testdata/nodeousbadconf1/signcerts/orderer.example.com-cert.pem b/msp/testdata/nodeousbadconf1/signcerts/orderer.example.com-cert.pem new file mode 100644 index 00000000000..6655403f305 --- /dev/null +++ b/msp/testdata/nodeousbadconf1/signcerts/orderer.example.com-cert.pem 
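Review bot: `msp/testdata/nodeousbadconf1/keystore/priv_sk` adds an unencrypted private key to the repository, and the same blob (index `c5ddc42760f`) is added again under `nodeousbadconf2`. Its public part matches the `orderer.example.com` signcert issued by the test CA in the same directory, so the exposure is limited to test material. Committed keys still trip secret scanners and tend to be copied into sample deployments. If the fixtures must stay static, allowlist the testdata path in the scanner configuration and state next to the fixtures that the keys are for tests only; otherwise generate them during test setup.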
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHjCCAcSgAwIBAgIQSEQ9WMdyikoUBDZC1SCNYjAKBggqhkjOPQQDAjBpMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy +YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xFzAVBgNVBAMTDmNhLmV4YW1w +bGUuY29tMB4XDTE5MDcwNDE2MjcwMFoXDTI5MDcwMTE2MjcwMFowajELMAkGA1UE +BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lz +Y28xEDAOBgNVBAsTB29yZGVyZXIxHDAaBgNVBAMTE29yZGVyZXIuZXhhbXBsZS5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATttnug4BR0dA3fL8XFWdcAz2KB +YXNuo1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBdo00w +SzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCDf4YAt +C54IZqY38LbKrxL4RP9iyMCW2glLaGOXBRfFnzAKBggqhkjOPQQDAgNIADBFAiEA +6moSx8Ny5hOtKgR5ixwMclqefiFDW5p1OQ1mOakYe3MCIGuqooZlekXL/xCVpuNZ +V4ODyvgvMEgQBg7lpg7RapWZ +-----END CERTIFICATE----- diff --git a/msp/testdata/nodeousbadconf1/tlscacerts/tlsca.example.com-cert.pem b/msp/testdata/nodeousbadconf1/tlscacerts/tlsca.example.com-cert.pem new file mode 100644 index 00000000000..5a7c4e639e4 --- /dev/null +++ b/msp/testdata/nodeousbadconf1/tlscacerts/tlsca.example.com-cert.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRTCCAeqgAwIBAgIRAJCUl0CdwlkfiNTXt/gxVlgwCgYIKoZIzj0EAwIwbDEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRowGAYDVQQDExF0bHNjYS5l +eGFtcGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGwxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEaMBgGA1UEAxMRdGxzY2EuZXhh +bXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiqvojiDlos4TH6hOh +2Sg16UMVs4xG/s6M0MxICfAJSkwD3PRwKOinv8wD7OT7FxevPa6THKZONsXJwhWR +Lbero20wazAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIEcM31EymEUj64aNdHFZ +0OCICQC3vXXeGLXrrc28liw6MAoGCCqGSM49BAMCA0kAMEYCIQCgfmcPMxf8ojnD +UbfnxXFHHHqAQ03X+bISVaKVtpcqjwIhAOwrN+SL40ORnkRgKBzyL8SzyiDXwqf0 +RqgngKsp/XOT +-----END CERTIFICATE----- 
diff --git a/msp/testdata/nodeousbadconf2/admincerts/Admin@example.com-cert.pem b/msp/testdata/nodeousbadconf2/admincerts/Admin@example.com-cert.pem new file mode 100644 index 00000000000..d4a90794c91 --- /dev/null +++ b/msp/testdata/nodeousbadconf2/admincerts/Admin@example.com-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICGzCCAcKgAwIBAgIRAN5DkOBs583C+swyjC7nHS0wCgYIKoZIzj0EAwIwaTEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt +cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGcxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp +c2NvMQ8wDQYDVQQLEwZjbGllbnQxGjAYBgNVBAMMEUFkbWluQGV4YW1wbGUuY29t +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3H+SsKIPqOTCn2YBHDYTkgsvYtr0 +6Kz3mEp4jfNmRt0Mz/Sjyg+E3AUjBah/Qj6WBqVYhmJeFsMoNvk8OhdHg6NNMEsw +DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAg3+GALQue +CGamN/C2yq8S+ET/YsjAltoJS2hjlwUXxZ8wCgYIKoZIzj0EAwIDRwAwRAIgXvE1 +Dsw0Vd2Tz+mxCfyf62lzQ8IN2BE4qsEQNgcsL94CIH26gcvFF7u0j+FVkjA4Awuq +10yaq8RzytoLpOz4SDkw +-----END CERTIFICATE----- diff --git a/msp/testdata/nodeousbadconf2/cacerts/ca.example.com-cert.pem b/msp/testdata/nodeousbadconf2/cacerts/ca.example.com-cert.pem new file mode 100644 index 00000000000..932a013b439 --- /dev/null +++ b/msp/testdata/nodeousbadconf2/cacerts/ca.example.com-cert.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPzCCAeSgAwIBAgIRAONi5v8ImyejqCrCatbAW1QwCgYIKoZIzj0EAwIwaTEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt +cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGkxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp +c2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQAfjOlLCdB/6SsdPlbDHUsdK+b +gRuEN38QOFZ0Ws3aFAsER8ImqV3UIlsbKi5JnDs+OQnzrr3hrKA8downRRy/o20w +azAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB +MA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIN/hgC0LnghmpjfwtsqvEvhE/2LI +wJbaCUtoY5cFF8WfMAoGCCqGSM49BAMCA0kAMEYCIQDhhgAHx0l7V5uAG2hATgCs +bvsbHiJpHUtiK7f1Qfxf2AIhANeukSgRU+AeGSzyVmAOKhIUS+grsPyspksUwVvB +ehXv +-----END CERTIFICATE----- diff --git a/msp/testdata/nodeousbadconf2/config.yaml b/msp/testdata/nodeousbadconf2/config.yaml new file mode 100644 index 00000000000..0475bee9d5e --- /dev/null +++ b/msp/testdata/nodeousbadconf2/config.yaml @@ -0,0 +1,14 @@ +NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: + AdminOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: orderer diff --git a/msp/testdata/nodeousbadconf2/keystore/priv_sk b/msp/testdata/nodeousbadconf2/keystore/priv_sk new file mode 100644 index 00000000000..c5ddc42760f --- /dev/null +++ b/msp/testdata/nodeousbadconf2/keystore/priv_sk 
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3XkpMssR+HPUfA+C +SvrEalkm9qz1RvDZzWpeJZJgzHuhRANCAATttnug4BR0dA3fL8XFWdcAz2KBYXNu +o1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBd +-----END PRIVATE KEY----- diff --git a/msp/testdata/nodeousbadconf2/signcerts/orderer.example.com-cert.pem b/msp/testdata/nodeousbadconf2/signcerts/orderer.example.com-cert.pem new file mode 100644 index 00000000000..6655403f305 --- /dev/null +++ b/msp/testdata/nodeousbadconf2/signcerts/orderer.example.com-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHjCCAcSgAwIBAgIQSEQ9WMdyikoUBDZC1SCNYjAKBggqhkjOPQQDAjBpMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy +YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xFzAVBgNVBAMTDmNhLmV4YW1w +bGUuY29tMB4XDTE5MDcwNDE2MjcwMFoXDTI5MDcwMTE2MjcwMFowajELMAkGA1UE +BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lz +Y28xEDAOBgNVBAsTB29yZGVyZXIxHDAaBgNVBAMTE29yZGVyZXIuZXhhbXBsZS5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATttnug4BR0dA3fL8XFWdcAz2KB +YXNuo1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBdo00w +SzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCDf4YAt +C54IZqY38LbKrxL4RP9iyMCW2glLaGOXBRfFnzAKBggqhkjOPQQDAgNIADBFAiEA +6moSx8Ny5hOtKgR5ixwMclqefiFDW5p1OQ1mOakYe3MCIGuqooZlekXL/xCVpuNZ +V4ODyvgvMEgQBg7lpg7RapWZ +-----END CERTIFICATE----- diff --git a/msp/testdata/nodeousbadconf2/tlscacerts/tlsca.example.com-cert.pem b/msp/testdata/nodeousbadconf2/tlscacerts/tlsca.example.com-cert.pem new file mode 100644 index 00000000000..5a7c4e639e4 --- /dev/null +++ b/msp/testdata/nodeousbadconf2/tlscacerts/tlsca.example.com-cert.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRTCCAeqgAwIBAgIRAJCUl0CdwlkfiNTXt/gxVlgwCgYIKoZIzj0EAwIwbDEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG +cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRowGAYDVQQDExF0bHNjYS5l +eGFtcGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGwxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEaMBgGA1UEAxMRdGxzY2EuZXhh +bXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiqvojiDlos4TH6hOh +2Sg16UMVs4xG/s6M0MxICfAJSkwD3PRwKOinv8wD7OT7FxevPa6THKZONsXJwhWR +Lbero20wazAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIEcM31EymEUj64aNdHFZ +0OCICQC3vXXeGLXrrc28liw6MAoGCCqGSM49BAMCA0kAMEYCIQCgfmcPMxf8ojnD +UbfnxXFHHHqAQ03X+bISVaKVtpcqjwIhAOwrN+SL40ORnkRgKBzyL8SzyiDXwqf0 +RqgngKsp/XOT +-----END CERTIFICATE-----