Building a fabric-ca service and generating certificates
Preface:
1. To keep information secure on the wire, Fabric can run its node-to-node traffic in TLS mode, which means we have to generate the corresponding certificates. For why TLS needs certificates and how the handshake works, see the post on TLS secure network transport.
2. Up to now the Fabric certificates were generated by hand with the cryptogen command. That does not work in a real deployment: every new user needs a certificate issued by a CA, so we generate them with fabric-ca instead.
1. Starting the fabric-ca service
1. The fabric-ca image
Here we start fabric-ca with docker, so the image has to be pulled first.
We pull hyperledger/fabric-ca:latest directly, as shown in the screenshot below (for anything beyond a local lab, pin a specific release tag instead of latest so that the CA you deploy is reproducible):
docker pull hyperledger/fabric-ca:latest
2. docker-compose.yaml
We start three CA services here, one each for Org1, Org2 and the Orderer; the three CAs are independent of each other. Write the docker-compose files as follows. Note that nothing in these files enables TLS on the CA itself (FABRIC_CA_SERVER_TLS_ENABLED defaults to false), so every enroll call later in this post goes over plain http:// and the enrollment secrets travel in cleartext; the bootstrap identity admin:adminpw is also fixed in the file. That is acceptable for a lab on one machine, not for a CA reachable from other hosts.
docker-compose-orderer.yaml
version: "3"
services:
  fabric-ca-server-orderer:
    image: hyperledger/fabric-ca:latest
    container_name: fabric-ca-server-orderer
    ports:
      - "9054:9054"
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=9054
      - FABRIC_CA_SERVER_CA_NAME=ca-orderer
      - COMPOSE_PROJECT_NAME=ca-orderer
    volumes:
      - "./fabric-ca-server-orderer:/etc/hyperledger/fabric-ca-server"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org1.yaml
version: "3"
services:
  fabric-ca-server-org1:
    image: hyperledger/fabric-ca:latest
    container_name: fabric-ca-server-org1
    ports:
      - "7054:7054"
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - COMPOSE_PROJECT_NAME=ca-org1
    volumes:
      - "./fabric-ca-server-org1:/etc/hyperledger/fabric-ca-server"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org2.yaml
version: "3"
services:
  fabric-ca-server-org2:
    image: hyperledger/fabric-ca:latest
    container_name: fabric-ca-server-org2
    ports:
      - "8054:8054"
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=8054
      - FABRIC_CA_SERVER_CA_NAME=ca-org2
      - COMPOSE_PROJECT_NAME=ca-org2
    volumes:
      - "./fabric-ca-server-org2:/etc/hyperledger/fabric-ca-server"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
3. Start the containers
docker-compose -f docker-compose-orderer.yaml up -d
docker-compose -f docker-compose-org1.yaml up -d
docker-compose -f docker-compose-org2.yaml up -d
Once fabric-ca is up, three directories appear in the current folder: fabric-ca-server-org1, fabric-ca-server-org2 and fabric-ca-server-orderer. Each holds the root certificate (ca-cert.pem) of the org1, org2 and orderer CA respectively, the generated fabric-ca-server-config.yaml, and the CA's private key under msp/keystore (a file named after the key's SKI with an _sk suffix, e.g. ff6a43faf30fefb3ddd47033e34318b93d580513eebc2bf0ca464f07f4ca01f4_sk). That _sk file is the root signing key of the whole organization: whoever can read it can issue identities for the org, so keep the bind-mounted directory readable only by the account that runs the CA. The directory layout is shown below:
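The compose files above run each CA over plain HTTP with the bootstrap password written into the file. The script below is an added example, not part of the original post or of fabric-ca: it writes a compose file for one CA with TLS switched on and the bootstrap password taken from the environment at docker-compose up time, and shows the matching client-side enrollment over https with the server's TLS certificate pinned. The org name, port and output directory are parameters; the image tag (1.5.7), the CA_ADMIN_PW variable name and the script name gen-ca-compose.sh are assumptions of this example. With TLS enabled and no certificate configured, fabric-ca-server writes tls-cert.pem into FABRIC_CA_HOME on first start, which is the file the client then trusts.

```shell
#!/bin/sh
# Added example: generate a hardened docker-compose file for one fabric-ca server.
# Compared with the post's files: TLS on (FABRIC_CA_SERVER_TLS_ENABLED=true), bootstrap
# password read from $CA_ADMIN_PW when compose starts instead of being stored in the file,
# and the image tag pinned instead of :latest (the tag below is an assumed value).
FABRIC_CA_TAG=${FABRIC_CA_TAG:-1.5.7}

# write_ca_compose <org> <port> <outdir>  -> writes <outdir>/docker-compose-<org>.yaml
# and prints the path of the file it wrote.
write_ca_compose() {
  local org port outdir out
  org=$1; port=$2; outdir=$3
  out="$outdir/docker-compose-$org.yaml"
  # Unquoted heredoc: $org/$port/$FABRIC_CA_TAG are expanded now; the escaped
  # \${CA_ADMIN_PW...} is left in place for docker-compose to interpolate.
  cat > "$out" <<EOF
version: "3"
services:
  fabric-ca-server-$org:
    image: hyperledger/fabric-ca:$FABRIC_CA_TAG
    container_name: fabric-ca-server-$org
    ports:
      - "$port:$port"
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=$port
      - FABRIC_CA_SERVER_CA_NAME=ca-$org
      - FABRIC_CA_SERVER_TLS_ENABLED=true
    volumes:
      - "./fabric-ca-server-$org:/etc/hyperledger/fabric-ca-server"
    # compose refuses to start when CA_ADMIN_PW is unset; the secret never lands in this file
    command: sh -c 'fabric-ca-server start -b admin:\${CA_ADMIN_PW:?CA_ADMIN_PW is not set}'
EOF
  echo "$out"
}

# enroll_ca_admin <org> <port> : client side of the same change, https plus the server's
# self-generated TLS certificate, which lives in the bind-mounted FABRIC_CA_HOME.
enroll_ca_admin() {
  local org port
  org=$1; port=$2
  : "${CA_ADMIN_PW:?CA_ADMIN_PW is not set}"
  ./fabric-ca-client enroll \
    -u "https://admin:${CA_ADMIN_PW}@localhost:${port}" \
    --caname "ca-${org}" \
    --tls.certfiles "${PWD}/fabric-ca-server-${org}/tls-cert.pem"
}

# Usage:  CA_ADMIN_PW='long-random-string' ./gen-ca-compose.sh org1 7054
# Nothing runs when the script is invoked without the two arguments.
if [ $# -eq 2 ]; then
  f=$(write_ca_compose "$1" "$2" .)
  docker-compose -f "$f" up -d
  enroll_ca_admin "$1" "$2"
fi
```

The same change has to be carried into every later fabric-ca-client call: http:// becomes https:// and each call gets --tls.certfiles pointing at that CA's tls-cert.pem, otherwise the client refuses to talk to a TLS-enabled server.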
2. Generating certificates
1. Building fabric-ca-client
To generate certificates we need the fabric-ca-client command. I built it by hand: download the fabric-ca source; the master branch is fine for a lab. For a real deployment check out the release tag that matches your Fabric version instead, so that the client binary and the server image agree.
(1) Notes:
This was my first Go project, and I found that the hyperledger fabric project must live in a fixed directory, namely under Go's src/github.com/hyperledger; the same applies to fabric-ca. Otherwise the build fails because it cannot find the referenced code (the Makefile expects the GOPATH layout).
For example, my Go installation directory is /home/zachen2/golang/go.
Under the golang directory there is a src directory; the directory src/github.com/hyperledger has to be created by hand.
Then download the fabric-ca source into src/github.com/hyperledger, as shown in the screenshot below:
(2) Build
Go into the fabric-ca directory and run make fabric-ca-client.
When the build finishes, the fabric-ca-client binary is in fabric-ca's bin directory, as shown below:
2. Certificate generation
- The author's Fabric network topology is:
Organization 1: one peer node, one Admin, one User
Organization 2: one peer node, one Admin, one User
Orderer: three orderer nodes, one Admin
- The commands that generate the certificates are below. The enrollment secrets (peer0pw, user1pw, ...) are placeholders; in a real deployment each identity gets its own random one-time secret, and the bootstrap admin is used only to register identities, never as a node or user identity itself.
#!/bin/bash
# Stop at the first failed register/enroll/cp: a half-built tree is exactly what breaks
# genesis block generation later (see problem (2) below).
set -e

# ============================ Org1 (ca-org1, port 7054) ============================
ORG1=${PWD}/organizations/peerOrganizations/org1.example.com
export FABRIC_CA_CLIENT_HOME=${ORG1}/
# enrolling the bootstrap admin creates ${ORG1}/msp and the client config
./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 --caname ca-org1

# NodeOUs: map the OU of each certificate issued by this CA to a Fabric role
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${ORG1}/msp/config.yaml

# Org1 peer0: MSP (signing) certificate
PEER=${ORG1}/peers/peer0.org1.example.com
./fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PEER}/msp --csr.hosts aa,peer0.org1.example.com
cp ${ORG1}/msp/config.yaml ${PEER}/msp
# Org1 peer0: TLS certificate (tls profile), renamed to what the peer config expects
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PEER}/tls --enrollment.profile tls --csr.hosts aa,peer0.org1.example.com
cp ${PEER}/tls/tlscacerts/* ${PEER}/tls/ca.crt
cp ${PEER}/tls/signcerts/*  ${PEER}/tls/server.crt
cp ${PEER}/tls/keystore/*   ${PEER}/tls/server.key
# org-level copies of the TLS CA certificate and of the CA certificate
mkdir -p ${ORG1}/msp/tlscacerts
cp ${PEER}/tls/tlscacerts/* ${ORG1}/msp/tlscacerts/ca.crt
mkdir -p ${ORG1}/tlsca
cp ${PEER}/tls/tlscacerts/* ${ORG1}/tlsca/tlsca.org1.example.com-cert.pem
mkdir -p ${ORG1}/ca
cp ${PEER}/msp/cacerts/* ${ORG1}/ca/ca.org1.example.com-cert.pem

# Org1 user1
USER1=${ORG1}/users/User1@org1.example.com
./fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${USER1}/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${USER1}/tls --enrollment.profile tls
cp ${USER1}/tls/tlscacerts/* ${USER1}/tls/ca.crt
cp ${USER1}/tls/signcerts/*  ${USER1}/tls/client.crt
cp ${USER1}/tls/keystore/*   ${USER1}/tls/client.key
cp ${ORG1}/msp/config.yaml ${USER1}/msp/config.yaml

# Org1 admin
ADMIN1=${ORG1}/users/Admin@org1.example.com
./fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${ADMIN1}/msp
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${ADMIN1}/tls --enrollment.profile tls
cp ${ADMIN1}/tls/tlscacerts/* ${ADMIN1}/tls/ca.crt
cp ${ADMIN1}/tls/signcerts/*  ${ADMIN1}/tls/client.crt
cp ${ADMIN1}/tls/keystore/*   ${ADMIN1}/tls/client.key
cp ${ORG1}/msp/config.yaml ${ADMIN1}/msp/config.yaml

# ============================ Org2 (ca-org2, port 8054) ============================
ORG2=${PWD}/organizations/peerOrganizations/org2.example.com
export FABRIC_CA_CLIENT_HOME=${ORG2}/
./fabric-ca-client enroll -u http://admin:adminpw@localhost:8054 --caname ca-org2

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: orderer' > ${ORG2}/msp/config.yaml

# Org2 peer0: MSP certificate
PEER=${ORG2}/peers/peer0.org2.example.com
./fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PEER}/msp --csr.hosts aa,peer0.org2.example.com
cp ${ORG2}/msp/config.yaml ${PEER}/msp
# Org2 peer0: TLS certificate
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PEER}/tls --enrollment.profile tls --csr.hosts aa,peer0.org2.example.com
cp ${PEER}/tls/tlscacerts/* ${PEER}/tls/ca.crt
cp ${PEER}/tls/signcerts/*  ${PEER}/tls/server.crt
cp ${PEER}/tls/keystore/*   ${PEER}/tls/server.key
mkdir -p ${ORG2}/msp/tlscacerts
cp ${PEER}/tls/tlscacerts/* ${ORG2}/msp/tlscacerts/ca.crt
mkdir -p ${ORG2}/tlsca
cp ${PEER}/tls/tlscacerts/* ${ORG2}/tlsca/tlsca.org2.example.com-cert.pem
mkdir -p ${ORG2}/ca
cp ${PEER}/msp/cacerts/* ${ORG2}/ca/ca.org2.example.com-cert.pem

# Org2 user1
USER1=${ORG2}/users/User1@org2.example.com
./fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${USER1}/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${USER1}/tls --enrollment.profile tls
cp ${USER1}/tls/tlscacerts/* ${USER1}/tls/ca.crt
cp ${USER1}/tls/signcerts/*  ${USER1}/tls/client.crt
cp ${USER1}/tls/keystore/*   ${USER1}/tls/client.key
cp ${ORG2}/msp/config.yaml ${USER1}/msp/config.yaml

# Org2 admin (the identity is named org1admin in the original; it is registered with
# ca-org2, a separate CA, so the name does not collide with Org1's admin)
ADMIN2=${ORG2}/users/Admin@org2.example.com
./fabric-ca-client register --caname ca-org2 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${ADMIN2}/msp
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${ADMIN2}/tls --enrollment.profile tls
cp ${ADMIN2}/tls/tlscacerts/* ${ADMIN2}/tls/ca.crt
cp ${ADMIN2}/tls/signcerts/*  ${ADMIN2}/tls/client.crt
cp ${ADMIN2}/tls/keystore/*   ${ADMIN2}/tls/client.key
cp ${ORG2}/msp/config.yaml ${ADMIN2}/msp/config.yaml

# ============================ Orderer org (ca-orderer, port 9054) ============================
ORD=${PWD}/organizations/ordererOrganizations/example.com
export FABRIC_CA_CLIENT_HOME=${ORD}
./fabric-ca-client enroll -u http://admin:adminpw@localhost:9054 --caname ca-orderer

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${ORD}/msp/config.yaml

# The three orderer nodes (orderer, orderer2, orderer3) go through identical steps;
# the original listed them one after another, they are written as a loop here.
for N in orderer orderer2 orderer3; do
  NODE=${ORD}/orderers/${N}.example.com
  ./fabric-ca-client register --caname ca-orderer --id.name ${N} --id.secret ${N}pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
  ./fabric-ca-client enroll -u http://${N}:${N}pw@localhost:9054 --caname ca-orderer -M ${NODE}/msp --csr.hosts aa,${N}.example.com
  cp ${ORD}/msp/config.yaml ${NODE}/msp/config.yaml
  ./fabric-ca-client enroll -u http://${N}:${N}pw@localhost:9054 --caname ca-orderer -M ${NODE}/tls --enrollment.profile tls --csr.hosts aa,${N}.example.com
  cp ${NODE}/tls/tlscacerts/* ${NODE}/tls/ca.crt
  cp ${NODE}/tls/signcerts/*  ${NODE}/tls/server.crt
  cp ${NODE}/tls/keystore/*   ${NODE}/tls/server.key
  mkdir -p ${NODE}/msp/tlscacerts
  cp ${NODE}/tls/tlscacerts/* ${NODE}/msp/tlscacerts/tlsca.example.com-cert.pem
done
# org-level TLS CA copy (taken from the first orderer, as in the original)
mkdir -p ${ORD}/msp/tlscacerts
cp ${ORD}/orderers/orderer.example.com/tls/tlscacerts/* ${ORD}/msp/tlscacerts/ca.crt

# Orderer admin
ORDADMIN=${ORD}/users/Admin@example.com
./fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${ORDADMIN}/msp
cp ${ORD}/msp/config.yaml ${ORDADMIN}/msp/config.yaml
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${ORDADMIN}/tls --enrollment.profile tls
cp ${ORDADMIN}/tls/tlscacerts/* ${ORDADMIN}/tls/ca.crt
cp ${ORDADMIN}/tls/signcerts/*  ${ORDADMIN}/tls/client.crt
cp ${ORDADMIN}/tls/keystore/*   ${ORDADMIN}/tls/client.key
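Before handing the organizations/ tree to configtxgen, the peers and the orderers, it is worth checking mechanically that every identity has what the cp commands above are supposed to leave behind. The script below is an added example, not part of the original post or of fabric-ca: it walks the layout the script produces (msp/config.yaml, msp/cacerts, msp/signcerts, msp/keystore and the renamed tls/ files for every peer, orderer and user, plus the org-level msp/tlscacerts/ca.crt) and additionally flags private keys that are readable by group or other, which the post does not check. The script name check-msp.sh is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check the MSP/TLS tree produced by the enrollment script.
# Layout expectations follow the cp commands of the script; key-permission checks are extra.

# non_empty_dir <dir> : true if <dir> exists and contains at least one entry
non_empty_dir() {
  [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

# key_mode_ok <file> : true if the file has no group/other permission bits at all
key_mode_ok() {
  local mode
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}

# check_identity <dir> <kind>   kind = node (tls/server.*) | user (tls/client.*)
# Prints one line per problem, returns 0 only if msp/ and tls/ are complete and keys are private.
check_identity() {
  local dir kind rc sub cert key f k
  dir=$1; kind=$2; rc=0
  [ -f "$dir/msp/config.yaml" ] || { echo "MISSING  $dir/msp/config.yaml (NodeOUs)"; rc=1; }
  for sub in cacerts signcerts keystore; do
    non_empty_dir "$dir/msp/$sub" || { echo "MISSING  $dir/msp/$sub/"; rc=1; }
  done
  if [ "$kind" = node ]; then cert=server.crt; key=server.key; else cert=client.crt; key=client.key; fi
  for f in ca.crt $cert $key; do
    [ -f "$dir/tls/$f" ] || { echo "MISSING  $dir/tls/$f"; rc=1; }
  done
  for k in "$dir/tls/$key" "$dir"/msp/keystore/*; do
    [ -f "$k" ] || continue
    key_mode_ok "$k" || { echo "KEYPERMS $k is readable by group/other"; rc=1; }
  done
  return $rc
}

# check_org <orgdir> : the org-level MSP that configtxgen reads
check_org() {
  local dir rc
  dir=$1; rc=0
  [ -f "$dir/msp/config.yaml" ] || { echo "MISSING  $dir/msp/config.yaml"; rc=1; }
  non_empty_dir "$dir/msp/cacerts" || { echo "MISSING  $dir/msp/cacerts/"; rc=1; }
  [ -f "$dir/msp/tlscacerts/ca.crt" ] || { echo "MISSING  $dir/msp/tlscacerts/ca.crt"; rc=1; }
  return $rc
}

# check_tree <organizations-dir> : every org under peerOrganizations/ and ordererOrganizations/
check_tree() {
  local root rc org n u
  root=$1; rc=0
  for org in "$root"/peerOrganizations/* "$root"/ordererOrganizations/*; do
    [ -d "$org" ] || continue
    check_org "$org" || rc=1
    for n in "$org"/peers/* "$org"/orderers/*; do
      if [ -d "$n" ]; then check_identity "$n" node || rc=1; fi
    done
    for u in "$org"/users/*; do
      if [ -d "$u" ]; then check_identity "$u" user || rc=1; fi
    done
  done
  if [ $rc -eq 0 ]; then echo "OK $root"; fi
  return $rc
}

# Usage: ./check-msp.sh ./organizations     (nothing runs without the argument)
if [ $# -eq 1 ]; then check_tree "$1"; fi
```

A non-zero exit means at least one identity would fail at node start or at genesis block generation; the MISSING lines name the file, which is usually one of the cp steps that was skipped.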
3. Problems encountered
(1) The --csr.hosts parameter
From what I found online, this parameter ends up in the certificate's X509v3 Subject Alternative Name extension. The SAN lists the host names the certificate is valid for; one certificate can cover several names.
In the commands above I set the first entry of every --csr.hosts to aa, for the following reason:
1. If I set only the real name (for example orderer.example.com), that name is replaced by my machine's host name (I have not found the cause yet), so the SAN ends up with the wrong name.
2. If I set --csr.hosts to aa,orderer.example.com, only the first entry aa is overwritten and orderer.example.com is kept correctly, as in the screenshot below:
Command to inspect the certificate: openssl x509 -in server.crt -noout -text
The red box in the figure is the Subject Alternative Name; aa is not in it, it has been replaced by zachen2-VirtualBox (the host name of my Ubuntu machine).
So to avoid the problem I added a throwaway aa entry to every --csr.hosts, so that the name I actually want is not overwritten. Whatever the cause, two things follow for practice: verify the SAN of every server certificate before the network is brought up rather than assuming the flag was honoured, and remember that the stray name (zachen2-VirtualBox here) is still in the certificate, so the certificate is valid for a host name that was never requested.
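The SAN check described above is done by eye with openssl x509 -text in the post. The script below is an added example, not part of the original post or of fabric-ca: it parses the DNS names out of that openssl text output, reports every expected name that is missing (which fails the check) and every name that is present but was not asked for (such as the build host's name), so the aa workaround and the stray host name both show up immediately. It needs only openssl and awk; the script name check-san.sh is an assumption.

```shell
#!/bin/sh
# Added example: compare the DNS names in a certificate's Subject Alternative Name
# with the names the node is actually reached by.

# parse_san_dns : reads 'openssl x509 -noout -text' output on stdin and prints one DNS SAN
# per line (IP Address: entries and everything else are dropped).
parse_san_dns() {
  awk '
    /X509v3 Subject Alternative Name/ {
      getline                               # the names are on the line that follows
      sub(/^[ \t]+/, "")
      n = split($0, entry, /, */)
      for (i = 1; i <= n; i++)
        if (entry[i] ~ /^DNS:/) print substr(entry[i], 5)
    }'
}

# check_san_text <expected,csv> : stdin = openssl text output.
# Prints OK/MISSING per expected name and EXTRA for unrequested names; returns 1 if any
# expected name is missing. EXTRA names do not fail the check, but a certificate that is
# valid for a host you never asked for is worth a second look.
check_san_text() {
  local expected actual rc want have
  expected=$1
  actual=$(parse_san_dns)
  rc=0
  for want in $(echo "$expected" | tr ',' ' '); do
    if echo "$actual" | grep -qxF "$want"; then
      echo "OK      $want"
    else
      echo "MISSING $want"; rc=1
    fi
  done
  for have in $actual; do
    echo "$expected" | tr ',' '\n' | grep -qxF "$have" || echo "EXTRA   $have"
  done
  return $rc
}

# check_cert_hosts <cert.pem> <expected,csv> : the same check run on a real certificate
check_cert_hosts() {
  openssl x509 -in "$1" -noout -text | check_san_text "$2"
}

# Usage: ./check-san.sh organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt peer0.org1.example.com
if [ $# -eq 2 ]; then check_cert_hosts "$1" "$2"; fi
```

Run it over every tls/server.crt with the node's real name as the expected list; with the post's workaround the output for a peer is one OK line for peer0.org1.example.com and one EXTRA line for the machine's host name, and checking for aa itself reports MISSING, which is the observation the screenshot shows.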
(2) The certificate commands above contain a lot of cp commands. They are essential and must not be skipped, in particular the creation and copying of config.yaml (the NodeOUs definition) into every MSP directory; without it, generating genesis.block later fails.