fabric服务中间CA的开发流程
fabric 中间CA服务的实现
流程
- intermediate CA简单介绍
- 创一个根CA服务器容器 couter1
- 创建一个中间CA指向根CA
- init CA 配置文件,生成中间CA容器
- 开始注册登记等流程
- 验证测试
1. fabric-ca-server使用root CA和intermediate CA
- 启动根CA
fabric-ca-server start -b admin:adminpw -p 7054
假设根CA启动在端口7054.
- 启动中间CA
fabric-ca-server start -b admin:adminpw -p 7064 -u http://admin:adminpw@localhost:7054
假设中间CA启动在端口7064.参数-u表示启动的是一个中间CA,-u的值指定上级根CA的地址
- 查看根CA和中间CA所生成的配置文件
rootca
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
└── keystore
└── 8bf83d802f3428e25e66c2131d4d09a428ed675b0bb5adf0b18757a03a653cbd_sk
immediateca
├── ca-cert.pem
├── ca-chain.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
├── cacerts
├── keystore
│ └── 9c669833b37097ec194fe16b68bb7e9a1b30ae36aa34ed7e81483032681f2043_sk
└── signcerts
中间CA比根CA多了一个ca-chain.pem证书文件。我们打开文件intermediateca/ca-chain.pem看一下,其内容恰好包含两个证书(root CA和intermediate CA)内容,也就是证书链:
<content of intermediateca/ca-cert.pem>
<content of rootca/ca-cert.pem>
4 . 再看一下他们的验证关系
$ openssl verify -verbose -CAfile rootca/ca-cert.pem intermediateca/ca-cert.pem
immediateca/ca-cert.pem: OK
$ openssl verify -verbose -CAfile rootca/ca-cert.pem intermediateca/ca-chain.pem
immediateca/ca-chain.pem: OK
$ openssl verify -verbose -CAfile intermediateca/ca-chain.pem intermediateca/ca-cert.pem
intermediate/ca-cert.pem: OK
$ openssl verify -verbose -CAfile intermediateca/ca-cert.pem intermediateca/ca-chain.pem
immediateca/ca-chain.pem: C = US, ST = North Carolina, O = Hyperledger, OU = client, CN = admin
error 20 at 0 depth lookup:unable to get local issuer certificate
我们可以看到root节点的根证书,可以验证i