Preface:
1. To keep information secure during network communication, Fabric can be run in TLS mode, which requires us to generate the corresponding digital certificates. For why TLS needs digital certificates and how the handshake works, see the article on TLS secure network transport.
2. Previously the Fabric certificates were generated by hand with the cryptogen command. In a real deployment, however, that approach does not work when new users have to be added, so we need to generate the certificates with fabric-ca instead.
I. Starting the fabric-ca service
1. fabric-ca image
Here we start the fabric-ca service with Docker, so before starting it we need to pull the image.
We pull the hyperledger/fabric-ca:latest image directly, as shown below:
docker pull hyperledger/fabric-ca:latest
2. docker-compose.yaml
We start three CA services, serving as the CAs for Org1, Org2 and the Orderer respectively; the three CA services are independent of each other. Write the docker-compose.yaml files:
docker-compose-orderer.yaml
fabric-ca-server-orderer:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-orderer
  ports:
    - "9054:9054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=9054
    - FABRIC_CA_SERVER_CA_NAME=ca-orderer
    - COMPOSE_PROJECT_NAME=ca-orderer
  volumes:
    - "./fabric-ca-server-orderer:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org1.yaml
fabric-ca-server-org1:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org1
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - COMPOSE_PROJECT_NAME=ca-org1
  volumes:
    - "./fabric-ca-server-org1:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org2.yaml
fabric-ca-server-org2:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org2
  ports:
    - "8054:8054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=8054
    - FABRIC_CA_SERVER_CA_NAME=ca-org2
    - COMPOSE_PROJECT_NAME=ca-org2
  volumes:
    - "./fabric-ca-server-org2:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
3. Starting the containers
docker-compose -f docker-compose-orderer.yaml up -d
docker-compose -f docker-compose-org1.yaml up -d
docker-compose -f docker-compose-org2.yaml up -d
Once fabric-ca has started successfully, three folders are created in the current directory: fabric-ca-server-org1, fabric-ca-server-org2 and fabric-ca-server-orderer. They hold the root certificate (ca-cert.pem) and private key (ff6a43faf30fefb3ddd47033e34318b93d580513eebc2bf0ca464f07f4ca01f4_sk) of org1-CA, org2-CA and orderer-CA respectively. The directory structure is as follows:
II. Generating certificates
1. Building fabric-ca-client
To generate certificates we need the fabric-ca-client command. I built it by hand: download the fabric-ca source code; the master branch is fine.
(1) Notes:
Since this was my first time working with a project written in Go, I found that the hyperledger-fabric project must be placed in a fixed directory, namely golang's src/github.com/hyperledger directory. The same applies to the fabric-ca project: it must also be placed in that directory, otherwise the build fails with errors about not finding the related code.
For example, my golang installation directory is /home/zachen2/golang/go.
Under the golang directory there is a src directory; inside it we must manually create the directory src/github.com/hyperledger.
Then download the fabric-ca source into src/github.com/hyperledger, as shown below:
(2) Building
Enter the fabric-ca directory and run make fabric-ca-client to build.
When the build finishes, the fabric-ca-client binary is produced in fabric-ca's bin directory, as shown below:
2. Certificate generation
- The author's Fabric network topology is as follows:
Org1: one peer node, one Admin, one User
Org2: one peer node, one Admin, one User
Orderer: three orderer nodes, one Admin
- The commands to generate the certificates are as follows:
#!/bin/bash
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/
./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 --caname ca-org1
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml

# Org1 peer0 MSP certificate
./fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts aa,peer0.org1.example.com
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org1.example.com
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem

# Org1 user certificate
./fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/config.yaml

# Org1 admin certificate
./fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/
./fabric-ca-client enroll -u http://admin:adminpw@localhost:8054 --caname ca-org2
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml

# Org2 peer0 MSP certificate
./fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts aa,peer0.org2.example.com
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org2.example.com
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem

# Org2 user certificate
./fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp/config.yaml

# Org2 admin certificate
./fabric-ca-client register --caname ca-org2 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com
./fabric-ca-client enroll -u http://admin:adminpw@localhost:9054 --caname ca-orderer
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml

# orderer certificate
./fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts aa,orderer.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
mkdir ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/ca.crt

# orderer2 certificate
./fabric-ca-client register --caname ca-orderer --id.name orderer2 --id.secret orderer2pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --csr.hosts aa,orderer2.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer2.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

# orderer3 certificate
./fabric-ca-client register --caname ca-orderer --id.name orderer3 --id.secret orderer3pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp --csr.hosts aa,orderer3.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer3.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

# orderer admin certificate
./fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/config.yaml
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls --enrollment.profile tls
cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/client.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/client.key
3. Problems encountered
(1) The --csr.hosts parameter
From what I found online, this parameter is written into the certificate's X509v3 Subject Alternative Name. The Subject Alternative Name lists the domain names this certificate is valid for; one digital certificate can cover several domain names.
In the certificate-generation commands above, I set the first domain name of every --csr.hosts to aa, for the following reason:
1. If I set only the one matching domain name (for example orderer.example.com), that name gets overwritten by my computer's hostname (I do not yet know why), so the domain name in the Subject Alternative Name is wrong.
2. If I set --csr.hosts to aa,orderer.example.com, only the first name, aa, is overwritten, and the following name orderer.example.com is kept correctly, as shown below:
Command to decode the certificate: openssl x509 -in server.crt -text
The red box in the figure is the Subject Alternative Name. You can see that the aa domain name is not there; it has been overwritten by zachen2-VirtualBox (the hostname of my Ubuntu machine).
So, to avoid this problem, I added an aa domain name to every --csr.hosts, so that the domain name I actually want is not overwritten.
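The hostname problem above only shows up if someone decodes the certificate and reads the SAN by hand, and a peer or client that dials orderer.example.com over TLS will reject a certificate whose SAN does not list that name. The script below is an added check written for this edit; it is not part of the original post and not Fabric or fabric-ca code. It extracts the DNS names from a certificate's Subject Alternative Name with openssl and fails when the expected FQDN (the second --csr.hosts entry in the commands above) is missing, printing the names the certificate actually carries. It assumes an OpenSSL 1.1.1 or newer binary on PATH; when run without arguments it builds a self-signed demo certificate locally (constructed for the demo, not issued by any CA on this page) whose SAN mirrors what --csr.hosts aa,peer0.org1.example.com is meant to produce. Against the real output, run it as check_node_cert on each node's tls/server.crt with that node's FQDN.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that a node's TLS
# certificate lists the hostname it will be reached at in its Subject
# Alternative Name (SAN). Assumes an OpenSSL 1.1.1+ binary on PATH.

# Print the DNS names from a certificate's SAN extension, one per line.
san_dns_names() {
    # `-ext subjectAltName` prints a header line, then the comma-separated names
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tail -n +2 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Exit status 0 when the expected hostname is listed in the SAN, 1 otherwise.
# -F: fixed string (dots in the FQDN are not regex wildcards), -x: whole line.
san_has_host() {
    san_dns_names "$1" | grep -qxF "$2"
}

# Check a node certificate against the FQDN peers and clients will dial
# (the second --csr.hosts entry in the page's commands). On failure, print
# the names the certificate actually carries so the cause is visible.
check_node_cert() {
    if san_has_host "$1" "$2"; then
        echo "OK: $1 covers $2"
        return 0
    fi
    echo "FAIL: $1 does not cover $2; SAN contains:" >&2
    san_dns_names "$1" | sed 's/^/  /' >&2
    return 1
}

# Constructed demo certificate (self-signed, not issued by any Fabric CA) whose
# SAN mirrors what --csr.hosts aa,peer0.org1.example.com is meant to produce.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=peer0" \
        -addext "subjectAltName=DNS:aa,DNS:peer0.org1.example.com" >/dev/null 2>&1
}

# Usage: ./check_san.sh <cert.pem> <expected-fqdn>
# With no arguments, run the check against the constructed demo certificate.
if [ "$#" -eq 2 ]; then
    check_node_cert "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo_dir=$(mktemp -d)
    make_demo_cert "$demo_dir/server.crt"
    check_node_cert "$demo_dir/server.crt" peer0.org1.example.com
    rm -rf "$demo_dir"
fi
```

The check is deliberately strict: the name a client dials must appear verbatim in the SAN, which is exactly the comparison a TLS client performs, so a certificate that only carries the machine hostname (the overwrite the author observed) is reported as FAIL together with the names it does contain.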
(2) Many of the certificate-generation commands above are cp copy commands. These are essential and must not be omitted. In particular, generating and copying the config.yaml file is indispensable; otherwise an error occurs later when generating genesis.block.