fabric-ca服务构建及证书生成

冰雪_ang

已于 2023-04-18 16:38:39 修改

阅读量3.6k

点赞数 2

分类专栏： Fabric 文章标签：区块链 ca证书

于 2020-07-31 17:20:06 首次发布

本文链接：https://blog.csdn.net/chenzhiang1/article/details/107712755

版权

Fabric 专栏收录该内容

1 篇文章 0 订阅

订阅专栏

前言：

1、为了保证在网络通信过程中信息的安全性，fabric可以设置tls网络通信模式，这就需要我们来生成相关的数字签名证书。关于tls通信需要数字证书的原因以及通信过程，见tls安全网络传输

2、之前fabric的相关证书是我们手动用cryptogen命令来生成的，但是在实际的应用场景中，如果新增用户，这种方式肯定是不行的，我们需要用fabric-ca的方式来生成相关证书。

一、fabric-ca服务的启动

1、fabric-ca镜像

在这里，我们使用docker的方式来启动fabric-ca服务，在启动之前，我们需要下载相关的镜像。

我们直接下载hyperledger/fabric-ca:latest镜像，如下图所示：

docker pull hyperledger/fabric-ca:latest

2、docker-compose.yaml

我们这里启动三个CA服务，分别作为Org1，Org2，Orderer的CA，三个CA服务相互独立。编写docker-compose.yaml文件

docker-compose-orderer.yaml

fabric-ca-server-orderer:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-orderer
  ports:
    - "9054:9054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=9054
    - FABRIC_CA_SERVER_CA_NAME=ca-orderer
    - COMPOSE_PROJECT_NAME=ca-orderer
  volumes:
    - "./fabric-ca-server-orderer:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'

docker-compose-org1.yaml

fabric-ca-server-org1:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org1
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - COMPOSE_PROJECT_NAME=ca-org1
  volumes:
    - "./fabric-ca-server-org1:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'

docker-compose-org2.yaml

fabric-ca-server-org2:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org2
  ports:
    - "8054:8054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=8054
    - FABRIC_CA_SERVER_CA_NAME=ca-org2
    - COMPOSE_PROJECT_NAME=ca-org2
  volumes:
    - "./fabric-ca-server-org2:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'

3、启动容器

docker-compose -f docker-compose-orderer.yml up -d
docker-compose -f docker-compose-org1.yml up -d
docker-compose -f docker-compose-org2.yml up -d

fabric-ca启动成功之后，在当前文件夹下会生成fabric-ca-server-org1，fabric-ca-server-org2，fabric-ca-server-orderer三个文件夹，里面分别存放的是org1-CA，org2-CA，orderer-CA的根证书(ca-cert.pem)和私钥(ff6a43faf30fefb3ddd47033e34318b93d580513eebc2bf0ca464f07f4ca01f4_sk)，目录结构如下：

二、生成证书

1、编译fabric-ca-client

为了生成证书，我们需要fabric-ca-client命令。我这边是手动进行编译的，下载fabric-ca源码，使用master分支即可。

(1)、注意事项：

由于是第一次使用golang语言开发的项目，发现hyperleger-fabric这个项目必须放在一个固定的目录，该项目必须放在golang的src/github.com/hyperledger目录下，同理，fabric-ca这个项目也必须放在这个目录下，否则编译将报错找不到相关的代码。

如下，我的golang的安装目录是：/home/zachen2/golang/go

在golang的目录下有一个src目录，我们必须手动创建目录：src/github.com/hyperledger

然后将fabric-ca的源码下载到src/github.com/hyperledger这个目录下，如下图所示：

(2)、编译

进入到fabric-ca目录，直接使用make fabric-ca-client命令进行编译。

编译完成后，会在fabric-ca的bin目录下生成fabric-ca-client命令，如下图所示：

2、证书生成

作者的fabric网络节点架构如下：

组织1：一个peer节点，一个Admin，一个User

组织2：一个peer节点，一个Admin，一个User

orderer：三个orderer节点，一个Admin

生成证书的命令如下：

#!/bin/bash

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/

./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 --caname ca-org1

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml

#组织1 peer0的msp证书
./fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'

./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts aa,peer0.org1.example.com

cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp

./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org1.example.com

cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt

mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem

#组织1 user的证书
./fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'

./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp  

./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls  --enrollment.profile tls

cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.key

cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/config.yaml

#组织1 admin的证书
./fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'

./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp 

./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls  --enrollment.profile tls 

cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key

cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/

./fabric-ca-client enroll -u http://admin:adminpw@localhost:8054 --caname ca-org2

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml

#组织2 peer0的msp证书
./fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'

./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts aa,peer0.org2.example.com

cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp

./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org2.example.com

cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem

#组织2 user的证书
./fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'

./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp 

./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls  --enrollment.profile tls 

cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/tls/client.key

cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp/config.yaml

#组织2 admin的证书
./fabric-ca-client register --caname ca-org2 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'

./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp 

./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls  --enrollment.profile tls 

cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.key

cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com

./fabric-ca-client enroll -u http://admin:adminpw@localhost:9054 --caname ca-orderer

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml
#orderer的证书
./fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'

./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts aa,orderer.example.com

cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml

./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer.example.com

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key

mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

mkdir ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/ca.crt



#orderer2的证书
./fabric-ca-client register --caname ca-orderer --id.name orderer2 --id.secret orderer2pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'

./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --csr.hosts aa,orderer2.example.com

cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/config.yaml

./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer2.example.com

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key

mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem


#orderer3的证书
./fabric-ca-client register --caname ca-orderer --id.name orderer3 --id.secret orderer3pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'

./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp --csr.hosts aa,orderer3.example.com 

cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/config.yaml

./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer3.example.com 

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.key

mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts/tlsca.example.com-cert.pem


#orderer admin的证书
./fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'

./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp 

cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/config.yaml

./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls --enrollment.profile tls 

cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/ca.crt

cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/client.crt

cp ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/tls/client.key

3、遇到的问题

(1)、关于--csr.hosts参数的问题

这个参数，我在网上查了一下，会生成到证书的X509v3 Subject Alternative Name中去，这个Subject Alternative Name的作用是说明了这张证书支持的域名，一个数字证书可以支持多个域名。

在上面生成证书命令中，我把--csr.hosts的第一个域名都设置成了aa，原因是：

1、如果我设置一个对应的域名(比如orderer.example.com)，这个域名会被我电脑的主机名给覆盖掉(暂时不知道原因)，导致Subject Alternative Name中的域名不正确。

2、如果我把--csr.hosts设置成aa,orderer.example.com，那么他只会覆盖第一个域名aa，后面的域名orderer.example.com会正确保留下来，如下图：

反解证书的命令：openssl x509 --in server.crt -text

图中红框里的就是Subject Alternative Name，可以看到并没有aa这个域名，是被zachen2-VirtualBox(我utuntu机器的主机名)给覆盖掉了。

所以为了避免这个问题，我给所有的--csr.hosts的都加了一个aa的域名，防止我想要的域名给覆盖掉。

(2)、上面生成证书的命令中，有很多是cp数据拷贝的命令，这些是必不可少的，不能省略。尤其是config.yaml文件的生成和拷贝过程是不可缺少的，不然在后面生成genesis.block的过程中会报错。

冰雪_ang

关注

2
点赞
踩
19

收藏

觉得还不错? 一键收藏
3
评论
fabric-ca服务构建及证书生成

前言：1、为了保证在网络通信过程中信息的安全性，fabric可以设置tls网络通信模式，这就需要我们来生成相关的数字签名证书。关于tls通信需要数字证书的原因以及通信过程，见tls安全网络传输2、之前fabric的相关证书是我们手动用cryptogen命令来生成的，但是在实际的应用场景中，如果新增用户，这种方式肯定是不行的，我们需要用fabric-ca的方式来生成相关证书。一、fabric-ca服务的启动1、fabric-ca镜像在这里，我们使用docker的方式来启动...
复制链接

扫一扫