超级账本学习笔记（8）-fabric-ca

鲁班相信爱情

已于 2024-04-19 20:55:55 修改

阅读量815

点赞数 22

分类专栏：超级账本学习笔记文章标签：学习笔记 fabric

于 2024-04-19 20:29:57 首次发布

本文链接：https://blog.csdn.net/weixin_48473914/article/details/137976691

版权

超级账本学习笔记专栏收录该内容

9 篇文章 2 订阅

订阅专栏

Fabric CA部署

前言

不知不觉，研究生三年的时光即将告一段落，毕业在即。回想起当初学习的场景，那时候笔记本上记满了密密麻麻的笔记，如今想要扔掉却又舍不得。因此，我决定将当初刚入门区块链时的学习笔记分享出来。由于是跨考的，所以当时的我对区块链甚至是计算机都一窍不通，直接开始了学习之旅。因此，笔记中可能存在一些错误，仅供参考，切勿直接照搬。希望读者能够在阅读的过程中保持思考，同时，大体逻辑是可靠的。如果发现了任何错误，请务必告知我，我将及时进行修改。

一、Fabric CA简介

HyperLedger Fabric CA 是 HyperLedger Fabric 的证书颁发机构。前面几章演示的案例所需要的证书及公私钥，都是通过cryptogen工具根据crypto-config.yaml配置情况生成证书及公私钥文件的。但是如果用于生产环境，则必须要有一个中心证书机构统一管理和维护证书，合理地划分CA层级，使得新组织加入时不会影响正在使用的证书，使其具有良好的可扩展性。

HyperLedger Fabric把 CA 提炼成单独的组件，与总体架构相配合，形成完整的证书颁发方案，Fabric CA架构如图9-1所示。

图9-1是Fabric CA官方提供的架构图，说明如下。

(1)Fabric CA Root Server是根证书服务，在一个正式的Fabric 网络中，可以有一个或多个根证书。建议在正式环境中只存在一个根证书，这个根证书不用于具体CA证书颁发，具体的颁发交由中间CA处理。

(2)Fabric CA Intermediate Server是中间证书服务，每个中间证书隶属于根证书，或者隶属于其他中间证书。在正式环境中，建议每个组织对应一个中间证书，由该中间证书负责处理该组织的全部节点和成员的证书颁发。

(3)Cluster of Fabric CA Servers 是Fabric CA 服务器集群，可以把中间证书服务通过HA Proxy代理实现Fabric CA服务器集群，将流量负载平衡到一个Fabric CA集群成员。各集群成员生成的证书保存到同一个数据库中，方便查询身份和证书。数据库可以采用MySQL、PostgreSQL和LDAP (Lightweight Directory Access Protocol，轻量目录访问协议)。

(4）Fabric CA Client是 CA客户端，负责登记、注册、销毁证书等。

(5）与Hyperledger Fabric CA服务器交互有两种方式，一种是通过Fabric CA 客户端，另一种是通过其中一个Fabric SDK。所有交互的通信都是通过 REST API进行的。

Fabric CA 有以下4个主要功能。

(1〉各实体的身份注册和登记。

(2）给各实体发放登记证书（ECerts)。

(3）给各交易发布交易证书（TCerts)。

(4）各颁发证书的更新和撤销。

二、Fabric CA 安装

1、目录

$GOPATH/src/github.com/hyperledger/fabric-ca

2、依赖工具安装

cd $GOPATH/src/github.com/hyperledger

yum install libtool libl-dev libtool-ltdl-devel

安装出错，关机重启

3、Fabric CA 安装

git clone https://github.com/hyperledger/fabric-ca.git

git branch -a

cd fabric-ca

git checkout v1.4.0

make fabric-ca-server

make fabric-ca-client

备注：不知道为在当前目录下自动生成bin目录，同时在 bin目录下生成fabric-ca-client和fabric-ca-server 两个文件。

3.2错误

make: *** 没有规则可以创建目标“fabric-ca-server”。停止

这里我执行命令时遇到了关于golang第三方包的引用报错的问题

3.2.1报错如下：

no required module provides package github.com/hyperledger/fabric-ca/cmd/fabric-ca-server: go.mod file not found in current directory or any parent directory; see 'go help modules'

3.2.2解决办法

go env -w GO111MODULE=auto

3.2.3—配置环境变量

vi /etc/profile

3.2.4添加以下内容

export GOBIN=$GOPATH/src/github.com/hyperledger/fabric-ca/bin

export PATH=$PATH:$GOBIN

3.2.5环境变量生效

service /etc/profile

3.3检查是否安装成功

fabric-ca-server version

fabric-ca-client version

三、目录

目录$GOPATH/src/github.com/hyperledger/fabric-ca

四、fabric CA 服务端命令

4.1、Fabric CA服务器初始化

4.1.1前置信息

在启动Fabric CA 服务之前需要进行初始化，初始化完成后会生成配置文件 fabric-ca-serverconfig.yaml，在Fabric CA 启动前可以在配置文件中自定义配置证书签名请求(Certificate Signing Request，CSR）参数。

Fabric CA 主目录使用的顺序如下。

(1）如果设置了-home命令行选项，优先使用该值。

(2）否则，如果设置了FABRIC_CA_SERVER_HOME环境变量，使用该值。

(3）否则，如果设置了FABRIC_CA_HOME环境变量，使用该值。

(4）否则，如果设置了CA_CFG_PATH环境变量，使用该值。

(5)否则，使用当前工作目录。

4..1.2Fabric CA服务器初始化

Fabric CA 通过init命令进行服务器初始化，在LDAP禁用的情况下，需要指定-b<USER_NAME> :<PASSWORD>参数，<USER_NAME>:<PASSWORD>为默认管理员用户名和密码，通过--home参数指定Fabric CA Server 主目录。

4.2、init命令如下。

简单

fabric-ca-server init -b admin:adminpw

书上

fabric-ca-server init -b admin:adminpw --home ./fabriccaserver --cfg.affiliations.allowremove --cfg.identities.allowremove

init参数说明

参数	说明
--home<目录>	指定主目录
--cfg.affiliations.allowremove	指定允许删除联盟
cfg.identities.allowremove	指定允许删除用户

错误

问题描述

fabric-ca-server: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by fabric-ca-server)

CentOS Linux release 7.3.1611 (Core) 环境安装Mysql8.0.27版本的时候，报错如下： mysqld: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by mysqld) mysqld: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by /lib64/libstdc++.so.6) 本文详细说明了报错的处理

查看.

错误原因

出现这个问题的原因是glibc的版本太低，

查看系统glibc支持的版本

strings /lib64/libc.so.6 |grep GLIBC_

解决办法

1.centos 升级GCC编译器

yum -y install centos-release-scl

yum -y install devtoolset-8-gcc devtoolset-8-gcc-c++ devtoolset-8-binutils

scl enable devtoolset-8 bash

echo "source /opt/rh/devtoolset-8/enable" >>/etc/profile

2、升级make

wget http://ftp.gnu.org/gnu/make/make-4.2.tar.gz

tar -xzvf make-4.2.tar.gz

cd make-4.2

./configure

make

make install

rm -rf /usr/bin/make

cp ./make /usr/bin/

make -v

3编译安装glibc-2.28

curl -O http://ftp.gnu.org/gnu/glibc/glibc-2.28.tar.gz

tar zxf glibc-2.28.tar.gz

cd glibc-2.28/

mkdir build

cd build/

../configure --prefix=/usr --disable-profile --enable-add-ons --with-headers=/usr/include --with-binutils=/usr/bin

make && make install

注意：此过程需要耐心等待10分钟即可

在执行make install 的时候

Please read the FAQ and the README file and check the following:

- Did you change the gcc specs file (necessary after upgrading from

Linux libc5)?

- Are there any symbolic links of the form libXXX.so to old libraries?

Links like libm.so -> libm.so.5 (where libm.so.5 is an old library) are wrong,

libm.so should point to the newly installed glibc file - and there should be

only one such link (check e.g. /lib and /usr/lib)

You should restart this script from your build directory after you've

fixed all problems!

Btw. the script doesn't work if you're installing GNU libc not as your

primary library!

make[1]: *** [Makefile:111: install] Error 1

make[1]: Leaving directory '/opt/tmp/glibc-2.30'

make: *** [Makefile:12: install] Error 2 # 此编译错误可以无视

4、查看是否安装成功

ls -l /lib64/libc.so.6

lrwxrwxrwx 1 root root 12 Sep 18 15:14 /lib64/libc.so.6 -> libc-2.30.so # 表示安装成功

5、错误

终端无法使用

用xshell链接centos7 显示：

-bash: warning: setlocale: LC_TIME: cannot change locale (en_US.UTF-8)

原因分析：

编译升级了某个软件如 glibc

解决方法：

继续执行

make localedata/install-locales

如果不执行，系统不会安装设置的字符编码：比如我系统上设置的是字符编码是en_US.UTF-8，而系统并没有安装en_US.UTF-8字符编码

4.3、fabric-ca服务器启动

创建fabriccaserver文件夹

简单

fabric-ca-server start -b admin:adminpw

书上

fabric-ca-server start -b admin:adminpw --home ./fabriccaserver

5、启动fabric-ca-server

4.1、docker启动

此处采取docker启动，可以参考fabric-sample/first-network/docker-compose-cli-ca.yaml

docker-compose -f docker-compose-cli-ca.yaml up -d ca0

4.2、命令行启动

4.2.1初始化

fabric-ca-server init -b admin:adminpw

4.2.2随便找一处创建文件夹

mkdir fabriccaserver

cd fabriccaserver

fabric-ca-server start -b admin:adminpw

4.3 操作

主要通过调用Fabric CA的客户端来测试Fabric相关功能。对外提供的接口如下：

enroll：登记账号

gencrl：撤销证书

gencsr：创建证书签名

cainfo：获取CA信息

reenroll：重新登记账号

revoke：撤销一个账号

version：显示版本信息

五、fabric CA 客户端命令

Fabric CA客户端命令与服务端交互是通过RESTful API和客户端工具fabric-ca-client两种方式。本节主要介绍fabric-ca-client方式，RESTful API的调用将在第12章进行详细介绍。

Fabric CA主要命令如表9-3所示。

5.1、备注：操作

主要通过调用Fabric CA的客户端来测试Fabric相关功能。对外提供的接口如下：

enroll：登记账号

gencrl：撤销证书

gencsr：创建证书签名

cainfo：获取CA信息

reenroll：重新登记账号

revoke：撤销一个账号

version：显示版本信息

5.2使用fabric-ca

5.2.1、fabric注册用户身份

打开一个新的端口

创建fabriccaclient文件夹

5.1 获取CA信息

fabric-ca-client getcainfo -u http://admin:adminpw@localhost:7054

5.2 登记用户

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

enroll 命令访问指定的 Fabric-CA 服务，采用 admin 用户进行注册。在 Fabric-CA 客户端主目录下创建配置文件 fabric-ca-clien-config.yaml 和 msp 子目录，存储注册证书（ECert），相应的私钥和 CA 证书 PEM 文件

enroll命令参数说明

5.3 注册用户

admin用户是enroll成功的，接下来用admin作为登记员（Register）来注册（register）一个新用户。

fabric-ca-client register --id.name Eric --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'

register命令参数

其他命令（未验证）

重新登记用户身份

注销已签发的用户证书

列举组织关系信息、

移除组织关系

添加组织关系

5.4 生成peer/orderer节点msp/tls信息

5.4.1创建fabric-ca-client配置文件环境变量：

vi /etc/profile

source /etc/profile

/home/lhc/go-work/src/github.com/hyperledger/fabric-ca/fabriccaclient

export FABRIC_CA_CLIENT_HOME=/home/lhc/go-work/src/github.com/hyperledger/fabric-ca/fabriccaclient

5.4.2创建fabric-ca-client-msp配置文件路径

mkdir -p /home/lhc/go-work/src/github.com/hyperledger/fabric-ca-client

5.4.3从fabric-ca源码中复制fabric-ca客户端配置文件：

cp $GOPATH/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-client-config.yaml /home/lhc/go-work/src/github.com/hyperledger/fabric-ca/fabriccaclient

5.4.4登记admin用户

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

5.5 msp信息

打开fabric-ca-client终端

5.5.1注册ordere节点

fabric-ca-client register --id.name orderer --id.type orderer --id.affiliation org1.department1 --id.secret orderer-password

5.5.2注册peer节点

fabric-ca-client register --id.name peer --id.type peer --id.affiliation org1.department1 --id.secret peer-password

5.5.3登记orderer节点

fabric-ca-client enroll -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml -M $FABRIC_CA_CLIENT_HOME/orderer/msp

不知道为啥，这里识别不到环境变量修改为

fabric-ca-client enroll -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml -M ./orderer/msp

查看文件目录

5.5.6登记peer节点

fabric-ca-client enroll -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M .home/peer/msp

查看文件目录

生成order节点和peer节点的tls信息

生成peer节点tls信息

fabric-ca-client enroll -d --enrollment.profile tls -u http://peer:peer-password@localhost:7054 -c fabric-ca-client-config-peer.yaml -M .home/peer/tls

生成order节点tls信息

fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer:orderer-password@localhost:7054 -c fabric-ca-client-config-orderer.yaml -M .home/orderer/tls

六、生产环境fabric CA 网络拓扑

在Fabric Kafka生产环境部署的基础上部署Fabric CA，使用

Fabric CA 来生成公私钥和证书等文件，包括生成TLS相关的公私钥和证书等文件，以及全部替换cryptogen工具。

Fabric kafka生产环境部署有3个组织，分别为1个Orderer 组织和2个Peer 组织，对应的组织ID分别为example.com、org1.example.com和 org2.example.com。为了让生产环境Fabric CA 具有扩展性和安全性，会分配1个逻辑的根CA (RootCA）和3个中间CA(IntermediCA)，3个Intermedia CA 都隶属于RootCA。

3个IntermediaCA 分别负责1个Orderer 组织和2个Peer 组织的公私钥和证书的生成。当有新的组织加入时，只需再生成一个

Intermedia CA 接入RootCA 下，不会影响其他 lntermedia CA，生产环境FabricCA网络拓扑图如图9-2所示。

9.6 生产环境Fabric CA运行与配置

根据生产环境Fabric CA 网络拓扑图，实现生产环境Fabric CA 的部署，并生成 Fabric Kafka 生产环境部署所需要的公私钥、证书及TLS证书等文件。将生产环境Fabric CA 部署到第8章Fabric Kafka生产环境的kafka3 (192.168.235.6）服务器上。4个CA都在同一台计算机上，端口号不能使用同一个，对应的端口号如表9-11所示。

表9-11端口号配置

CA	端口
rootCA	7054
IntermediaCA1	7055\|\|10443
IntermediaCAtls1	8055\|\|11434
IntermediaCA2	7056\|\|10444
IntermediaCAtls2	8056\|\|11444
IntermediaCA3	7057\|\|10445
IntermediaCAtls3	8057\|\|11445

9.6.1CA服务启动

CA服务启动步骤如下

1. RootCA启动

RootCA启动的步骤如下。

（1）创建目录ca-server

cd $GOPATH/src/github.com/hyperledger/fabric-ca/bin

mkdir ca-server

cd ca-server

（2）初始化RootCA服务

fabric-ca-server init -b admin:adminpw --home ./rootca

vi ./rootca/fabric-ca-server-config.yaml

修改RootCA的服务端配置如下

version: 1.4.0

（3）启动Root CA服务

①命令行启动：

fabric-ca-server start -b admin:adminpw --home ./rootca --cfg.affiliations.allowremove --cfg.identities.allowremove

错误(解决了，但是过程可能不太行)

Error: listen tcp 127.0.0.1:9443: bind: address already in use

导致了我的服务器无法使用，身为计算机网络原理和网络工程的我知道问题所在：原来我的TCP 6443被占用了

终端输入

sudo lsof -i :9443

所以，问题找出来了。是个pid 9691 的玩意儿在使用我的TCP端口

kill 掉这个PID

kill xx端口 -9 pid

②Docker启动：

复制文件docker-rootca.yaml到ca-server目录。

docker-compose -f docker-rootca.yaml up -d

2.IntermediaCA1启动

IntermediaCA1启动的步骤如下。

（1）初始化IntermediaCA1服务

fabric-ca-server init -b admin1:adminpw1 -u http://admin:adminpw@localhost:7054 --home ./intermediaca1

vi ./intermediaca1/fabric-ca-server-config.yaml

修改IntermediaCA1的服务端配置文件如下

version: 1.4.0

port: 7055

（2）启动IntermediaCA1服务

（2）启动IntermediaCAtls3服务

①命令行启动：

fabric-ca-server start -b admin3:adminpw3 -u http://admin:adminpw@localhost:7054 --home ./intermediacatls3 --cfg.affiliations.allowremove --cfg.identities.allowremove

②Docker启动：

复制文件docker-intermediacatls3.yaml到ca-server目录。

# docker-compose -f docker-intermediacatls3.yaml up -d

9.6.2 IntermediaCA1生成

证书

IntermediaCA1生成证书的步骤如下。

1.生成example.com的MSP

生成example.com的MSP的步骤如下。

（1）登记example.com

cd /opt/gopath/src/github.com/hyperledger/fabric-ca/bin/ca-server

fabric-ca-client enroll -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

（2）添加联盟成员

①

fabric-ca-client affiliation list -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

②

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

③

fabric-ca-client affiliation remove --force org2 -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

④

fabric-ca-client affiliation add com -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

⑤

fabric-ca-client affiliation add com.example -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

2.生成Admin@example.com的MSP

生成Admin@example.com的MSP的步骤如下。

（1）注册Admin@example.com

fabric-ca-client register --id.name Admin@example.com --id.type client --id.affiliation "com.example" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:adminpw1@localhost:7055 --home ./fabric-ca-client

（2）登记Admin@example.com

fabric-ca-client enroll -u http://Admin@example.com:123456@localhost:7055 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/users/Admin@example.com/msp --home ./fabric-ca-client

（3）生成MSP

mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/msp/admincerts

生成example.com的MSP的步骤如下。

（1）登记example.com

cd /opt/gopath/src/github.com/hyperledger/fabric-ca/bin/ca-server

fabric-ca-client enroll -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

（2）添加联盟成员

①

fabric-ca-client affiliation list -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

②

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

③

fabric-ca-client affiliation remove --force org2 -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

④

# fabric-ca-client affiliation add com -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

⑤

# fabric-ca-client affiliation add com.example -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

2.生成Admin@example.com的TLS

生成Admin@example.com的TLS的步骤如下。

（1）注册Admin@example.com

fabric-ca-client register --id.name Admin@example.com --id.type client --id.affiliation "com.example" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

（2）登记Admin@example.com

fabric-ca-client enroll -d --enrollment.profile tls -u http://Admin@example.com:123456@localhost:8055 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tls

cp ./intermediacatls1/ca-chain.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tls/client.crt

（好像需要自己找）

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp/keystore/7f5bd7992d4e4ce1a61adfc9dec61b32c40e474e70825425d45c7d5619d110bc_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tls/client.key

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp/tlscacerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/msp

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp/tlsintermediatecerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/msp

#rm -rf ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/tlstmp

3.生成orderer0.example.com的TLS

生成orderer0.example.com的TLS的步骤如下。

（1）注册orderer0.example.com

# fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

（2）登记orderer0.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer0.example.com:123456@localhost:8055 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls

# cp ./intermediacatls1/ca-chain.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tlstmp/keystore/91362ee1759b9effe73e220a8595294e5cd718888e474235f911e4a9bea44d09_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.key

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tlstmp/tlscacerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tlstmp/tlsintermediatecerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp

#rm -rf ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/ orderer0.example.com/tlstmp

4.生成orderer1.example.com的TLS

生成orderer1.example.com的TLS的步骤如下。

（1）注册orderer1.example.com

# fabric-ca-client register --id.name orderer1.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

（2）登记orderer1.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer1.example.com:123456@localhost:8055 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls

# cp ./intermediacatls1/ca-chain.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp/keystore/d313f670155fffaba890ac3140ff37000632b9b7809a298b69f8d31be0bcc8c4_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.key

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp/tlscacerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/msp

cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp/tlsintermediatecerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/msp

#rm -rf ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tlstmp

5.生成orderer2.example.com的TLS

生成orderer2.example.com的TLS的步骤如下。

（1）注册orderer2.example.com

# fabric-ca-client register --id.name orderer2.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tlstmp -u http://admin1:adminpw1@localhost:8055 --home ./fabric-ca-client

（2）登记orderer2.example.com

fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer2.example.com:123456@localhost:8055 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls

# cp ./intermediacatls1/ca-chain.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp/keystore/9ac6d07e29550b941f75f97bee377bc48db682d49a432dbf676a0f408aef00d1_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp/tlscacerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/msp

# cp -r ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp/tlsintermediatecerts ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/msp

#rm -rf ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tlstmp

#rm -rf ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/tlstmp

9.6.4 IntermediaCA2生成证书

IntermediaCA2生成证书的步骤如下。

1.生成org1.example.com的MSP

生成org1.example.com的MSP的步骤如下。

（1）登记org1.example.com

# fabric-ca-client enroll --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

# vi ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/msp/config.yaml

在/msp/config.yaml中做如下配置

NodeOUs:

Enable: true

ClientOUIdentifier:

Certificate: intermediatecerts/localhost-7056.pem

OrganizationalUnitIdentifier: client

PeerOUIdentifier:

Certificate: intermediatecerts/localhost-7056.pem

OrganizationalUnitIdentifier: peer

（2）添加联盟成员

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example.org1 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

2.生成Admin@example.com的MSP

生成Admin@example.com的MSP的步骤如下。

（1）注册Admin@example.com

fabric-ca-client register --id.name Admin@org1.example.com --id.type client --id.affiliation "com.example.org1" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

参考

# fabric-ca-client register --id.name Admin@org1.example.com --id.type client --id.affiliation "com.example.org1" --id.attrs '"hf.Registrar.Roles=client,orderer,peer, user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./ crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost: 7056 --home ./fabric-ca-client

（2）登记Admin@examle.com

fabric-ca-client enroll -u http://Admin@org1.example.com:123456@localhost:7056 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/admincerts

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/admincerts

mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/msp/admincerts

cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/msp/admincerts

3.生成peer0.org1.example.com的MSP

生成peer0.org1.example.com的MSP的步骤如下。

（1）注册peer0.org1.example.com

fabric-ca-client register --id.name peer0.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

（2）登记peer0.org1.example.com

fabric-ca-client enroll -u http://peer0.org1.example.com:123456@localhost:7056 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/admincerts

4.生成peer1.org1.example.com的MSP

生成peer1.org1.example.com的MSP的步骤如下。

（1）注册peer1.org1.example.com

fabric-ca-client register --id.name peer1.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:adminpw2@localhost:7056 --home ./fabric-ca-client

（2）登记peer1.org1.example.com

# fabric-ca-client enroll -u http://peer1.org1.example.com:123456@localhost:7056 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/admincerts

9.6.5 IntermediaCAtls2生成证书

IntermediaCAtls2生成证书的步骤如下。

1.生成org1.example.com的TLS

生成org1.example.com的TLS的步骤如下。

（1）登记org1.example.com

# fabric-ca-client enroll --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

（2）添加联盟成员

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

# fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

# fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example.org1 -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

2.生成Admin@example.com的TLS

生成Admin@example.com的TLS的步骤如下

（1）注册Admin@example.com

# fabric-ca-client register --id.name Admin@org1.example.com --id.type client --id.affiliation "com.example.org1" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

（2）登记Admin@example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://Admin@org1.example.com:123456@localhost:8056 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls

cp ./intermediacatls2/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tlstmp/keystore/ef1a30829aff7d2d4066e272fa62259a15b70c4cbf4fa8ae5049904331c7a288_sk ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tlstmp

3.生成peer0.org1.example.com的TLS

生成peer0.org1.example.com的TLS的步骤如下。

（1）注册peer0.org1.example.com

fabric-ca-client register --id.name peer0.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

（2）登记peer0.org1.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org1.example.com:123456@localhost:8056 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example. com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls

# cp ./intermediacatls2/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlstmp/keystore/f0dfb5c4b78407c41f8a040e4ca4f7dba204278086cc718ef0b46697336a0ccd_sk ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlstmp

4.生成peer1.org1.example.com的TLS

生成peer1.org1.example.com的TLS的步骤如下。

（1）注册peer1.org1.example.com

# fabric-ca-client register --id.name peer1.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tlstmp -u http://admin2:adminpw2@localhost:8056 --home ./fabric-ca-client

（2）登记peer1.org1.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer1.org1.example.com:123456@localhost:8056 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example. com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls

cp ./intermediacatls2/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/ca.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tlstmp/keystore/1f61eb4458ef96c3f5bd0ef2a5761e11506804a53681c65f3761bb6090c3aad7_sk ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.key

rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tlstmp

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/tlstmp

9.6.6 IntermediaCA3生成

证书

IntermediaCA3生成证书的步骤如下。

1.生成org2.example.com的MSP

生成org2.example.com的MSP的步骤如下。

（1）登记org2.example.com

# fabric-ca-client enroll --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

# vi ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/msp/config.yaml

在/msp/config.yaml中做如下配置。

NodeOUs:

Enable: true

ClientOUIdentifier:

Certificate: intermediatecerts/localhost-7057.pem

OrganizationalUnitIdentifier: client

PeerOUIdentifier:

Certificate: intermediatecerts/localhost-7057.pem

OrganizationalUnitIdentifier: peer

（2）添加联盟成员

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

# fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

# fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example.org2 -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

2.生成Admin@example.com的MSP

生成Admin@example.com的MSP的步骤如下。

（1）注册Admin@example.com

fabric-ca-client register --id.name Admin@org2.example.com --id.type client --id.affiliation "com.example.org2" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

（2）登记Admin@example.com

fabric-ca-client enroll -u http://Admin@org2.example.com:123456@localhost:7057 --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/admincerts

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/admincerts

mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/msp/admincerts

3.生成peer0.org2.example.com的MSP

生成peer0.org2.example.com的MSP的步骤如下。

（1）注册peer0.org2.example.com

# fabric-ca-client register --id.name peer0.org2.example.com --id.type peer --id.affiliation "com.example.org2" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

（2）登记peer0.org2.example.com

# fabric-ca-client enroll -u http://peer0.org2.example.com:123456@localhost:7057 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/admincerts

4.生成peer1.org2.example.com的MSP

生成peer1.org2.example.com的MSP的步骤如下。

（1）注册peer1.org2.example.com

fabric-ca-client identity modify user1 --json '{"secret": "123456", "affiliation":com.example.org2 ".", "attrs": [{"name": "hf.Regisrar.Roles", "value": "peer,client"},{"name": "hf.Revoker", "value": "true"}]}'

fabric-ca-client register --id.name peer1.org2.example.com --id.type peer --id.affiliation "com.example.org2" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer1.org2.example.com --csr.hosts=['peer1.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/msp -u http://admin3:adminpw3@localhost:7057 --home ./fabric-ca-client

（2）登记peer1.org2.example.com

fabric-ca-client enroll -u http://peer1.org2.example.com:123456@localhost:7057 --csr.cn=peer1.org2.example.com --csr.hosts=['peer1.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp --home ./fabric-ca-client

（3）生成MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp/admincerts

9.6.7 IntermediaCAtls3生成证书

IntermediaCAtls3生成证书步骤如下。

1.生成org2.example.com的TLS

生成org2.example.com的TLS的步骤如下。

（1）登记org2.example.com

# fabric-ca-client enroll --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

（2）添加联盟成员

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

# fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

# fabric-ca-client affiliation add com.example.org2 -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

2.生成Admin@example.com的TLS

生成Admin@example.com的TLS的步骤如下。

（1）注册Admin@example.com

fabric-ca-client register --id.name Admin@org2.example.com --id.type client --id.affiliation "com.example.org2" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

（2）登记Admin@example.com

fabric-ca-client enroll -d --enrollment.profile tls -u http://Admin@org2.example.com:123456@localhost:8057 --csr.cn=org2.example.com --csr.hosts=['org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls

cp ./intermediacatls3/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/ca.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tlstmp/keystore/2ba445474949a3be710f2af40b7586c7d56e8d517f914209b79ebac6b41470e6_sk ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tls/client.key

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/tlstmp

3.生成peer0.org2.example.com的TLS

生成peer0.org2.example.com的TLS的步骤如下。

（1）注册peer0.org2.example.com

（密码错了）

fabric-ca-client identity remove peer0.org2.example.com --id.type peer --id.affiliation "com.example.org2" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

# fabric-ca-client register --id.name peer0.org2.example.com --id.type peer --id.affiliation "com.example.org2" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

（2）登记peer0.org2.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org2.example.com:123456@localhost:8057 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2. example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlstmp --home ./fabric-ca-client

fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org2.example.com:123456@localhost:8056 --csr.cn=peer0.org2.example.com --csr.hosts=['peer0.org2.example. com'] -M ./crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls

cp ./intermediacatls3/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt

# cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlstmp/keystore/59f219ec15c6052ce3973cb9a6665a3e39dcf6b5b01bec04d632b2f00c1bb5fe_sk ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlstmp

4.生成peer1.org2.example.com的TLS

生成peer1.org2.example.com的TLS的步骤如下。

（1）注册peer1.org2.example.com

fabric-ca-client register --id.name peer1.org2.example.com --id.type peer --id.affiliation "com.example.org2" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer1.org2.example.com --csr.hosts=['peer1.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/tlstmp -u http://admin3:adminpw3@localhost:8057 --home ./fabric-ca-client

（2）登记peer1.org2.example.com

# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer1.org2.example.com:123456@localhost:8057 --csr.cn=peer1.org2.example.com --csr.hosts=['peer1.org2.example.com'] -M ./crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tlstmp --home ./fabric-ca-client

（3）生成TLS

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls

# cp ./intermediacatls3/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/ca.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.crt

cp ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tlstmp/keystore/1dccdf94a27c6cbc41e3f236b77e2d774cafec08c6a36721a69522c75dfd289c_sk ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.key

rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tlstmp

# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org2.example.com/tlstmp

9.6.8 验证CA证书

用Fabric CA生成的证书替换第8章 Fabric Kafka生产环境部署中使用cryptogen生成的证书，复制./fabric-ca-client/crypto-config目录到kafkapeer目录下（删除原先的crypto-config目录），然后生成创世区块和通道配置文件，后续步骤将下面的代码

ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

修改为

ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/

ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/t ls-localhost-8055.pem

除此以外，其他步骤不变。

9.7 本章小结

前面章节在环境部署时，系统都是通过cryptogen工具根据crypto-config.yaml配置情况生成证书及公私钥文件的，但是生产环境必须要有一个中心证书机构，用来统一管理和维护证书，实现各实体的身份注册和登记、发放登录证书、发布交易证书及证书的更新和撤销等功能。

本章简要介绍了Fabric CA基础概念及操作命令，然后通过第8章Fabric Kafka生产环境部署的案例，用Fabric CA替换cryptogen工具，手把手地演示了使用Fabric CA生成MSP和TLS所需的证书文件，最后通过验证，保证生成的证书可用。

鲁班相信爱情

关注

22
点赞
踩
28

收藏

觉得还不错? 一键收藏
0
评论
超级账本学习笔记（8）-fabric-ca

用Fabric CA生成的证书替换第8章 Fabric Kafka生产环境部署中使用cryptogen生成的证书，复制./fabric-ca-client/crypto-config目录到kafkapeer目录下（删除原先的crypto-config目录），然后生成创世区块和通道配置文件，后续步骤将下面的代码。在 Fabric-CA 客户端主目录下创建配置文件 fabric-ca-clien-config.yaml 和 msp 子目录，存储注册证书（ECert），相应的私钥和 CA 证书 PEM 文件。
复制链接

扫一扫

专栏目录