
Fabric CA


1 Introduction to Fabric CA

A Fabric network uses Fabric CA to provide PKI-compliant identity and certificate management. Fabric CA implements the following main functions:


- identity management for every entity in the Fabric network, including registration and revocation
- certificate management, including issuing and revoking the various public-key certificates
- a server that exposes a RESTful API, plus a command-line client

Fabric CA follows a client/server architecture, with a server component and a client component.


- the server implements the PKI service and certificate management, supports several database back ends, and supports load balancing
- the client provides access to the server and a command-line interface for users

1 Deploying the CA server

For example, here is the container orchestration configuration for organization Org1's CA server in the test-network sample; the image on the official Docker Hub is named hyperledger/fabric-ca.


ca_org1:
  image: hyperledger/fabric-ca:$IMAGE_TAG
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_PORT=7054
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
  container_name: ca_org1
  networks:
    - test
- environment: FABRIC_CA_HOME sets /etc/hyperledger/fabric-ca-server as the working directory; FABRIC_CA_SERVER_CA_NAME sets the name of the CA server; FABRIC_CA_SERVER_TLS_ENABLED turns on TLS authentication; FABRIC_CA_SERVER_PORT sets the port to 7054
- ports: exposes service port 7054 (the RESTful service port)
- volumes: mounts the local directory that holds the configuration files into the container, which makes it easy to back up the certificate files and the database
- command: initializes and starts the CA service with fabric-ca-server start -b admin:adminpw -d
2 Starting the CA server

The fabric-ca-server command is used to start a CA service; its two main subcommands are init and start.


- init initializes a fabric-ca-server instance, generating the key-related certificate files and the configuration file.
- start starts a fabric-ca-server instance; if it has not been initialized yet, initialization runs first. The -b admin_user:admin_pass parameter must be given to start it.

Once the Docker container is up, it runs the command that initializes and starts the CA server; the -b option supplies the enrollment ID and password of the administrator.


fabric-ca-server start -b admin:adminpw -d

After initialization completes successfully, the configuration file fabric-ca-server-config.yaml is generated in the configuration directory.




- ca-cert.pem: the self-signed root CA certificate, in PEM format
- fabric-ca-server-config.yaml: the default configuration file
- fabric-ca-server.db: the SQLite database file
- msp/keystore: holds the private keys (the _sk files) that correspond to the CA and TLS signing certificates
- IssuerSecretKey: the issuer's public key used by Idemix
- IssuerRevocationPrivateKey: the revoked public key used by Idemix
- tls-cert.pem: the self-signed root CA certificate for TLS

ca-cert.pem is the root CA certificate; it can be used to issue intermediate CAs or the identity certificates of every entity in the Fabric network (organizations, nodes, users). tls-cert.pem is used for TLS communication; every fabric-ca-client call to the CA server must specify this certificate.


3 Command-line interaction with fabric-ca-client

The following is the flow in which the fabric-ca-client client asks org1's CA server to generate the certificates for org1.


function createOrg1() {
  infoln "Enroll the CA admin"
  mkdir -p organizations/peerOrganizations/org1.example.com/
  export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/
  # rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml
  # rm -rf $FABRIC_CA_CLIENT_HOME/msp
  set -x
  fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' >${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml
  infoln "Register peer0"
  set -x
  fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  infoln "Register user"
  set -x
  fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  infoln "Register the org admin"
  set -x
  fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  mkdir -p organizations/peerOrganizations/org1.example.com/peers
  mkdir -p organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com
  infoln "Generate the peer0 msp"
  set -x
  fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml
  infoln "Generate the peer0-tls certificates"
  set -x
  fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
  mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt
  mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
  mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/ca
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
  mkdir -p organizations/peerOrganizations/org1.example.com/users
  mkdir -p organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com
  infoln "Generate the user msp"
  set -x
  fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/config.yaml
  mkdir -p organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com
  infoln "Generate the org admin msp"
  set -x
  fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
  { set +x; } 2>/dev/null
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml
}
3.1 Reading the configuration

fabric-ca-client also needs a configuration file; the FABRIC_CA_CLIENT_HOME environment variable specifies where the default configuration file fabric-ca-client-config.yaml lives.


3.2 Enrolling users

The enroll command enrolls an entity that has been registered with fabric-ca-server and asks the server to issue its ECert; here the default admin user is enrolled.


fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

The files generated by enrolling the user can be seen in the log output:


+ fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/fabric-ca/org1/tls-cert.pem
2020/12/19 10:20:33 [INFO] Created a default configuration file at /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/fabric-ca-client-config.yaml
2020/12/19 10:20:33 [INFO] TLS Enabled
2020/12/19 10:20:33 [INFO] generating key: &{A:ecdsa S:256}
2020/12/19 10:20:33 [INFO] encoded CSR
2020/12/19 10:20:33 [INFO] Stored client certificate at /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/msp/signcerts/cert.pem
2020/12/19 10:20:33 [INFO] Stored root CA certificate at /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem
2020/12/19 10:20:33 [INFO] Stored Issuer public key at /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/msp/IssuerPublicKey
2020/12/19 10:20:33 [INFO] Stored Issuer revocation public key at /home/wxudong/go/src/wxudong/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/msp/IssuerRevocationPublicKey



- fabric-ca-client-config.yaml: the default configuration file
- localhost-7054-ca-org1.pem: the root CA certificate of the organization's CA server described above
- cert.pem and the _sk file: the digital certificate issued by the root CA and its private key, which identify the administrator
- ca.crt: the root CA certificate generated by the CA server for TLS communication
3.3 Registering users

The register command registers new members; the client performing the registration must already be enrolled and hold sufficient privileges to register.


fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Registers the identity peer0, with id type peer.


fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Registers the identity user1, with id type client.


fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Registers the identity org1admin, with id type admin.


3.4 Generating the MSP directories

Use peer0's identity to create peer0's identity certificate and save it to the MSP directory.


fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Use peer0's identity to create peer0's TLS signing certificate and save it to the tls directory.


fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Use user1's identity to create user1's identity signing certificate and save it to the msp directory.


fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

Use org1admin's identity to create the admin's identity signing certificate and save it to the msp directory.


fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
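Before a peer or user is pointed at one of the MSP directories generated above, it is worth checking that the enrollment actually produced what NodeOUs expects. The following is an added Python example (not part of the original post or of fabric-samples): it parses the NodeOUs config.yaml that createOrg1() writes and verifies an MSP directory, checking that cacerts/, signcerts/ and keystore/ are populated, that NodeOUs is enabled, that each of the four OU identifiers maps to its expected role, and that each Certificate path resolves to a file inside the MSP. The sample MSP tree it builds is constructed with placeholder PEM bodies, and the parser handles only this config.yaml shape, not general YAML.

```python
import tempfile
from pathlib import Path

EXPECTED_OUS = {"ClientOUIdentifier": "client", "PeerOUIdentifier": "peer",      # the four role OUs
                "AdminOUIdentifier": "admin", "OrdererOUIdentifier": "orderer"}  # in config.yaml

def parse_nodeous(text):
    """Indentation parser for the NodeOUs config.yaml shape only, not general YAML."""
    stack = [(-1, {})]                            # (indent, mapping) of the open blocks
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:             # close blocks nested deeper than this line
            stack.pop()
        stack[-1][1][key] = value.strip() or {}
        if not value.strip():
            stack.append((indent, stack[-1][1][key]))
    return stack[0][1]

def check_msp(msp_dir):
    """Return the problems found in an enrolled MSP directory; an empty list means it passes."""
    msp = Path(msp_dir)
    problems = [f"{sub}/ missing or empty" for sub in ("cacerts", "signcerts", "keystore")
                if not ((msp / sub).is_dir() and any((msp / sub).iterdir()))]
    cfg = msp / "config.yaml"                     # without config.yaml, NodeOUs are not enforced
    nodeous = parse_nodeous(cfg.read_text() if cfg.is_file() else "").get("NodeOUs", {})
    if nodeous.get("Enable") != "true":
        problems.append("NodeOUs.Enable is not true")
    for ident, role in EXPECTED_OUS.items():
        entry = nodeous.get(ident) if isinstance(nodeous.get(ident), dict) else {}
        if entry.get("OrganizationalUnitIdentifier") != role:
            problems.append(f"{ident} must map to OU '{role}'")
        if not (msp / entry.get("Certificate", "")).is_file():
            problems.append(f"{ident}: Certificate file not found under the MSP")
    return problems

SAMPLE_CONFIG = "NodeOUs:\n  Enable: true\n" + "".join(
    f"  {i}:\n    Certificate: cacerts/localhost-7054-ca-org1.pem\n"
    f"    OrganizationalUnitIdentifier: {r}\n" for i, r in EXPECTED_OUS.items())

def build_sample_msp(config=SAMPLE_CONFIG):
    """Constructed stand-in for peer0's msp/ tree in a temp dir; PEM bodies are placeholders."""
    root = Path(tempfile.mkdtemp())
    files = {"cacerts/localhost-7054-ca-org1.pem": "PLACEHOLDER CA CERT",
             "signcerts/cert.pem": "PLACEHOLDER CERT",
             "keystore/priv_sk": "PLACEHOLDER KEY", "config.yaml": config}
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Run check_msp() against a real directory such as organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp once createOrg1() has finished.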



Copyright notice: this is an original article by the blogger, released under the CC 4.0 BY-SA license; when reposting, please include a link to the original and this notice.
本文链接:https://blog.csdn.net/wxudong1991/article/details/111246100
