Hyperledger Fabric CA: Hands-On Notes

Building from source
Reference 1: http://www.itdecent.cn/p/de04cbc4d3dc
Reference 2: http://www.itdecent.cn/p/2ab1ba296339
Reference 3: Creating node certificates with fabric-ca

1 Fabric Server Operations

1.1 Initializing the server

  • Generate the configuration file and the certificate files
eliza@eliza-Macmini:~$ fabric-ca-server init -b admin:adminpw --home ca-home/root
2019/07/16 16:12:06 [INFO] Created default configuration file at /home/eliza/ca-home/root/fabric-ca-server-config.yaml
2019/07/16 16:12:06 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 16:12:06 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 16:12:06 [WARNING] &{69 The specified CA certificate file /home/eliza/ca-home/root/ca-cert.pem does not exist}
2019/07/16 16:12:06 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 16:12:06 [INFO] encoded CSR
2019/07/16 16:12:06 [INFO] signed certificate with serial number 143384722862879930990370662709102875271142366602
2019/07/16 16:12:06 [INFO] The CA key and certificate were generated for CA 
2019/07/16 16:12:06 [INFO] The key was stored by BCCSP provider 'SW'
2019/07/16 16:12:06 [INFO] The certificate is at: /home/eliza/ca-home/root/ca-cert.pem
2019/07/16 16:12:07 [INFO] Initialized sqlite3 database at /home/eliza/ca-home/root/fabric-ca-server.db
2019/07/16 16:12:07 [INFO] The issuer key was successfully stored. The public key is at: /home/eliza/ca-home/root/IssuerPublicKey, secret key is at: /home/eliza/ca-home/root/msp/keystore/IssuerSecretKey
2019/07/16 16:12:07 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/07/16 16:12:07 [INFO] The revocation key was successfully stored. The public key is at: /home/eliza/ca-home/root/IssuerRevocationPublicKey, private key is at: /home/eliza/ca-home/root/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 16:12:07 [INFO] Home directory for default CA: /home/eliza/ca-home/root
2019/07/16 16:12:07 [INFO] Initialization was successful

eliza@eliza-Macmini:~/ca-home$ cd ca-home
eliza@eliza-Macmini:~/ca-home$ tree
.
└── root
    ├── ca-cert.pem
    ├── fabric-ca-server-config.yaml
    ├── fabric-ca-server.db
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    └── msp
        └── keystore
            ├── 113a600ca0c685f529b05194c7ae852ed3f506a5b487706bccbbeeb1259ca66d_sk
            ├── IssuerRevocationPrivateKey
            └── IssuerSecretKey

3 directories, 8 files

  • Based on the -b argument, the user table of the fabric-ca-server.db database now holds a corresponding admin record

1.2 Starting the server

Before starting, edit the configuration file fabric-ca-server-config.yaml; for example, change the listening port to 7064.

eliza@eliza-Macmini:~$ cd ca-home/root
eliza@eliza-Macmini:~/ca-home/root$ fabric-ca-server start -b admin:adminpw
2019/07/16 16:27:07 [INFO] Configuration file location: /home/eliza/ca-home/root/fabric-ca-server-config.yaml
2019/07/16 16:27:07 [INFO] Starting server in home directory: /home/eliza/ca-home/root
2019/07/16 16:27:07 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 16:27:07 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 16:27:07 [INFO] The CA key and certificate already exist
2019/07/16 16:27:07 [INFO] The key is stored by BCCSP provider 'SW'
2019/07/16 16:27:07 [INFO] The certificate is at: /home/eliza/ca-home/root/ca-cert.pem
2019/07/16 16:27:07 [INFO] Initialized sqlite3 database at /home/eliza/ca-home/root/fabric-ca-server.db
2019/07/16 16:27:07 [INFO] The Idemix issuer public and secret key files already exist
2019/07/16 16:27:07 [INFO]    secret key file location: /home/eliza/ca-home/root/msp/keystore/IssuerSecretKey
2019/07/16 16:27:07 [INFO]    public key file location: /home/eliza/ca-home/root/IssuerPublicKey
2019/07/16 16:27:07 [INFO] The Idemix issuer revocation public and secret key files already exist
2019/07/16 16:27:07 [INFO]    private key file location: /home/eliza/ca-home/root/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 16:27:07 [INFO]    public key file location: /home/eliza/ca-home/root/IssuerRevocationPublicKey
2019/07/16 16:27:07 [INFO] Home directory for default CA: /home/eliza/ca-home/root
2019/07/16 16:27:07 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/07/16 16:27:07 [INFO] Listening on http://0.0.0.0:7064

1.3 Creating an intermediate server

Method 1: create it directly from the command line

fabric-ca-server start -b ca1:123456 -p 7064 -u http://wyj:123456@localhost:7054

Method 2: create it via the configuration file

fabric-ca-server-config.yaml

intermediate:
  parentserver:
    url: http://wyj:123456@localhost:7054
    caname: root   ## must match the ca name set in the root CA's configuration file

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

Run the following in the directory that contains the configuration file

ElizadeMacBook-Air:ca2 eliza$ fabric-ca-server init -c fabric-ca-server-config.yaml
2019/07/16 19:12:36 [INFO] Configuration file location: /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server-config.yaml
2019/07/16 19:12:36 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 19:12:36 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 19:12:36 [WARNING] &{69 The specified CA certificate file /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem does not exist}
2019/07/16 19:12:36 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 19:12:37 [INFO] encoded CSR
2019/07/16 19:12:37 [INFO] The CA key and certificate were generated for CA ca2
2019/07/16 19:12:37 [INFO] The key was stored by BCCSP provider 'SW'
2019/07/16 19:12:37 [INFO] The certificate is at: /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem
2019/07/16 19:12:37 [INFO] Initialized sqlite3 database at /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server.db
2019/07/16 19:12:37 [INFO] The issuer key was successfully stored. The public key is at: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerPublicKey, secret key is at: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerSecretKey
2019/07/16 19:12:37 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'ca2'
2019/07/16 19:12:37 [INFO] The revocation key was successfully stored. The public key is at: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerRevocationPublicKey, private key is at: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 19:12:37 [INFO] Home directory for default CA: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:12:37 [INFO] Initialization was successful

ElizadeMacBook-Air:ca2 eliza$ fabric-ca-server start -b ca2:123456
2019/07/16 19:14:01 [INFO] Configuration file location: /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server-config.yaml
2019/07/16 19:14:01 [INFO] Starting server in home directory: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:14:01 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 19:14:01 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 19:14:01 [INFO] The CA key and certificate already exist
2019/07/16 19:14:01 [INFO] The key is stored by BCCSP provider 'SW'
2019/07/16 19:14:01 [INFO] The certificate is at: /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem
2019/07/16 19:14:01 [INFO] Initialized sqlite3 database at /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server.db
2019/07/16 19:14:01 [INFO] The Idemix issuer public and secret key files already exist
2019/07/16 19:14:01 [INFO]    secret key file location: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerSecretKey
2019/07/16 19:14:01 [INFO]    public key file location: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerPublicKey
2019/07/16 19:14:01 [INFO] The Idemix issuer revocation public and secret key files already exist
2019/07/16 19:14:01 [INFO]    private key file location: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 19:14:01 [INFO]    public key file location: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerRevocationPublicKey
2019/07/16 19:14:01 [INFO] Home directory for default CA: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:14:01 [INFO] Operation Server Listening on 127.0.0.1:9463
2019/07/16 19:14:01 [INFO] Listening on http://0.0.0.0:7074

1.4 Verifying the relationship between the intermediate CA and the root CA

Look at the directory layout

.
├── client-home
├── intermedia
│   ├── ca1
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── ca-cert.pem
│   │   ├── ca-chain.pem
│   │   ├── fabric-ca-server-config.yaml
│   │   ├── fabric-ca-server.db
│   │   └── msp
│   │       ├── cacerts
│   │       ├── keystore
│   │       │   ├── IssuerRevocationPrivateKey
│   │       │   ├── IssuerSecretKey
│   │       │   └── f1a8ed738252f252be5b1010d38b851101a4bf47aea3012a3bec1ce134e4f62f_sk
│   │       ├── signcerts
│   │       └── user
│   └── ca2
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── ca-cert.pem
│       ├── ca-chain.pem
│       ├── fabric-ca-server-config.yaml
│       ├── fabric-ca-server.db
│       └── msp
│           ├── cacerts
│           ├── keystore
│           │   ├── 12744eb79fd2f067add1619e7186bb9dec14da39214b605111e7b9d03412141e_sk
│           │   ├── 8edc78a0385603fed1abb76716caf9b2fd2eeb3232402e9edcdb28ffd80e2c9f_sk
│           │   ├── IssuerRevocationPrivateKey
│           │   └── IssuerSecretKey
│           ├── signcerts
│           └── user
└── root
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── ca-cert.pem
    ├── fabric-ca-server-config.yaml
    ├── fabric-ca-server.db
    └── msp
        └── keystore
            ├── 50664a3a04c5a7f354e88bbfdbda52051dc948f49ea5ffa79cf58423efedc52c_sk
            ├── IssuerRevocationPrivateKey
            └── IssuerSecretKey

17 directories, 27 files

The intermediate CA has one certificate file that the root CA does not: ca-chain.pem. Opening intermediateca/ca-chain.pem shows that it contains exactly two certificates, the intermediate CA's and the root CA's, which together form the certificate chain:

<content of intermediateca/ca-cert.pem>
<content of rootca/ca-cert.pem>

Now look at how they verify against each other

ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile root/ca-cert.pem intermedia/ca2/ca-cert.pem
intermedia/ca2/ca-cert.pem: OK
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile root/ca-cert.pem intermedia/ca2/ca-chain.pem
intermedia/ca2/ca-chain.pem: OK
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile intermedia/ca2/ca-cert.pem intermedia/ca2/ca-chain.pem
intermedia/ca2/ca-chain.pem: C = US, ST = North Carolina, O = Hyperledger, OU = client, CN = wyj
error 20 at 0 depth lookup:unable to get local issuer certificate
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile intermedia/ca2/ca-chain.pem intermedia/ca2/ca-cert.pem
intermedia/ca2/ca-cert.pem: OK

This shows that the root node's CA certificate verifies the intermediate node's CA certificate; in other words, the intermediate node's CA certificate was issued by the root node, and the two form a certificate chain. The third command fails because openssl verify checks only the first certificate in the file it is given, here the intermediate's own certificate, and that certificate's issuer (the root) is not among the trusted certificates passed with -CAfile.
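As an added illustration (this is not code from the original post or from fabric-ca itself), the Go program below rebuilds the same hierarchy in memory with nothing but the standard library: a self-signed root, an intermediate ca2 signed by it, and a user tester2 enrolled at ca2, which is what the register/enroll steps in section 2.1 produce. It then puts the same questions to crypto/x509 that the openssl commands above put to OpenSSL: the intermediate verifies under the root; the user verifies only when the intermediate is supplied alongside the root (which is why fabric-ca-client keeps cacerts/ and intermediatecerts/ apart and why the intermediate ships a ca-chain.pem); and nothing verifies under an unrelated root. All names, subjects and validity periods are constructed for the example; the entity, issue, pool, verifyChain and buildHierarchy helpers are assumptions of this example, not fabric-ca APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate together with the private key that signs for it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates an ECDSA P-256 certificate, the key type fabric-ca-server
// logs as "&{A:ecdsa S:256}". A nil parent yields a self-signed root CA;
// otherwise the certificate is signed by parent, which is what happens when
// ca2 enrolls at the root and when tester2 enrolls at ca2. (Constructed helper.)
func issue(cn string, isCA bool, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"Hyperledger"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert: cert, key: key}
}

// pool is the in-memory counterpart of openssl's -CAfile argument and of the
// cacerts/ and intermediatecerts/ directories that fabric-ca-client enroll writes.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyChain asks what section 1.4 asks with openssl verify: does cert chain
// up to a certificate in roots, possibly through intermediates? nil means "OK";
// an x509.UnknownAuthorityError is the counterpart of openssl's "error 20".
func verifyChain(cert *x509.Certificate, roots, intermediates *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // identity certs, no TLS EKU required
	})
	return err
}

// buildHierarchy reproduces the post's layout: a self-signed root, the
// intermediate ca2 signed by it, and the user tester2 enrolled at ca2.
func buildHierarchy() (root, ca2, tester2 *entity) {
	root = issue("root", true, nil)
	ca2 = issue("ca2", true, root)
	tester2 = issue("tester2", false, ca2)
	return root, ca2, tester2
}

func main() {
	root, ca2, tester2 := buildHierarchy()
	other := issue("unrelated-root", true, nil) // a root that never signed anything here
	fmt.Println("ca2 under root:             ", verifyChain(ca2.cert, pool(root.cert), pool()))
	fmt.Println("ca2 under an unrelated root:", verifyChain(ca2.cert, pool(other.cert), pool()))
	fmt.Println("tester2 under root + ca2:   ", verifyChain(tester2.cert, pool(root.cert), pool(ca2.cert)))
	fmt.Println("tester2 under root alone:   ", verifyChain(tester2.cert, pool(root.cert), pool()))
}
```

Run it with go run; each line prints <nil> for a successful verification and an x509 error otherwise. The fourth line is the case that matters operationally: a peer or client that holds only the root certificate cannot validate a certificate enrolled at the intermediate, so the intermediate's certificate must travel with the user certificate (ca-chain.pem on the server side, intermediatecerts/ on the client side).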

2 Fabric Client Operations

2.1 Registering and enrolling users with the intermediate CA

Using CA2 as the example

enroll admin

A user must first be registered in the CA database before it can enroll (that is, obtain a certificate). Because the administrator ca2 was already registered via -b when CA2 was initialized, we can enroll ca2 directly.

ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client enroll  --url http://ca2:123456@localhost:7074 --home msp/user/admin
2019/07/16 19:29:29 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 19:29:29 [INFO] encoded CSR
2019/07/16 19:29:29 [INFO] Stored client certificate at /Users/eliza/.fabric-ca-client/msp/signcerts/cert.pem
2019/07/16 19:29:29 [INFO] Stored root CA certificate at /Users/eliza/.fabric-ca-client/msp/cacerts/localhost-7074.pem
2019/07/16 19:29:29 [INFO] Stored intermediate CA certificates at /Users/eliza/.fabric-ca-client/msp/intermediatecerts/localhost-7074.pem
2019/07/16 19:29:29 [INFO] Stored Issuer public key at /Users/eliza/.fabric-ca-client/msp/IssuerPublicKey
2019/07/16 19:29:29 [INFO] Stored Issuer revocation public key at /Users/eliza/.fabric-ca-client/msp/IssuerRevocationPublicKey

At this point the certificate table in CA2's database gains one more record.


At the same time, a fabric client configuration file and a complete set of certificates are generated.

ElizadeMacBook-Air:ca2 eliza$ tree
.
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── ca-cert.pem
├── ca-chain.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
    ├── cacerts
    ├── keystore
    │   ├── 12744eb79fd2f067add1619e7186bb9dec14da39214b605111e7b9d03412141e_sk
    │   ├── 8edc78a0385603fed1abb76716caf9b2fd2eeb3232402e9edcdb28ffd80e2c9f_sk
    │   ├── IssuerRevocationPrivateKey
    │   └── IssuerSecretKey
    ├── signcerts
    └── user
        └── admin
            ├── fabric-ca-client-config.yaml
            └── msp
                ├── IssuerPublicKey
                ├── IssuerRevocationPublicKey
                ├── cacerts
                │   └── localhost-7074.pem
                ├── intermediatecerts
                │   └── localhost-7074.pem
                ├── keystore
                │   └── 479a58b794006ac89fa3239989035d44536f02a9fb84c412e899af0bfce3c345_sk
                ├── signcerts
                │   └── cert.pem   // stored in the database's certificate table, column pem
                └── user 

register & enroll new user

ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client register --home msp/user/admin --id.name tester2 --id.secret testpasswd --id.type user
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client enroll --home msp/user/tester2 --url http://tester2:testpasswd@localhost:7074

Here, the --home given to register must be the admin's home directory.

3 TLS

3.1 server

Edit the server configuration file and set enabled to true in the tls section.

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

執(zhí)行

fabric-ca-server start -c fabric-ca-server-config.yaml -b wyj:123456

You will see an additional TLS certificate appear on the system, and the certificate table in the database gains a record for the current machine's certificate.


(Screenshot: directory tree with the added TLS certificate)
(Screenshot: the certificate table)

However, after I enabled TLS mode, enrolling a user from the client always fails with an error, and I have not yet found the cause.

In the usual Fabric network setup, certificates are generated by two servers: one fabric-ca-server for TLS certificates and a separate one for ECerts.

3.2 client

fabric-ca-client enroll --home msp/user/admin --url http://wyj:123456@localhost:8054
fabric-ca-client register --home msp/user/admin --id.name user1 --id.secret 123456 --id.type user
fabric-ca-client enroll --home msp/user/user1 --url http://user1:123456@localhost:8054