fabric基础-Fabric-CA应用案例

2021-06-26

区块链 / Hyperledger Fabric

Word count: 2.3k | Reading time≈ 12 min

通过一套案例，演示Fabric CA在fabric网络中的应用

拓扑结构

本次案例拓扑结构：

总共3各组织，一个Orderer组织，两个Peer组织
1个根CA和3个隶属于根CA的中间CA
3个中间CA分别负责一个组织的证书生成等。
具体拓扑图如下所示

端口号分配

其中，tls表示为安全通信提供CA证书服务，可选，生产环境一般必须使用；operations.listenAddress为运维监听接口，用于监听维护ca节点：

1. RootCA：            prot：7054    operations.listenAddress：127.0.0.1:9443
2. IntermediaCA1：     prot：7055    operations.listenAddress：127.0.0.1:9444
3. IntermediaCAtls1：  prot：8055    operations.listenAddress：127.0.0.1:9445
4. IntermediaCA2：     prot：7056    operations.listenAddress：127.0.0.1:9446
5. IntermediaCAtls2：  prot：8056    operations.listenAddress：127.0.0.1:9447
6. IntermediaCA3：     prot：7057    operations.listenAddress：127.0.0.1:9448
7. IntermediaCAtls3：  prot：8057    operations.listenAddress：127.0.0.1:9449

CA服务初始化并启动

# RootCA初始化并启动（默认端口7054，运维监听127.0.0.1:9443）
./fabric-ca-server init -b admin:adminpw --home ./rootca
./fabric-ca-server start -b admin:adminpw --home ./rootca --cfg.affiliations.allowremove --cfg.identities.allowremove

# ca1
## IntermediaCA1初始化并启动（配置文件改端口为7055，运维监听127.0.0.1:9444）,中间CA通过-u关联根CA
./fabric-ca-server init -b admin1:adminpw1 --home ./intermediaca1 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin1:adminpw1 --home ./intermediaca1 --cfg.affiliations.allowremove --cfg.identities.allowremove

## IntermediaCAtls1初始化并启动（配置文件改端口为8055，运维监听127.0.0.1:9445）
./fabric-ca-server init -b admin1:adminpw1 --home ./intermediacatls1 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin1:adminpw1 --home ./intermediacatls1 --cfg.affiliations.allowremove --cfg.identities.allowremove

# ca2
## IntermediaCA2初始化并启动（配置文件改端口为7056，运维监听127.0.0.1:9446）
./fabric-ca-server init -b admin2:adminpw2 --home ./intermediaca2 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin2:adminpw2 --home ./intermediaca2 --cfg.affiliations.allowremove --cfg.identities.allowremove

## IntermediaCAtls2初始化并启动（配置文件改端口为8056，运维监听127.0.0.1:9447）
./fabric-ca-server init -b admin2:adminpw2 --home ./intermediacatls2 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin2:adminpw2 --home ./intermediacatls2 --cfg.affiliations.allowremove --cfg.identities.allowremove

# ca3
## IntermediaCA3初始化并启动（配置文件改端口为7057，运维监听127.0.0.1:9448）
./fabric-ca-server init -b admin3:adminpw3 --home ./intermediaca3 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin3:adminpw3 --home ./intermediaca3 --cfg.affiliations.allowremove --cfg.identities.allowremove

## IntermediaCAtls3初始化并启动（配置文件改端口为8057，运维监听127.0.0.1:9449）
./fabric-ca-server init -b admin3:adminpw3 --home ./intermediacatls3 -u http://admin:adminpw@localhost:7054
./fabric-ca-server start -b admin3:adminpw3 --home ./intermediacatls3 --cfg.affiliations.allowremove --cfg.identities.allowremove

CA客户端生成证书

每个组织证书生成类似，这里以orderer组织的IntermediaCA1和IntermediaCAtls1生成的证书为例。

1. IntermediaCA1生成证书

生成jason.com的MSP

# 登记账户
./fabric-ca-client enroll -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp 
# 查看组织
./fabric-ca-client  affiliation list -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp
# 删除旧默认组织(org1 org2)
./fabric-ca-client  affiliation remove --force org1 -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp
./fabric-ca-client  affiliation remove --force org2 -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp
# 添加组织(com com.jason)
fabric-ca-client affiliation add com -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp
fabric-ca-client affiliation add com.jason -u http://admin1:adminpw1@localhost:7055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp

生成[email protected]的MSP

# 注册[email protected]
./fabric-ca-client register -u http://admin1:adminpw1@localhost:7055 --id.name [email protected] --id.type client --id.affiliation "com.jason" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=jason.com --csr.hosts='jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp 
# 登记[email protected]
./fabric-ca-client enroll -u http://[email protected]:123456@localhost:7055 --csr.cn=jason.com --csr.hosts='jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp 
# 为[email protected]生成msp，就是专门为admin建立一份证书存放位置
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/admincerts
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/admincerts/
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/msp/admincerts
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/msp/admincerts/

生成orderer0.jason.com的MSP

# 注册orderer0.jason.com
./fabric-ca-client register -u http://admin1:adminpw1@localhost:7055 --id.name orderer0.jason.com --id.type orderer --id.affiliation "com.jason" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer0.jason.com --csr.hosts='orderer0.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp 
# 登记orderer0.jason.com
./fabric-ca-client enroll -d -u http://orderer0.jason.com:123456@localhost:7055 --csr.cn=orderer0.jason.com --csr.hosts='orderer0.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/orderers/orderer0.jason.com/msp 
# 生成MSP
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer0.jason.com/msp/admincerts
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer0.jason.com/msp/admincerts/

生成orderer1.jason.com的MSP
同上第3步，orderer0，只是将0变为1

# 注册orderer1.jason.com
./fabric-ca-client register -u http://admin1:adminpw1@localhost:7055 --id.name orderer1.jason.com --id.type orderer --id.affiliation "com.jason" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer1.jason.com --csr.hosts='orderer1.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp 
# 登记orderer1.jason.com
./fabric-ca-client enroll -d -u http://orderer1.jason.com:123456@localhost:7055 --csr.cn=orderer1.jason.com --csr.hosts='orderer1.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/orderers/orderer1.jason.com/msp 
# 生成MSP
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer1.jason.com/msp/admincerts
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer1.jason.com/msp/admincerts/

生成orderer2.jason.com的MSP
同上第3步，orderer0，只是将0变为2

# 注册orderer2.jason.com
./fabric-ca-client register -u http://admin1:adminpw1@localhost:7055 --id.name orderer2.jason.com --id.type orderer --id.affiliation "com.jason" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer2.jason.com --csr.hosts='orderer2.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/msp 
# 登记orderer2.jason.com
./fabric-ca-client enroll -d -u http://orderer2.jason.com:123456@localhost:7055 --csr.cn=orderer2.jason.com --csr.hosts='orderer2.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/orderers/orderer2.jason.com/msp 
# 生成MSP
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer2.jason.com/msp/admincerts
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/msp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/orderers/orderer2.jason.com/msp/admincerts/

2. IntermediaCAtls1生成证书

生成jason.com的MSP

# 登记账户
./fabric-ca-client enroll -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp 
# 查看组织
./fabric-ca-client  affiliation list -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp
# 删除旧默认组织(org1 org2)
./fabric-ca-client  affiliation remove --force org1 -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp
./fabric-ca-client  affiliation remove --force org2 -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp
# 添加组织(com com.jason)
./fabric-ca-client affiliation add com -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp
./fabric-ca-client affiliation add com.jason -u http://admin1:adminpw1@localhost:8055 --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp

生成[email protected]的TLS

# 注册[email protected]
./fabric-ca-client register -u http://admin1:adminpw1@localhost:8055 --id.name [email protected] --id.type client --id.affiliation "com.jason" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=jason.com --csr.hosts='jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp
 
# 登记[email protected]
./fabric-ca-client enroll -d --enrollment.profile tls -u http://[email protected]:123456@localhost:8055 --csr.cn=jason.com --csr.hosts='jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp 

# 为[email protected]生成tls，就是专门为admin建立一份证书存放位置。需要注意，tls证书需要从根ca中拷贝出ca-chain.pem到中间ca的指定位置
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tls
cp ../intermediacatls1/ca-chain.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tls/ca.crt
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp/signcerts/cert.pem ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tls/client.crt
cp ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp/keystore/2c67df27fc1e0cb607d7195fe0938ae31aae4e9cfb2828c78f051495b5305d81_sk ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tls/client.key
cp -r ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp/tlscacerts ./intermedia1/crypto_config/ordererOrganizations/jason.com/msp
cp -r ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp/tlsintermediatecerts ./intermedia1/crypto_config/ordererOrganizations/jason.com/msp
rm -rf ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp

生成orderer0.jason.com的TLS

# 注册orderer0.jason.com
./fabric-ca-client register -u http://admin1:adminpw1@localhost:8055 --id.name orderer0.jason.com --id.type orderer --id.affiliation "com.jason" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer0.jason.com --csr.hosts='orderer0.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/tlstmp 

# 登记orderer0.jason.com
./fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer0.jason.com:123456@localhost:8055 --csr.cn=orderer0.jason.com --csr.hosts='orderer0.jason.com' --home ./intermedia1  -M ./crypto_config/ordererOrganizations/jason.com/users/[email protected]/tlstmp

# 生成MSP
mkdir ./intermedia1/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tls
cp ./intermediacatls1/ca-chain.pem ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tls/ca.crt
cp ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tlstmp/signcerts/cert.pem ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tls/client.crt
cp ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tlstmp/keystore/xxxxxxxx_sk ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tls/client.key
cp -r ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tlstmp/tlscacerts ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/msp
cp -r ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tlstmp/tlsintermediatecerts ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/msp
rm -rf ./fabric_ca_client/crypto_config/ordererOrganizations/jason.com/users/orderer0.jason.com/tlstmp

生成orderer1.jason.com的TLS
同上第3步，orderer0，只是将0变为1
生成orderer2.jason.com的TLS
同上第3步，orderer0，只是将0变为2

总结

本文根据网路拓扑展示了一个拥有中间CA的认证中心的部署方式，这里虽然只列了Orderer组织的CA部署方式，但其余组织的操作也基本都一样。

Donate

Copyright： Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.