Motivation

1. Starting a Fabric network depends on certificates; in Fabric, a certificate is the account.

2. The cryptogen module is very simple and easy to use, but to connect to a real-world system you have to integrate with the existing certificate infrastructure.

3. Generate a self-signed certificate with openssl; start fabric-ca with that certificate; request peer node certificates from fabric-ca with fabric-ca-client.

openssl

(1) Overview

openssl is currently the most widely used SSL cryptography toolkit. It provides a general, robust and full-featured suite of tools supporting the implementation of the SSL/TLS protocols.
Official site: https://www.openssl.org/source/

1. Components

  1. Cryptographic algorithm library
  2. Key and certificate packaging and management
  3. SSL communication API

2. Uses

  1. Generate RSA, DH and DSA key parameters
  2. Create X.509 certificates, certificate signing requests (CSRs) and CRLs (certificate revocation lists)
  3. Compute message digests
  4. Encrypt/decrypt with various ciphers
  5. Test SSL/TLS clients and servers
  6. Handle S/MIME or encrypted mail

(2) Installation

There are two ways to install openssl:

  1. Download the original openssl from the official site and go through a fairly involved build-and-install process.
  2. Download a build provided by an open-source platform and install it with a one-click installer.

Since openssl is only a tool here, I see no reason to make extra work for myself, so I take the second route.

  1. Download the openssl installer from http://slproweb.com/products/Win32OpenSSL.html , choosing the Windows version. After unpacking, the installer is named Win64OpenSSL_Light-1_1_1g.exe.
  2. Accept the license and click Next until installation completes.
  3. Add an environment variable named OPENSSL_HOME whose value is C:\Program Files\OpenSSL-Win64\bin (the openssl install path), and add %OPENSSL_HOME% to the system Path variable. (The point of this is that when we type openssl at the command line, the system can find the program that executes the command by searching Path.)
  4. Run openssl version in cmd; if it prints the openssl version, the installation succeeded.

(3) Generating a self-signed certificate

I am not sure whether fabric-ca supports other certificate types, so the certificate is generated in the same format fabric-ca itself uses:

  1. ECDSA P-256: elliptic-curve cryptography, 256-bit.
  2. -----BEGIN PRIVATE KEY-----, i.e. PKCS#8 format.

1. Generate a 256-bit elliptic-curve private key (SHA2, 256-bit)

Command: openssl ecparam -genkey -name secp256r1 | openssl ec -out ca.key.pem

Result:

C:\Users\cups>openssl ecparam -genkey -name secp256r1 |openssl ec -out ca.key.pem
using curve name prime256v1 instead of secp256r1
read EC key
writing EC key

C:\Users\cups>

2. Convert the private key to PKCS#8 format

Command: openssl pkcs8 -topk8 -inform PEM -in ca.key.pem -outform PEM -nocrypt

Result:

C:\Users\cups>openssl pkcs8 -topk8 -inform PEM -in ca.key.pem -outform PEM -nocrypt -out ca.key.pem
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgttnLpyF/m2dNGMpk
w1sNOB1uxgH51wNNW/XH5m5zl5WhRANCAATYaqb/YzWIAnq3rrNYenc53OZKnaNz
LXieY6e3pGG4HTf4Zz9RE+ulifQ2Tg3+hB3Gcpu66LNefT75adpUFlDe
-----END PRIVATE KEY-----

C:\Users\cups>

Write the generated PKCS#8 private key into C:\Users\cups\ca.key.pem. (There is presumably a way to write it directly; doing it by hand adds no real work.)

3. Generate the self-signed certificate

Command: openssl req -config openssl.cnf -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem

Result:

C:\Users\cups>openssl req -config openssl.cnf -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [China]:
Locality Name []:
Organization Name [Hyperledger]:
Organizational Unit Name [Fabric]:
Common Name [fabric-ca-server]:
Email Address []:

C:\Users\cups>

Contents of openssl.cnf (located at C:\Users\cups\openssl.cnf; it configures the format of the self-signed certificate for the command above):

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

req_extensions = v3_req

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = China
localityName_default =
0.organizationName_default = Hyperledger
organizationalUnitName_default = Fabric
commonName_default = fabric-ca-server
emailAddress_default =

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = zhihu.com
DNS.2 = *.zhihu.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:1
subjectKeyIdentifier = hash
# authorityKeyIdentifier = keyid:always,issuer


[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

4. Private key comparison

CA private key generated by the cryptogen module:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTsWr0/P+JZIy8+oW
YqOFL5iG4Qt3CTDIU+GqmvLdDGqhRANCAATLe54N5LqkuB+2exEAHa4OE2jAbA9z
scCEnaxdK+19Y3wnmMELmVV/h+aBt5PJePAG8GpzNhP+XB3xwsdxKktx
-----END PRIVATE KEY-----

CA private key obtained through fabric-node-sdk:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg59mH9KjWbkq9PxDv
ytdkLls2tLp35Pmj2w/bCzrNdcOhRANCAAQCbDNERQbkUwhOt6nZyKgMZaCSQs6R
rWFl/DmUP3tESz3MFWJt4ORGj3zuom1cjtNsKk0jJFoWZhKuWLIq1fD0
-----END PRIVATE KEY-----

Private key generated with openssl:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgttnLpyF/m2dNGMpk
w1sNOB1uxgH51wNNW/XH5m5zl5WhRANCAATYaqb/YzWIAnq3rrNYenc53OZKnaNz
LXieY6e3pGG4HTf4Zz9RE+ulifQ2Tg3+hB3Gcpu66LNefT75adpUFlDe
-----END PRIVATE KEY-----

The comparison shows the private key format is correct: all three keys carry the PKCS#8 label -----BEGIN PRIVATE KEY----- and share the same leading base64, MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg, which is the DER encoding of the PKCS#8 header (version 0, algorithm ecPublicKey, named curve prime256v1) followed by the start of the 32-byte private scalar; only the key material after it differs.
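As an added example (my own code, not part of the original post), the script below does with a parser what step 2 and this comparison do by hand: sec1_to_pkcs8 wraps a SEC1 "EC PRIVATE KEY" (what openssl ecparam -genkey writes) into PKCS#8 exactly as openssl pkcs8 -topk8 -nocrypt does, and inspect_pkcs8_ec_key / is_fabric_ca_compatible read the algorithm OID, curve OID and scalar size out of a PKCS#8 PEM instead of eyeballing the base64. It uses only the Python standard library; the sample input is the openssl-generated key shown above, and every function name is my own.

```python
import base64, re

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"   # secp256r1 / prime256v1 / P-256

# Sample input: the PKCS#8 key that `openssl pkcs8 -topk8 -nocrypt` printed in the post.
SAMPLE_PKCS8_PEM = """-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgttnLpyF/m2dNGMpk
w1sNOB1uxgH51wNNW/XH5m5zl5WhRANCAATYaqb/YzWIAnq3rrNYenc53OZKnaNz
LXieY6e3pGG4HTf4Zz9RE+ulifQ2Tg3+hB3Gcpu66LNefT75adpUFlDe
-----END PRIVATE KEY-----"""

def pem_to_der(pem):
    """Return (label, DER bytes) of the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, e.g. 81 87 for the 135-byte body above
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag, value):
    n = len(value)  # minimal DER length encoding, enough for values below 64 KiB
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value

def _decode_oid(raw):
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [str(value)], 0
    return ".".join(parts)

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def inspect_pkcs8_ec_key(der):
    """The fields fabric-ca's startup check cares about: algorithm, curve, key size."""
    _, body, _ = _read_tlv(der)                   # PrivateKeyInfo SEQUENCE
    _, _, pos = _read_tlv(body)                   # INTEGER version (0)
    _, alg, pos = _read_tlv(body, pos)            # AlgorithmIdentifier
    _, keyoct, _ = _read_tlv(body, pos)           # OCTET STRING privateKey
    _, alg_oid, p = _read_tlv(alg)
    info = {"algorithm": _decode_oid(alg_oid), "curve": None, "key_bits": 0, "ecprivatekey": b""}
    if info["algorithm"] != OID_EC_PUBLIC_KEY:    # RSA etc.: parameters are NULL, stop here
        return info
    _, ecpk, _ = _read_tlv(keyoct)                # ECPrivateKey (RFC 5915) SEQUENCE body
    _, _, q = _read_tlv(ecpk)                     # its version (1)
    _, scalar, _ = _read_tlv(ecpk, q)             # privateKey OCTET STRING (32 bytes for P-256)
    info.update(curve=_decode_oid(_read_tlv(alg, p)[1]), key_bits=len(scalar) * 8,
                ecprivatekey=ecpk)
    return info

def is_fabric_ca_compatible(pem):
    """True only for a PKCS#8 'PRIVATE KEY' holding an ECDSA key on P-256."""
    label, der = pem_to_der(pem)
    if label != "PRIVATE KEY":  # SEC1 'EC PRIVATE KEY' (the step 1 output) is not converted yet
        return False
    info = inspect_pkcs8_ec_key(der)
    return info["curve"] == OID_PRIME256V1 and info["key_bits"] == 256

def sec1_to_pkcs8(sec1_der):
    """Wrap a SEC1 ECPrivateKey in PKCS#8 the way `openssl pkcs8 -topk8 -nocrypt` does."""
    _, ecpk, _ = _read_tlv(sec1_der)
    pos, fields, curve = 0, [], None
    while pos < len(ecpk):
        tag, val, pos = _read_tlv(ecpk, pos)
        if tag == 0xA0:                           # [0] parameters: namedCurve OID
            curve = _decode_oid(_read_tlv(val)[1])
        else:                                     # version, privateKey, [1] publicKey
            fields.append(_tlv(tag, val))
    if curve is None:
        raise ValueError("SEC1 key carries no curve parameters")
    alg_id = _tlv(0x30, _encode_oid(OID_EC_PUBLIC_KEY) + _encode_oid(curve))
    inner = _tlv(0x30, b"".join(fields))          # curve moved out to AlgorithmIdentifier
    return _tlv(0x30, _tlv(0x02, b"\x00") + alg_id + _tlv(0x04, inner))

def pkcs8_to_sec1(pkcs8_der):
    """Inverse of sec1_to_pkcs8: unwrap and put the [0] curve parameters back."""
    info = inspect_pkcs8_ec_key(pkcs8_der)
    pos, fields = 0, []
    while pos < len(info["ecprivatekey"]):
        tag, val, pos = _read_tlv(info["ecprivatekey"], pos)
        fields.append(_tlv(tag, val))
        if tag == 0x04:                           # parameters directly follow privateKey
            fields.append(_tlv(0xA0, _encode_oid(info["curve"])))
    return _tlv(0x30, b"".join(fields))
```

Running is_fabric_ca_compatible over the three keys in this section returns True for each; feeding it the step 1 output (label EC PRIVATE KEY) returns False, which is exactly why step 2 is needed. The round trip sec1_to_pkcs8(pkcs8_to_sec1(der)) reproduces the openssl output byte for byte, so the conversion really is just re-wrapping: the same scalar and public point, with the curve OID moved from the [0] parameters field into the AlgorithmIdentifier.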

5. Certificate comparison

Copy the generated ca.cert.pem and ca.key.pem to Ubuntu and parse the certificate with: openssl x509 -in ca.cert.pem -noout -text. The result is shown in the figure below.

If the fabric-ca image is started without a private key and certificate, it generates its own (so that certificate's format can be taken as one that fabric-ca will start with). Its parsed output is shown below.

The comparison shows the self-signed certificate format is correct.

fabric-ca

1. File layout

The directory structure is:

cups@ubuntu:~/Desktop/test$ tree	# directory listing
.
├── ca # holds the fabric-ca private key and certificate
│   ├── ca.cert.pem
│   └── ca.key.pem
└── docker-compose.yaml # configuration file for starting fabric-ca

1 directory, 3 files
cups@ubuntu:~/Desktop/test$

Create these files yourself.

2. Writing the fabric-ca configuration file

The contents of docker-compose.yaml:

version: '2'
services:
  ca:
    container_name: ca
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca
      - FABRIC_CA_SERVER_TLS_ENABLED=false
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/ca.key.pem -b admin:adminpw -d'
    volumes:
      - ./ca/:/etc/hyperledger/fabric-ca-server-config

3. Starting the fabric-ca image

Open a terminal in the directory containing docker-compose.yaml, or change the current directory to where docker-compose.yaml lives.

Command: docker-compose -f docker-compose.yaml up

-f specifies the path of the configuration file; the configuration file is docker-compose.yaml; the action is up. Note that FABRIC_CA_SERVER_TLS_ENABLED=false and the bootstrap identity admin:adminpw sit in this file: enrollment traffic, including that secret, goes over plain HTTP, which is fine for this local test but not for a real deployment.

Result:

cups@ubuntu:~/Desktop/test$ docker-compose -f docker-compose.yaml up
Starting ca ... done
Attaching to ca
ca | 2020/09/15 01:34:27 [DEBUG] Home directory: /etc/hyperledger/fabric-ca-server
ca | 2020/09/15 01:34:27 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
ca | 2020/09/15 01:34:27 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
ca | 2020/09/15 01:34:27 [DEBUG] Set log level:
ca | 2020/09/15 01:34:27 [INFO] Server Version: 1.4.3
ca | 2020/09/15 01:34:27 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
ca | 2020/09/15 01:34:27 [DEBUG] Making server filenames absolute
ca | 2020/09/15 01:34:27 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
ca | 2020/09/15 01:34:27 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.4.3 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca Keyfile:/etc/hyperledger/fabric-ca-server-config/ca.key.pem Certfile:/etc/hyperledger/fabric-ca-server-config/ca.cert.pem Chainfile:ca-chain.pem} Signing:0xc0001cd4f0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[302115a9775b localhost] KeyRequest:0xc000542d60 CA:0xc000542de0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0005425e0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
ca | 2020/09/15 01:34:27 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
ca | 2020/09/15 01:34:27 [DEBUG] Checking configuration file version '1.4.3' against server version: '1.4.3'
ca | 2020/09/15 01:34:27 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000466400 PluginOpts:<nil>}
ca | 2020/09/15 01:34:27 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc00018ef30 DummyKeystore:<nil> InmemKeystore:<nil>}
ca | 2020/09/15 01:34:27 [DEBUG] Initialize key material
ca | 2020/09/15 01:34:27 [DEBUG] Making CA filenames absolute
ca | 2020/09/15 01:34:27 [INFO] The CA key and certificate files already exist
ca | 2020/09/15 01:34:27 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/ca.key.pem
ca | 2020/09/15 01:34:27 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.cert.pem
ca | 2020/09/15 01:34:27 [DEBUG] Validating the CA certificate and key
ca | 2020/09/15 01:34:27 [DEBUG] Check CA certificate for valid dates
ca | 2020/09/15 01:34:27 [DEBUG] Check CA certificate for valid usages
ca | 2020/09/15 01:34:27 [DEBUG] Check CA certificate for valid IsCA value
ca | 2020/09/15 01:34:27 [DEBUG] Check that key type is supported
ca | 2020/09/15 01:34:27 [DEBUG] Check that key size is of appropriate length
ca | 2020/09/15 01:34:27 [DEBUG] Check that public key and private key match
ca | 2020/09/15 01:34:27 [DEBUG] Validation of CA certificate and key successful
ca | 2020/09/15 01:34:27 [DEBUG] Loading CN from existing enrollment information
ca | 2020/09/15 01:34:27 [DEBUG] Initializing DB
ca | 2020/09/15 01:34:27 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server/fabric-ca-server.db'
ca | 2020/09/15 01:34:27 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) directory
ca | 2020/09/15 01:34:27 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) if it does not exist...
ca | 2020/09/15 01:34:27 [DEBUG] Creating users table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating affiliations table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating certificates table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating credentials table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating revocation_authority_info table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating nonces table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Creating properties table if it does not exist
ca | 2020/09/15 01:34:27 [DEBUG] Successfully opened sqlite3 DB
ca | 2020/09/15 01:34:27 [DEBUG] Initializing identity registry
ca | 2020/09/15 01:34:27 [DEBUG] Initialized DB identity registry
ca | 2020/09/15 01:34:27 [DEBUG] Checking database levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}' against server levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}'
ca | 2020/09/15 01:34:27 [DEBUG] Loading identity table
ca | 2020/09/15 01:34:27 [DEBUG] Loading identity 'admin'
ca | 2020/09/15 01:34:27 [DEBUG] DB: Getting identity admin
ca | 2020/09/15 01:34:27 [DEBUG] Identity 'admin' already registered, loaded identity
ca | 2020/09/15 01:34:27 [DEBUG] Successfully loaded identity table
ca | 2020/09/15 01:34:27 [DEBUG] Loading affiliations table
ca | 2020/09/15 01:34:27 [DEBUG] DB: Add affiliation org2
ca | 2020/09/15 01:34:27 [DEBUG] Affiliation 'org2' already exists
ca | 2020/09/15 01:34:27 [DEBUG] DB: Add affiliation org2.department1
ca | 2020/09/15 01:34:27 [DEBUG] Affiliation 'org2.department1' already exists
ca | 2020/09/15 01:34:27 [DEBUG] DB: Add affiliation org1
ca | 2020/09/15 01:34:27 [DEBUG] Affiliation 'org1' already exists
ca | 2020/09/15 01:34:27 [DEBUG] DB: Add affiliation org1.department1
ca | 2020/09/15 01:34:27 [DEBUG] Affiliation 'org1.department1' already exists
ca | 2020/09/15 01:34:27 [DEBUG] DB: Add affiliation org1.department2
ca | 2020/09/15 01:34:27 [DEBUG] Affiliation 'org1.department2' already exists
ca | 2020/09/15 01:34:27 [DEBUG] Successfully loaded affiliations table
ca | 2020/09/15 01:34:27 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
ca | 2020/09/15 01:34:27 [DEBUG] Initializing enrollment signer
ca | 2020/09/15 01:34:27 [DEBUG] validating configuration
ca | 2020/09/15 01:34:27 [DEBUG] validate local profile
ca | 2020/09/15 01:34:27 [DEBUG] profile is valid
ca | 2020/09/15 01:34:27 [DEBUG] validate local profile
ca | 2020/09/15 01:34:27 [DEBUG] profile is valid
ca | 2020/09/15 01:34:27 [DEBUG] validate local profile
ca | 2020/09/15 01:34:27 [DEBUG] profile is valid
ca | 2020/09/15 01:34:27 [DEBUG] CA initialization successful
ca | 2020/09/15 01:34:27 [DEBUG] Initializing Idemix issuer...
ca | 2020/09/15 01:34:27 [INFO] The Idemix issuer public and secret key files already exist
ca | 2020/09/15 01:34:27 [INFO] secret key file location: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
ca | 2020/09/15 01:34:27 [INFO] public key file location: /etc/hyperledger/fabric-ca-server/IssuerPublicKey
ca | 2020/09/15 01:34:27 [DEBUG] Intializing revocation authority for issuer 'ca'
ca | 2020/09/15 01:34:27 [DEBUG] Initialize Idemix issuer revocation key material
ca | 2020/09/15 01:34:27 [INFO] The Idemix issuer revocation public and secret key files already exist
ca | 2020/09/15 01:34:27 [INFO] private key file location: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
ca | 2020/09/15 01:34:27 [INFO] public key file location: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey
ca | 2020/09/15 01:34:27 [DEBUG] Intializing nonce manager for issuer 'ca'
ca | 2020/09/15 01:34:27 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
ca | 2020/09/15 01:34:27 [DEBUG] 1 CA instance(s) running on server
ca | 2020/09/15 01:34:27 [INFO] Operation Server Listening on 127.0.0.1:9443
ca | 2020/09/15 01:34:27 [INFO] Listening on http://0.0.0.0:7054

4. Enrolling and obtaining a certificate

Admin account and password -> fabric-ca-server -> enrollment certificate.

Set the certificate directory: export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin

Contact fabric-ca to obtain the certificate: fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

Result:

cups@ubuntu:~/Desktop/test$ export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
cups@ubuntu:~/Desktop/test$ fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2020/09/14 18:38:36 [INFO] Created a default configuration file at /home/cups/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2020/09/14 18:38:36 [INFO] generating key: &{A:ecdsa S:256}
2020/09/14 18:38:36 [INFO] encoded CSR
2020/09/14 18:38:36 [INFO] Stored client certificate at /home/cups/fabric-ca/clients/admin/msp/signcerts/cert.pem
2020/09/14 18:38:36 [INFO] Stored root CA certificate at /home/cups/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
2020/09/14 18:38:36 [INFO] Stored Issuer public key at /home/cups/fabric-ca/clients/admin/msp/IssuerPublicKey
2020/09/14 18:38:36 [INFO] Stored Issuer revocation public key at /home/cups/fabric-ca/clients/admin/msp/IssuerRevocationPublicKey
cups@ubuntu:~/Desktop/test$ cd /home/cups/fabric-ca/clients/admin
cups@ubuntu:~/fabric-ca/clients/admin$ tree
.
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│   └── localhost-7054.pem # CA certificate
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── 3e1c4a697b91754e15a58bbf03b0cf70685209c0bc5623177a3c06cc9d3a98fb_sk # private key
├── signcerts
│   └── cert.pem # certificate
└── user

5 directories, 6 files
cups@ubuntu:~/fabric-ca/clients/admin$

Private key:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgy56nUOfyYJnHBZo0
5QOfXL2uqsThSVrFsALeaw6uEzihRANCAAQQyAWFNnjrdZeqHB4neLqS2CvJwUSD
dPsv90DYvn1mnsjkMOKvnSGu8kag3pZe8kz/V/N9oiizDG3V+QVH77iv
-----END PRIVATE KEY-----

Certificate:

-----BEGIN CERTIFICATE-----
(certificate body not preserved in this copy of the post)
-----END CERTIFICATE-----

5. Registering and enrolling a peer certificate

Point to the directory holding the admin certificate: export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin

Register peer0: fabric-ca-client register --id.name peer0 --id.type peer --id.affiliation org1.department1 --id.secret peer0pw

Set the peer0 certificate directory: export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer0

Enroll the peer0 certificate: fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

Result:

cups@ubuntu:~/Desktop/test$ export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
cups@ubuntu:~/Desktop/test$ fabric-ca-client register --id.name peer0 --id.type peer --id.affiliation org1.department1 --id.secret peer0pw
2020/09/14 18:48:26 [INFO] Configuration file location: /home/cups/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Password: peer0pw
cups@ubuntu:~/Desktop/test$ export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer0
cups@ubuntu:~/Desktop/test$ fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp
2020/09/14 18:49:04 [INFO] Created a default configuration file at /home/cups/fabric-ca/clients/peer0/fabric-ca-client-config.yaml
2020/09/14 18:49:04 [INFO] generating key: &{A:ecdsa S:256}
2020/09/14 18:49:04 [INFO] encoded CSR
2020/09/14 18:49:04 [INFO] Stored client certificate at /home/cups/fabric-ca/clients/peer0/msp/signcerts/cert.pem
2020/09/14 18:49:04 [INFO] Stored root CA certificate at /home/cups/fabric-ca/clients/peer0/msp/cacerts/localhost-7054.pem
2020/09/14 18:49:04 [INFO] Stored Issuer public key at /home/cups/fabric-ca/clients/peer0/msp/IssuerPublicKey
2020/09/14 18:49:04 [INFO] Stored Issuer revocation public key at /home/cups/fabric-ca/clients/peer0/msp/IssuerRevocationPublicKey
cups@ubuntu:~/Desktop/test$ cd /home/cups/fabric-ca/clients/peer0
cups@ubuntu:~/fabric-ca/clients/peer0$ tree
.
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│   └── localhost-7054.pem # CA certificate
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── ab887f7d2829a0fdf48efb3b14782ae67ce8aabdca0c38b0aa79ab7c2803f946_sk # private key
├── signcerts
│   └── cert.pem # certificate
└── user

5 directories, 6 files
cups@ubuntu:~/fabric-ca/clients/peer0$

Inspecting the fabric-ca container

List containers: docker ps

Result:

cups@ubuntu:~/Desktop/test$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
302115a9775b hyperledger/fabric-ca "sh -c 'fabric-ca-se…" 14 hours ago Up 20 minutes 0.0.0.0:7054->7054/tcp ca
cups@ubuntu:~/Desktop/test$

Enter the container: docker exec -it 302115a9775b /bin/bash

Change to the fabric-ca-server working directory: cd /etc/hyperledger/fabric-ca-server

cups@ubuntu:~/Desktop/test$ docker exec -it 302115a9775b /bin/bash
root@302115a9775b:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@302115a9775b:/# cd /etc/hyperledger/fabric-ca-server
root@302115a9775b:/etc/hyperledger/fabric-ca-server# ls
IssuerPublicKey IssuerRevocationPublicKey ca-cert.pem ca-key.pem fabric-ca-server-config.yaml fabric-ca-server.db msp
root@302115a9775b:/etc/hyperledger/fabric-ca-server#

Press Ctrl+D to leave the pseudo-terminal.

Copy fabric-ca-server.db out of the container: docker container cp 302115a9775b:/etc/hyperledger/fabric-ca-server/fabric-ca-server.db ./

Inspect the contents of fabric-ca-server.db.