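A record of my study of fabric-ca. Part of the content comes from https://blog.csdn.net/zhayujie5200/article/details/80221361, and part is the problems I ran into myself and my own summary.
git clone the source, then check out 1.1. The version in use: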
wang@wang:~/go/src/github.com/hyperledger/fabric-ca$ git branch
* release-1.1
release-1.4
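Until now the CA service I used was always a pre-downloaded CA image running inside a Docker container, and the application accessed the CA server through the interfaces integrated in the Node SDK.
Fabric CA consists of a server component and a client component. The CA server (fabric-ca-server) can be viewed as a web service: running the binary compiled from the Go code makes it listen on a port and handle the requests it receives.
The CA client (fabric-ca-client) is a program that sends requests to the CA server: running the compiled binary with different arguments sends the corresponding HTTP requests to the CA server and completes the corresponding operations.
The three certificate types in fabric-ca:
(1) Enrollment certificate (ECert): verifies the identity of an entity
(2) Communication certificate (TLSCert): secures the communication link and verifies the identity of the remote end
(3) Transaction certificate (TCert): issued to users; controls the permissions of each transaction
Install libtool and libltdl-dev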
sudo apt install libtool libltdl-dev
wang@wang:~$ go version
go version go1.11.4 linux/amd64
Environment variables: set in ~/.bashrc; the fabric-ca environment variables are configured there as well
export GOROOT=/usr/local/go
export GOPATH=/home/wang/go
export PATH=$GOROOT/bin:$GOPATH/bin:$PATH:$GOPATH/src/github.com/hyperledger/fabric-ca/bin:$GOPATH/bin
wang@wang:~$ docker version
Client:
Version: 18.09.7
API version: 1.39
Go version: go1.10.4
Git commit: 2d0083d
Built: Wed Jul 3 13:38:22 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.09.7
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 2d0083d
Built: Mon Jul 1 19:31:53 2019
OS/Arch: linux/amd64
Experimental: false
wang@wang:~$ docker-compose version
docker-compose version 1.12.0, build b31ff33
docker-py version: 2.2.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
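The first way: download and build directly from GitHub. The go get command automatically fetches the source and builds it into $GOPATH/bin, so the fabric-ca-server and fabric-ca-client executables are generated in that directory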
go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-server
go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-client
If this way, or the manual build below, fails with the following error:
wang@wang:~/go/src/github.com/hyperledger/fabric-ca$ make fabric-ca-server
Building fabric-ca-server in bin directory ...
# github.com/hyperledger/fabric-ca/lib
lib/server.go:842:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
lib/server.go:843:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
Makefile:115: recipe for target 'bin/fabric-ca-server' failed
make: *** [bin/fabric-ca-server] Error 2
wang@wang:~/go/src/github.com/hyperledger/fabric-ca$ go version
go version go1.9.2 linux/amd64
then the Go version is too old and has to be upgraded. Download the required version from https://golang.google.cn/dl/:
wang@wang:/usr/local$ sudo rm -r go/
wang@wang:~/Desktop$ tar -C /usr/local -xzf go1.11.4.linux-amd64.tar.gz
wang@wang:~/Desktop$ vim ~/.bashrc
export GOROOT=/usr/local/go
wang@wang:~/Desktop$ source ~/.bashrc
wang@wang:~/Desktop$ go version
go version go1.11.4 linux/amd64
Add to bashrc:
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$HOME/go/bin
export PATH=$GOROOT/bin:$GOPATH/bin:$PATH:$GOPATH/src/github.com/hyperledger/fabric-ca/bin:$GOPATH/bin
The second way is to build manually:
git clone https://github.com/hyperledger/fabric-ca.git
cd fabric-ca
git checkout v1.1.0
Then build in the …/fabric-ca/ directory:
make fabric-ca-server
make fabric-ca-client
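The build generates the fabric-ca-server and fabric-ca-client executables in the …/fabric-ca/bin directory.
The third way uses images: pull the fabric-ca image directly, or build the images from source.
Run in the fabric-ca directory: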
make docker
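This produces four images: fabric-ca, fabric-ca-tool, fabric-ca-peer and fabric-ca-orderer. The images are saved in …/fabric-ca/build/image.
There are two ways to access the Fabric CA server: through the client tool (fabric-ca-client) and through the RESTful interface. In essence, the client tool is also implemented by calling the server's RESTful interface. The client tool is used here.
1. Initialize the CA server.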
fabric-ca-server init -b admin:adminpw
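After initialization the following are generated in the directory:
(1) msp: contains the keystore, which holds the CA server's private key
(2) ca-cert.pem: the CA server's certificate
(3) fabric-ca-server.db: the embedded database the CA uses by default, SQLite
(4) fabric-ca-server-config.yaml: the CA server's configuration file
2. Start the CA server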
fabric-ca-server start -b admin:adminpw
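The CA server starts listening; the default listening address is http://0.0.0.0:7054. If the start command is run directly, it first performs the init step automatically and then starts the service and begins listening.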
wang@wang:~/Desktop/test$ fabric-ca-server init -b admin:adminpw
2019/08/12 09:47:08 [INFO] Created default configuration file at /home/wang/Desktop/test/fabric-ca-server-config.yaml
2019/08/12 09:47:08 [INFO] Server Version: 1.1.1-snapshot-e656889
2019/08/12 09:47:08 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1}
2019/08/12 09:47:08 [INFO] generating key: &{A:ecdsa S:256}
2019/08/12 09:47:08 [INFO] encoded CSR
2019/08/12 09:47:08 [INFO] signed certificate with serial number 292404470089655627420367415153855791218266557617
2019/08/12 09:47:08 [INFO] The CA key and certificate were generated for CA
2019/08/12 09:47:08 [INFO] The key was stored by BCCSP provider 'SW'
2019/08/12 09:47:08 [INFO] The certificate is at: /home/wang/Desktop/test/ca-cert.pem
2019/08/12 09:47:09 [INFO] Initialized sqlite3 database at /home/wang/Desktop/test/fabric-ca-server.db
2019/08/12 09:47:09 [INFO] Home directory for default CA: /home/wang/Desktop/test
2019/08/12 09:47:09 [INFO] Initialization was successful
wang@wang:~/Desktop/test$ ls
ca-cert.pem fabric-ca-server-config.yaml fabric-ca-server.db msp
wang@wang:~/Desktop/test$ fabric-ca-server start -b admin:adminpw
2019/08/12 10:15:57 [INFO] Configuration file location: /home/wang/Desktop/test/fabric-ca-server-config.yaml
2019/08/12 10:15:57 [INFO] Starting server in home directory: /home/wang/Desktop/test
2019/08/12 10:15:57 [INFO] Server Version: 1.1.1-snapshot-e656889
2019/08/12 10:15:57 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1}
2019/08/12 10:15:57 [INFO] The CA key and certificate already exist
2019/08/12 10:15:57 [INFO] The key is stored by BCCSP provider 'SW'
2019/08/12 10:15:57 [INFO] The certificate is at: /home/wang/Desktop/test/ca-cert.pem
2019/08/12 10:15:57 [INFO] Initialized sqlite3 database at /home/wang/Desktop/test/fabric-ca-server.db
2019/08/12 10:15:57 [INFO] Home directory for default CA: /home/wang/Desktop/test
2019/08/12 10:15:57 [INFO] Listening on http://0.0.0.0:7054
2019/08/12 10:17:15 [INFO] signed certificate with serial number 560189872795647137412431714674731129681142082446
2019/08/12 10:17:15 [INFO] 127.0.0.1:52166 POST /enroll 201 0 "OK"
2019/08/12 10:23:02 [INFO] 127.0.0.1:52168 POST /register 201 0 "OK"
2019/08/12 10:23:41 [INFO] signed certificate with serial number 38775197031390892996209970653114866102608499231
2019/08/12 10:23:41 [INFO] 127.0.0.1:52170 POST /enroll 201 0 "OK"
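The server above listens on plain HTTP on 0.0.0.0:7054, so the access lines in its log are where to check who is enrolling and registering. The following Python is an added example, not code from the original post or the fabric-ca project: it parses those lines, lists /enroll and /register requests from non-loopback sources, and flags sources with repeated HTTP 401 answers. The 192.0.2.x lines, the 401 status and the `max_failures` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Access line layout read off the log above (field meanings are an assumption):
#   <date> <time> [INFO] <ip>:<port> <METHOD> <path> <HTTP status> <code> "<msg>"
ACCESS = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[INFO\] '
    r'\[?(?P<ip>[0-9A-Fa-f.:]+?)\]?:\d+ [A-Z]+ '
    r'(?P<path>/\S*) (?P<status>\d{3}) \d+ ".*"$')

def analyse(lines, max_failures=3):
    """Return (remote, noisy): enroll/register requests from non-loopback
    sources, and source IPs with at least max_failures HTTP 401 answers."""
    remote, failures = [], Counter()
    for line in lines:
        m = ACCESS.match(line.strip())
        if not m or m["path"] not in ("/enroll", "/register"):
            continue  # not an access line, or a different endpoint
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # address field did not parse
        if not ip.is_loopback:
            remote.append((m["ts"], str(ip), m["path"], m["status"]))
        if m["status"] == "401":
            failures[str(ip)] += 1
    noisy = sorted(ip for ip, n in failures.items() if n >= max_failures)
    return remote, noisy

# The first four lines are copied from the log above; the 192.0.2.x lines
# (documentation address range) are constructed for this example.
SAMPLE = """\
2019/08/12 10:17:15 [INFO] signed certificate with serial number 560189872795647137412431714674731129681142082446
2019/08/12 10:17:15 [INFO] 127.0.0.1:52166 POST /enroll 201 0 "OK"
2019/08/12 10:23:02 [INFO] 127.0.0.1:52168 POST /register 201 0 "OK"
2019/08/12 10:23:41 [INFO] 127.0.0.1:52170 POST /enroll 201 0 "OK"
2019/08/12 11:02:10 [INFO] 192.0.2.10:40110 POST /enroll 401 20 "Authorization failure"
2019/08/12 11:02:11 [INFO] 192.0.2.10:40112 POST /enroll 401 20 "Authorization failure"
2019/08/12 11:02:12 [INFO] 192.0.2.10:40114 POST /enroll 401 20 "Authorization failure"
2019/08/12 11:05:40 [INFO] 192.0.2.20:51000 POST /enroll 201 0 "OK"
""".splitlines()

if __name__ == "__main__":
    remote, noisy = analyse(SAMPLE)
    for ts, ip, path, status in remote:
        print(f"remote request: {ts} {ip} {path} -> {status}")
    print("repeated 401s from:", ", ".join(noisy) or "none")
```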
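3. Enroll the admin user
The fabric-ca-client command interacts with the server and includes 5 subcommands:
(1) enroll: log in and obtain an ECert;
(2) getcacert: get the CA service's certificate chain;
(3) reenroll: log in again;
(4) register: register a user entity;
(5) revoke: revoke an issued entity certificate.
Operate the CA client in another terminal. First, enroll the administrator user that was set at startup (the admin:adminpw given to init or start). Before enrolling, set the environment variable for the directory where certificates are stored (that is, first create an administrator, to be used later when registering users, and then set the directory for the administrator's certificates):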
wang@wang:~$ export FABRIC_CA_CLIENT_HOME=$HOME/Desktop/ca
wang@wang:~$ fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2019/08/12 10:17:15 [INFO] Created a default configuration file at /home/wang/Desktop/ca/fabric-ca-client-config.yaml
2019/08/12 10:17:15 [INFO] generating key: &{A:ecdsa S:256}
2019/08/12 10:17:15 [INFO] encoded CSR
2019/08/12 10:17:15 [INFO] Stored client certificate at /home/wang/Desktop/ca/msp/signcerts/cert.pem
2019/08/12 10:17:15 [INFO] Stored root CA certificate at /home/wang/Desktop/ca/msp/cacerts/localhost-7054.pem
2019/08/12 10:17:15 [INFO] Stored intermediate CA certificates at /home/wang/Desktop/ca/msp/intermediatecerts/localhost-7054.pem
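A fabric-ca-client-config.yaml configuration file and an msp directory have been generated in the configured directory; the msp directory contains the administrator's certificate and private key: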
wang@wang:~/Desktop/ca$ ls
fabric-ca-client-config.yaml msp
wang@wang:~/Desktop/ca/msp$ ls
cacerts intermediatecerts keystore signcerts
wang@wang:~/Desktop/ca$ tree msp
msp
├── cacerts
│   └── localhost-7054.pem
├── intermediatecerts
│   └── localhost-7054.pem
├── keystore
│   └── 6ce3de2587e00a44d0fb5b311128e52d21dccdc49d68ac2d2aaa5c400cb76e5f_sk
└── signcerts
    └── cert.pem
4 directories, 4 files
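4. Register a new user
With the admin user successfully enrolled, next use admin as the registrar to register a new user;
the client receives an enrollment password, and this password is used to enroll the user.
The server-side log for this process is shown above.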
wang@wang:~$ fabric-ca-client register --id.name Jim --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
2019/08/12 10:23:02 [INFO] Configuration file location: /home/wang/Desktop/ca/fabric-ca-client-config.yaml
Password: NNxStaEvxQyh
wang@wang:~$ fabric-ca-client enroll -u http://Jim:NNxStaEvxQyh@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/Jim
2019/08/12 10:23:41 [INFO] generating key: &{A:ecdsa S:256}
2019/08/12 10:23:41 [INFO] encoded CSR
2019/08/12 10:23:41 [INFO] Stored client certificate at /home/wang/Desktop/ca/Jim/signcerts/cert.pem
2019/08/12 10:23:41 [INFO] Stored root CA certificate at /home/wang/Desktop/ca/Jim/cacerts/localhost-7054.pem
2019/08/12 10:23:41 [INFO] Stored intermediate CA certificates at /home/wang/Desktop/ca/Jim/intermediatecerts/localhost-7054.pem
The new user is now enrolled successfully and has obtained its own certificate and private key.
wang@wang:~/Desktop/ca$ cd Jim/
wang@wang:~/Desktop/ca/Jim$ ls
cacerts intermediatecerts keystore signcerts
wang@wang:~/Desktop/ca$ tree Jim
Jim
├── cacerts
│   └── localhost-7054.pem
├── intermediatecerts
│   └── localhost-7054.pem
├── keystore
│   └── 402e9ada1f0feeb644e2fc6a2aa4edaf4926a0deb211c68d69e74c6d43fb0c89_sk
└── signcerts
    └── cert.pem
4 directories, 4 files
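Using the Docker container approach:
Use the docker-compose.yaml file to start the container. The configuration file is in …/fabric-ca/docker/server; enter that directory and start it: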
wang@wang:~/go/src/github.com/hyperledger/fabric-ca/docker/server$ docker-compose up
Starting fabric-ca-server
Attaching to fabric-ca-server
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Server Version: 1.4.2
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
fabric-ca-server | 2019/08/12 03:22:38 [INFO] The CA key and certificate already exist
fabric-ca-server | 2019/08/12 03:22:38 [INFO] The key is stored by BCCSP provider 'SW'
fabric-ca-server | 2019/08/12 03:22:38 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
fabric-ca-server | 2019/08/12 03:22:38 [INFO] The Idemix issuer public and secret key files already exist
fabric-ca-server | 2019/08/12 03:22:38 [INFO] secret key file location: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
fabric-ca-server | 2019/08/12 03:22:38 [INFO] public key file location: /etc/hyperledger/fabric-ca-server/IssuerPublicKey
fabric-ca-server | 2019/08/12 03:22:38 [INFO] The Idemix issuer revocation public and secret key files already exist
fabric-ca-server | 2019/08/12 03:22:38 [INFO] private key file location: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
fabric-ca-server | 2019/08/12 03:22:38 [INFO] public key file location: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Operation Server Listening on 127.0.0.1:9443
fabric-ca-server | 2019/08/12 03:22:38 [INFO] Listening on http://0.0.0.0:7054
The step above has already run the 'fabric-ca-server start -b admin:adminpw' command, so enter the container and start from enrolling admin.
wang@wang:~$ docker exec -it fabric-ca-server bash
root@aa54de8cc32d:/# export FABRIC_CA_CLIENT_HOME=$HOME/vong/ca
root@aa54de8cc32d:/# fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2019/08/12 03:27:51 [INFO] Created a default configuration file at /root/vong/ca/fabric-ca-client-config.yaml
2019/08/12 03:27:51 [INFO] generating key: &{A:ecdsa S:256}
2019/08/12 03:27:51 [INFO] encoded CSR
2019/08/12 03:27:51 [INFO] Stored client certificate at /root/vong/ca/msp/signcerts/cert.pem
2019/08/12 03:27:51 [INFO] Stored root CA certificate at /root/vong/ca/msp/cacerts/localhost-7054.pem
2019/08/12 03:27:51 [INFO] Stored Issuer public key at /root/vong/ca/msp/IssuerPublicKey
2019/08/12 03:27:51 [INFO] Stored Issuer revocation public key at /root/vong/ca/msp/IssuerRevocationPublicKey
Location of the admin user's certificates:
root@aa54de8cc32d:/# cd $HOME
root@aa54de8cc32d:~# ls
vong
root@aa54de8cc32d:~# cd vong/ca/
root@aa54de8cc32d:~/vong/ca# ls
fabric-ca-client-config.yaml msp
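Continue with the remaining steps: use the admin user to register a new user, which generates an enrollment password, then enroll the new user with that password: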
root@aa54de8cc32d:~/vong/ca# cd /
root@aa54de8cc32d:/# fabric-ca-client register --id.name Jim --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
2019/08/12 03:32:04 [INFO] Configuration file location: /root/vong/ca/fabric-ca-client-config.yaml
Password: ltWGpBhetRjb
root@aa54de8cc32d:/# fabric-ca-client enroll -u http://Jim:ltWGpBhetRjb@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/Jim
2019/08/12 03:32:36 [INFO] generating key: &{A:ecdsa S:256}
2019/08/12 03:32:36 [INFO] encoded CSR
2019/08/12 03:32:36 [INFO] Stored client certificate at /root/vong/ca/Jim/signcerts/cert.pem
2019/08/12 03:32:36 [INFO] Stored root CA certificate at /root/vong/ca/Jim/cacerts/localhost-7054.pem
2019/08/12 03:32:36 [INFO] Stored Issuer public key at /root/vong/ca/Jim/IssuerPublicKey
2019/08/12 03:32:36 [INFO] Stored Issuer revocation public key at /root/vong/ca/Jim/IssuerRevocationPublicKey
The Jim user's certificates:
root@aa54de8cc32d:~/vong/ca/Jim# ls
IssuerPublicKey IssuerRevocationPublicKey cacerts keystore signcerts user
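After using the admin user to register and then enroll the new user, open the fabric-ca-server.db file generated when the CA service was initialized and look at the data in the SQLite database: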
wang@wang:~/Desktop/test$ sqlite3 fabric-ca-server.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
affiliations certificates properties users
sqlite> select * from certificates;
admin|621fc85d25d95780a2de4cdcd2dfead98fbfeb8e|3ffc28d5fe1b54230f481ed553f51825d74c747f||good|0|2020-08-11 02:17:00+00:00|0001-01-01 00:00:00+00:00|-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
|1
Jim|6cabd6ea7f313d8f10e54db75e545f6300a921f|3ffc28d5fe1b54230f481ed553f51825d74c747f||good|0|2020-08-11 02:24:00+00:00|0001-01-01 00:00:00+00:00|-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
|1
sqlite> select * from properties;
identity.level|1
affiliation.level|1
certificate.level|1
sqlite> select * from affiliations;
org2||1
org2.department1|org2|1
org1||1
org1.department1|org1|1
org1.department2|org1|1
sqlite> select * from users;
admin|$2a$10$2J1URUPfMpsVNvB5ApU2nefFrWu.UnmBmuAw5Rn4FV2Hf5iCyVnFq|client||[{"name":"hf.Registrar.Attributes","value":"*"},{"name":"hf.AffiliationMgr","value":"1"},{"name":"hf.Registrar.Roles","value":"peer,orderer,client,user"},{"name":"hf.Registrar.DelegateRoles","value":"peer,orderer,client,user"},{"name":"hf.Revoker","value":"1"},{"name":"hf.IntermediateCA","value":"1"},{"name":"hf.GenCRL","value":"1"}]|1|-1|1
Jim|$2a$10$CWZAQ.WNHFca9Ej0flVb1ubG9laxvPRGRPdvWZDh4NrW0LFr4s4IO|user|org1.department1|[{"name":"hf.Revoker","value":"true"},{"name":"foo","value":"bar"},{"name":"hf.EnrollmentID","value":"Jim","ecert":true},{"name":"hf.Type","value":"user","ecert":true},{"name":"hf.Affiliation","value":"org1.department1","ecert":true}]|1|-1|1
wang@wang:~/Desktop/ca$ fabric-ca-client --help
wang@wang:~/Desktop/ca$ fabric-ca-client affiliation --help
wang@wang:~/Desktop/ca$ fabric-ca-client affiliation list
affiliation: .
affiliation: org2
affiliation: org2.department1
affiliation: org1
affiliation: org1.department1
affiliation: org1.department2
wang@wang:~/Desktop/ca$ fabric-ca-client identity --help
wang@wang:~/Desktop/ca$ fabric-ca-client identity list
Name: admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.Registrar.Attributes Value:* ECert:false} {Name:hf.AffiliationMgr Value:1 ECert:false} {Name:hf.Registrar.Roles Value:peer,orderer,client,user ECert:false} {Name:hf.Registrar.DelegateRoles Value:peer,orderer,client,user ECert:false} {Name:hf.Revoker Value:1 ECert:false} {Name:hf.IntermediateCA Value:1 ECert:false} {Name:hf.GenCRL Value:1 ECert:false}]
Name: Jim, Type: user, Affiliation: org1.department1, Max Enrollments: -1, Attributes: [{Name:hf.Revoker Value:true ECert:false} {Name:foo Value:bar ECert:false} {Name:hf.EnrollmentID Value:Jim ECert:true} {Name:hf.Type Value:user ECert:true} {Name:hf.Affiliation Value:org1.department1 ECert:true}]
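The users table and the `identity list` output above show which identities carry registrar, revoker and intermediate-CA rights. The following Python is an added example, not code from the original post or the fabric-ca project: it reads the users table with sqlite3 and reports, per identity, the privileged hf.* attributes and unlimited enrollments. Field positions follow the row layout printed above; the in-memory table, its column names, the `app1` identity and the `<bcrypt-hash>` placeholder are constructed assumptions.

```python
import json
import sqlite3

# Privileged hf.* attributes that appear in the users table shown above.
BOOL_PRIVS = {"hf.Revoker", "hf.IntermediateCA", "hf.GenCRL", "hf.AffiliationMgr"}
LIST_PRIVS = {"hf.Registrar.Roles", "hf.Registrar.DelegateRoles",
              "hf.Registrar.Attributes"}

def audit_users(conn):
    """Return {identity: sorted findings} for every row of the users table."""
    report = {}
    for row in conn.execute("SELECT * FROM users"):
        # Positions as printed above: 0 name, 1 secret hash, 2 type,
        # 3 affiliation, 4 JSON attributes, 6 max enrollments.
        name, attrs, max_enroll = row[0], json.loads(row[4] or "[]"), row[6]
        findings = []
        for attr in attrs:
            key, val = attr.get("name"), str(attr.get("value", ""))
            if key in BOOL_PRIVS and val.lower() in ("1", "t", "true"):
                findings.append(key)
            elif key in LIST_PRIVS and val:
                findings.append(f"{key}={val}")
        if max_enroll == -1:  # -1: no limit on the number of enrollments
            findings.append("unlimited enrollments")
        report[name] = sorted(findings)
    return report

def sample_db():
    """Constructed in-memory stand-in; its column names are assumptions."""
    enc = lambda d: json.dumps([{"name": k, "value": v} for k, v in d.items()])
    roles = "peer,orderer,client,user"
    admin = enc({"hf.Registrar.Attributes": "*", "hf.AffiliationMgr": "1",
                 "hf.Registrar.Roles": roles, "hf.Registrar.DelegateRoles": roles,
                 "hf.Revoker": "1", "hf.IntermediateCA": "1", "hf.GenCRL": "1"})
    jim = enc({"hf.Revoker": "true", "foo": "bar", "hf.EnrollmentID": "Jim",
               "hf.Type": "user", "hf.Affiliation": "org1.department1"})
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id, token, type, affiliation, "
                 "attributes, state, max_enrollments, level)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", [
        ("admin", "<bcrypt-hash>", "client", "", admin, 1, -1, 1),
        ("Jim", "<bcrypt-hash>", "user", "org1.department1", jim, 1, -1, 1),
        ("app1", "<bcrypt-hash>", "client", "org2", enc({"foo": "bar"}), 1, 1, 1),
    ])
    return conn

if __name__ == "__main__":
    for ident, findings in audit_users(sample_db()).items():
        print(ident, "->", ", ".join(findings) or "nothing flagged")
```

To run it against a real server, pass `audit_users` a connection opened on a copy of fabric-ca-server.db instead of `sample_db()`.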