Fabric使用根CA管理组织CA
fabric-ca的root CA和Intermediate CA
1. 下载fabric-ca的镜像
# 这里使用的是1.4版本的fabric-ca
docker pull hyperledger/fabric-ca:1.4
2. 编辑要启动的根CA的docker-compose.yml文件
ca-root:
image: hyperledger/fabric-ca:1.4
container_name: ca-root
ports:
- "7054:7054"
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
volumes:
- "/root/fabric-ca/rootcaserver:/etc/hyperledger/fabric-ca-server"
command: sh -c 'fabric-ca-server start -b admin:adminpw --cfg.identities.allowremove --cfg.affiliations.allowremove'
3. 我们启动这个容器
docker-compose up -d ca-root
- 启动容器之后,我们进入在配置文件中给提前写好的映射目录,使用tree命令查看目录结构:
- ca-cert.pem 这是根CA的签名证书,自签发
- 94ced00344f8ab6868409931bab4932c7c25e5f8b071dab8bbc1f32b90b48fb1_sk是秘钥,签名用的
- 我们可以使用openssl查看证书的具体信息得到的内容如下所示:
openssl x509 -in ca-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
59:bb:83:44:f9:d8:b5:ca:c5:c7:5b:dd:7e:c6:bd:a1:1d:2f:a5:f9
Signature Algorithm: ecdsa-with-SHA256
# 签发证书方
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
# 证书的有效期
Validity
Not Before: Apr 20 05:31:00 2020 GMT
Not After : Apr 17 05:31:00 2035 GMT
# 证书的拥有方
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f9:00:8b:11:af:96:95:21:9b:24:01:69:47:6b:
4f:10:15:b0:8d:8f:d8:1c:f8:63:41:c1:61:5c:07:
df:1a:b7:19:41:50:ca:49:ac:03:32:40:c8:24:74:
25:74:c5:04:fb:49:e5:3d:e3:cc:21:59:f3:98:13:
90:5f:0e:ff:27
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
97:5B:5B:D9:A0:FD:FF:A9:4C:F3:A7:AC:4D:8F:CB:ED:8B:0D:36:93
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:6e:8e:7a:5c:0b:7e:24:e5:33:98:87:9b:f6:82:
80:33:5e:cb:52:1f:6e:80:5e:58:d3:16:a1:b7:1e:f7:71:86:
02:20:7e:ba:18:d0:b3:1d:27:32:51:44:46:c9:79:94:90:ef:
95:a2:28:ab:e3:a4:34:52:af:b3:8f:dc:29:93:de:5d
- 想要使用docker通过根CA启动一个中间CA,但是遇到了错误,还没有找到解决方法
Error: POST failure of request: POST http://localhost:7054/enroll
{"hosts":["5df0ef180af8","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBYTCCAQgCAQAwXTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMQ4wDAYD\nVQQDEwVhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGr4wD78KxLrGfi1\nY8Oa1clOzPiPbQWVpxc9hZwETmqdTkEJCqTVMkjQNBw0/cc/svJq4vdo/mX/Y1DG\nv/fFEdqgSTBHBgkqhkiG9w0BCQ4xOjA4MCIGA1UdEQQbMBmCDDVkZjBlZjE4MGFm\nOIIJbG9jYWxob3N0MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwIDRwAw\nRAIgUj/bFQzxcHsyGuBvXkKCu+wcVcRZJORcEZhQpdqwdtoCIA+HJbjrVKHqfzL/\nNNj81punRsBnpFEJblscKoK2MLwZ\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://localhost:7054/enroll: dial tcp 127.0.0.1:7054: connect: connection refused
4. 启动一个中间CA
由于docker启动失败所以暂时用二进制文件代替:
# 注意在对应的文件夹下进行操作,否则就使用-M指定好,下面的一些操作同理
fabric-ca-server start -b admin:adminpw -p 7055 -u http://admin:adminpw@localhost:7054 -n org1 &
5. 我们enroll org1的管理员:
fabric-ca-client enroll --home ./org1caserver/admin --url http://admin:adminpw@localhost:7055
6. 查看生成的admin文件夹
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── localhost-7055.pem # 根CA的证书
│ ├── intermediatecerts # 组织CA的证书
│ │ └── localhost-7055.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 734538187ba7bcc624b4bb6d4678c9da92d6ba9b3ec170f48ca4dae27e4e5f30_sk
│ ├── signcerts
│ │ └── cert.pem # 两个CA共同签发的管理员证书
│ └── user
├── ca-cert.pem # 组织CA的证书
├── ca-chain.pem # 根CA的证书和组织CA的证书
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── msp
├── cacerts
├── keystore
│ ├── 57bc2ac30c5edb4a99eca50ac608b2d612c900192796102b6295227df5997d4b_sk
│ ├── IssuerRevocationPrivateKey
│ └── IssuerSecretKey
├── signcerts
└── user
- 我们发现在admin下的msp中有两个证书的文件夹。他们分别是组织CA和根CA的证书。而signcerts下是管理员的证书
- 这里的管理员证书需要由根CA和中间CA共同签发:
- 验证:
openssl verify -verbose -CAfile ./admin/msp/cacerts/localhost-7055.pem -untrusted ./admin/msp/intermediatecerts/localhost-7055.pem ./admin/msp/signcerts/cert.pem
/admin/msp/intermediatecerts/localhost-7055.pem ./admin/msp/signcerts/cert.pem