Fabric使用根CA管理组织CA

fabric-ca的root CA和Intermediate CA

1. 下载fabric-ca的镜像

# 这里使用的是1.4版本的fabric-ca
docker pull hyperledger/fabric-ca:1.4

2. 编辑要启动的根CA的docker-compose.yml文件

ca-root:
   image: hyperledger/fabric-ca:1.4
   container_name: ca-root
   ports:
     - "7054:7054"
   environment:
     - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
   volumes:
     - "/root/fabric-ca/rootcaserver:/etc/hyperledger/fabric-ca-server"
   command: sh -c 'fabric-ca-server start -b admin:adminpw --cfg.identities.allowremove --cfg.affiliations.allowremove'

3. 我们启动这个容器

docker-compose up -d ca-root

• 启动容器之后，我们进入在配置文件中给提前写好的映射目录，使用tree命令查看目录结构：
  
• ca-cert.pem 这是根CA的签名证书，自签发
• 94ced00344f8ab6868409931bab4932c7c25e5f8b071dab8bbc1f32b90b48fb1_sk是秘钥，签名用的
• 我们可以使用openssl查看证书的具体信息得到的内容如下所示：

openssl x509 -in ca-cert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:bb:83:44:f9:d8:b5:ca:c5:c7:5b:dd:7e:c6:bd:a1:1d:2f:a5:f9
    Signature Algorithm: ecdsa-with-SHA256
        # 签发证书方
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        # 证书的有效期
        Validity
            Not Before: Apr 20 05:31:00 2020 GMT
            Not After : Apr 17 05:31:00 2035 GMT
        # 证书的拥有方
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:f9:00:8b:11:af:96:95:21:9b:24:01:69:47:6b:
                    4f:10:15:b0:8d:8f:d8:1c:f8:63:41:c1:61:5c:07:
                    df:1a:b7:19:41:50:ca:49:ac:03:32:40:c8:24:74:
                    25:74:c5:04:fb:49:e5:3d:e3:cc:21:59:f3:98:13:
                    90:5f:0e:ff:27
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                97:5B:5B:D9:A0:FD:FF:A9:4C:F3:A7:AC:4D:8F:CB:ED:8B:0D:36:93
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6e:8e:7a:5c:0b:7e:24:e5:33:98:87:9b:f6:82:
         80:33:5e:cb:52:1f:6e:80:5e:58:d3:16:a1:b7:1e:f7:71:86:
         02:20:7e:ba:18:d0:b3:1d:27:32:51:44:46:c9:79:94:90:ef:
         95:a2:28:ab:e3:a4:34:52:af:b3:8f:dc:29:93:de:5d

• 想要使用docker通过根CA启动一个中间CA，但是遇到了错误，还没有找到解决方法

Error: POST failure of request: POST http://localhost:7054/enroll
{"hosts":["5df0ef180af8","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBYTCCAQgCAQAwXTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMQ4wDAYD\nVQQDEwVhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGr4wD78KxLrGfi1\nY8Oa1clOzPiPbQWVpxc9hZwETmqdTkEJCqTVMkjQNBw0/cc/svJq4vdo/mX/Y1DG\nv/fFEdqgSTBHBgkqhkiG9w0BCQ4xOjA4MCIGA1UdEQQbMBmCDDVkZjBlZjE4MGFm\nOIIJbG9jYWxob3N0MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwIDRwAw\nRAIgUj/bFQzxcHsyGuBvXkKCu+wcVcRZJORcEZhQpdqwdtoCIA+HJbjrVKHqfzL/\nNNj81punRsBnpFEJblscKoK2MLwZ\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://localhost:7054/enroll: dial tcp 127.0.0.1:7054: connect: connection refused

4. 启动一个中间CA

由于docker启动失败所以暂时用二进制文件代替：

# 注意在对应的文件夹下进行操作，否则就使用-M指定好，下面的一些操作同理
fabric-ca-server start -b admin:adminpw -p 7055 -u http://admin:adminpw@localhost:7054 -n org1 &

5. 我们enroll org1的管理员：

fabric-ca-client enroll --home ./org1caserver/admin --url http://admin:adminpw@localhost:7055

6. 查看生成的admin文件夹

.
├── admin
│   ├── fabric-ca-client-config.yaml
│   └── msp
│       ├── cacerts
│       │   └── localhost-7055.pem  # 根CA的证书
│       ├── intermediatecerts		# 组织CA的证书
│       │   └── localhost-7055.pem
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── keystore
│       │   └── 734538187ba7bcc624b4bb6d4678c9da92d6ba9b3ec170f48ca4dae27e4e5f30_sk
│       ├── signcerts
│       │   └── cert.pem			# 两个CA共同签发的管理员证书
│       └── user
├── ca-cert.pem						# 组织CA的证书
├── ca-chain.pem					# 根CA的证书和组织CA的证书
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── msp
    ├── cacerts
    ├── keystore
    │   ├── 57bc2ac30c5edb4a99eca50ac608b2d612c900192796102b6295227df5997d4b_sk
    │   ├── IssuerRevocationPrivateKey
    │   └── IssuerSecretKey
    ├── signcerts
    └── user

• 我们发现在admin下的msp中有两个证书的文件夹。他们分别是组织CA和根CA的证书。而signcerts下是管理员的证书
• 这里的管理员证书需要由根CA和中间CA共同签发：
• 验证：

openssl verify -verbose -CAfile ./admin/msp/cacerts/localhost-7055.pem -untrusted ./admin/msp/intermediatecerts/localhost-7055.pem ./admin/msp/signcerts/cert.pem

/admin/msp/intermediatecerts/localhost-7055.pem ./admin/msp/signcerts/cert.pem