1. To protect information in transit, Fabric can run its network communication in TLS mode, which means we have to generate the corresponding certificates. For why TLS needs certificates and how the handshake works, see the post on TLS secure network transport.
2. So far the Fabric certificates were generated by hand with the cryptogen tool. In a real deployment that does not work: every new user would need a fresh cryptogen run, and cryptogen is meant for test setups only. We need to issue certificates through Fabric CA instead.
Here we start the Fabric CA service with Docker, so the image has to be pulled first.
We pull hyperledger/fabric-ca:latest directly, as shown below (for anything beyond a lab, pin a release tag that matches your Fabric version rather than latest, so the CA does not silently change underneath you):
docker pull hyperledger/fabric-ca:latest
We start three CA servers, one each for Org1, Org2 and the orderer organization; the three are independent of one another. Write a docker-compose file for each. Note that none of them sets FABRIC_CA_SERVER_TLS_ENABLED, so the CAs serve plain HTTP; that is why the enrollment URLs further down start with http:// and carry the enrollment secrets in the clear. This is acceptable on localhost in a lab and nowhere else.
docker-compose-orderer.yaml
fabric-ca-server-orderer:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-orderer
  ports:
    - "9054:9054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=9054
    - FABRIC_CA_SERVER_CA_NAME=ca-orderer
    - COMPOSE_PROJECT_NAME=ca-orderer
  volumes:
    - "./fabric-ca-server-orderer:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org1.yaml
fabric-ca-server-org1:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org1
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - COMPOSE_PROJECT_NAME=ca-org1
  volumes:
    - "./fabric-ca-server-org1:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose-org2.yaml
fabric-ca-server-org2:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-org2
  ports:
    - "8054:8054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=8054
    - FABRIC_CA_SERVER_CA_NAME=ca-org2
    - COMPOSE_PROJECT_NAME=ca-org2
  volumes:
    - "./fabric-ca-server-org2:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
docker-compose -f docker-compose-orderer.yaml up -d
docker-compose -f docker-compose-org1.yaml up -d
docker-compose -f docker-compose-org2.yaml up -d
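Because the three files differ only in the CA name and port, the following generator, an added example rather than the tutorial's own files, writes all three from one template and at the same time fixes the two weak settings in them: FABRIC_CA_SERVER_TLS_ENABLED=true makes the CA serve its enrollment API over TLS (on first start fabric-ca-server then writes a self-signed tls-cert.pem into its home directory, which enrollment commands pass as --tls.certfiles against an https:// URL), and the bootstrap password is taken from a CA_ADMIN_PW variable that docker-compose substitutes from the host environment instead of being written into the file as adminpw. Image, ports, volume layout and bootstrap user name are the tutorial's; gen-ca-compose.sh and CA_ADMIN_PW are assumed names.

```sh
#!/bin/sh
# gen-ca-compose.sh: emit the tutorial's three fabric-ca-server compose files
# from one template. Added example, not the original post's files.
# Assumes: docker-compose substitutes ${CA_ADMIN_PW} from the host environment
# (so the bootstrap secret never sits in the file); FABRIC_CA_SERVER_TLS_ENABLED
# is the real fabric-ca-server switch for serving over TLS.

# ca_compose NAME PORT: print the compose definition for CA "ca-NAME" on PORT.
ca_compose() {
    name=$1
    port=$2
    cat <<EOF
fabric-ca-server-$name:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server-$name
  ports:
    - "$port:$port"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_PORT=$port
    - FABRIC_CA_SERVER_CA_NAME=ca-$name
    # Serve the enrollment API over TLS; the server self-generates
    # tls-cert.pem under FABRIC_CA_HOME on first start.
    - FABRIC_CA_SERVER_TLS_ENABLED=true
  volumes:
    - "./fabric-ca-server-$name:/etc/hyperledger/fabric-ca-server"
  # Bootstrap registrar; the password is substituted from the host's CA_ADMIN_PW.
  command: sh -c 'fabric-ca-server start -b admin:\${CA_ADMIN_PW}'
EOF
}

# has_tls FILE: succeed if a compose file turns the CA's TLS listener on.
# Useful for checking files written by hand, such as the tutorial's originals.
has_tls() {
    grep -q 'FABRIC_CA_SERVER_TLS_ENABLED=true' "$1"
}

# Usage: sh gen-ca-compose.sh write
# then:  CA_ADMIN_PW=change-me docker-compose -f docker-compose-org1.yaml up -d
if [ "${1:-}" = write ]; then
    ca_compose orderer 9054 > docker-compose-orderer.yaml
    ca_compose org1 7054 > docker-compose-org1.yaml
    ca_compose org2 8054 > docker-compose-org2.yaml
fi
```

Once the CAs run with TLS, every fabric-ca-client call below needs an https:// URL and --tls.certfiles pointing at the matching fabric-ca-server-*/tls-cert.pem, otherwise the client refuses the connection.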
Once the CA servers are up, three directories appear in the current folder: fabric-ca-server-org1, fabric-ca-server-org2 and fabric-ca-server-orderer. Each holds that CA's root certificate (ca-cert.pem) and its private key (under msp/keystore, here ff6a43faf30fefb3ddd47033e34318b93d580513eebc2bf0ca464f07f4ca01f4_sk). That key is the root of trust for the whole organization, since every MSP and TLS certificate issued below chains back to it, so keep the directory out of version control and readable only by the CA process. Note also that admin:adminpw from the compose file is now the bootstrap registrar, an identity that can register any other identity, so change that password before the port is reachable from anything but localhost. The directory layout is as follows:
To generate certificates we need the fabric-ca-client command. I built it by hand from the fabric-ca source, using the master branch (a release branch matching the server image is the safer choice, so that client and server agree on the protocol).
(1) Note:
This was my first Go project, and I found that the hyperledger fabric project must live in a fixed location, under Go's src/github.com/hyperledger directory. The same holds for fabric-ca: put it anywhere else and the build fails because the packages cannot be found. This is the classic GOPATH layout that Go used before modules, so the source has to sit at $GOPATH/src/github.com/hyperledger/fabric-ca.
In my case the Go directory is /home/zachen2/golang/go.
Inside it there is a src directory, and we have to create src/github.com/hyperledger by hand.
Then download the fabric-ca source into src/github.com/hyperledger, as shown below:
(2) Build
Enter the fabric-ca directory and run make fabric-ca-client.
When the build finishes, the fabric-ca-client binary is in fabric-ca's bin directory, as shown below:
The script below registers and enrolls the following identities against the three CAs:
Org1: one peer node, one admin, one user
Org2: one peer node, one admin, one user
orderer: three orderer nodes, one admin
#!/bin/bash
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/
./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 --caname ca-org1
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml
# Org1 peer0 MSP certificates
./fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts aa,peer0.org1.example.com
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org1.example.com
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
# Org1 user certificates
./fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp/config.yaml
# Org1 admin certificates
./fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp
./fabric-ca-client enroll -u http://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp/config.yaml
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/
./fabric-ca-client enroll -u http://admin:adminpw@localhost:8054 --caname ca-org2
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml
# Org2 peer0 MSP certificates
./fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"'
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts aa,peer0.org2.example.com
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp
./fabric-ca-client enroll -u http://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts aa,peer0.org2.example.com
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem
mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem
# Org2 user certificates
./fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"'
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp
./fabric-ca-client enroll -u http://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp/config.yaml
# Org2 admin certificates
./fabric-ca-client register --caname ca-org2 --id.name org2admin --id.secret org2adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://org2admin:org2adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp
./fabric-ca-client enroll -u http://org2admin:org2adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls --enrollment.profile tls
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/client.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/tls/client.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp/config.yaml
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com
./fabric-ca-client enroll -u http://admin:adminpw@localhost:9054 --caname ca-orderer
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml
# orderer certificates
./fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts aa,orderer.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
mkdir ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/ca.crt
# orderer2 certificates
./fabric-ca-client register --caname ca-orderer --id.name orderer2 --id.secret orderer2pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --csr.hosts aa,orderer2.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer2.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
# orderer3 certificates
./fabric-ca-client register --caname ca-orderer --id.name orderer3 --id.secret orderer3pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"'
./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp --csr.hosts aa,orderer3.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/config.yaml
./fabric-ca-client enroll -u http://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls --enrollment.profile tls --csr.hosts aa,orderer3.example.com
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.key
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
# orderer admin certificates
./fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"'
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/msp
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/msp/config.yaml
./fabric-ca-client enroll -u http://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls --enrollment.profile tls
cp ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/client.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/tls/client.key
(1) About the --csr.hosts parameter
From what I found, this parameter ends up in the certificate's X509v3 Subject Alternative Name extension, which lists the host names the certificate is valid for; one certificate can cover several names. It matters for TLS because a peer, orderer or SDK client that dials peer0.org1.example.com checks that name against the server certificate's SAN, so a missing name means a failed handshake.
In the commands above I set the first --csr.hosts entry to aa everywhere, for this reason:
1. If I set a single proper name (for example orderer.example.com), that name gets replaced by my machine's hostname (I do not yet know why), and the Subject Alternative Name ends up wrong.
2. If I set --csr.hosts to aa,orderer.example.com, only the first entry aa is replaced, and the following orderer.example.com is kept correctly, as the figure shows:
The command to dump the certificate: openssl x509 -in server.crt -noout -text
The red box in the figure is the Subject Alternative Name: the aa entry is not there, it was replaced by zachen2-VirtualBox (the hostname of my Ubuntu machine). That hostname comes from the fabric-ca-client-config.yaml that fabric-ca-client writes into FABRIC_CA_CLIENT_HOME on first use, whose csr.hosts entry is seeded with the local hostname.
So to avoid the problem I prefix every --csr.hosts with the throwaway name aa, so that the name I actually want is not replaced. Whichever way you do it, dump every server.crt afterwards and confirm the real host name is in the SAN before starting the node.
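The verification the point above calls for, as an added example that is not part of the original post: a small shell script that dumps the SAN of a node's server.crt and checks both that the expected DNS name is present and that the certificate chains to the ca.crt the node's peers will trust. It assumes OpenSSL is installed (1.1.1 or newer for the built-in self-test) and the tutorial's tls/ directory layout; check-tls.sh is an assumed file name, and the fixture it builds when run without arguments is constructed test data standing in for fabric-ca-client output.

```sh
#!/bin/sh
# check-tls.sh: verify a node's tls/ directory after enrollment. Added example,
# not from the original post. Assumes OpenSSL is installed (1.1.1+ for the
# self-test) and the tutorial's layout: tls/server.crt signed by the CA whose
# certificate was copied to tls/ca.crt.

# san_has CERT NAME: succeed if CERT's Subject Alternative Name lists DNS:NAME.
# Exact match on the whole entry, so "aa" does not match "aa.example.com".
san_has() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

# chains_to CA CERT: succeed if CERT verifies against the CA certificate CA.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_node_tls DIR NAME: what a peer or orderer needs before it can be dialled
# as NAME over TLS: the SAN must carry NAME and server.crt must chain to the
# ca.crt its clients will trust.
check_node_tls() {
    san_has "$1/server.crt" "$2" \
        || { echo "$1/server.crt: SAN does not contain DNS:$2"; return 1; }
    chains_to "$1/ca.crt" "$1/server.crt" \
        || { echo "$1/server.crt: does not chain to $1/ca.crt"; return 1; }
    echo "$1: SAN has DNS:$2 and server.crt chains to ca.crt"
}

# make_fixture DIR: constructed test data standing in for fabric-ca-client's
# output: a throwaway TLS CA and a leaf whose SAN mirrors the tutorial's
# "--csr.hosts aa,peer0.org1.example.com". -config keeps the system openssl.cnf
# out of the picture so the extensions are exactly the ones listed here.
make_fixture() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = test-tlsca\n[v3_ca]\nbasicConstraints = critical,CA:true\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1/ca.cnf"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = peer0\n[v3_leaf]\nsubjectAltName = DNS:aa,DNS:peer0.org1.example.com\n' > "$1/leaf.cnf"
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -config "$1/leaf.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/leaf.cnf" -extensions v3_leaf \
        -out "$1/server.crt" 2>/dev/null
}

# Usage: sh check-tls.sh <tls-dir> <dns-name>, for example
#   sh check-tls.sh organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls peer0.org1.example.com
# Without arguments it exercises the checks on the constructed fixture.
if [ $# -eq 2 ]; then
    check_node_tls "$1" "$2"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d) && make_fixture "$tmp" && check_node_tls "$tmp" peer0.org1.example.com
    rm -rf "$tmp"
fi
```

Run it once per node directory (peer0 of each org and all three orderers) with the name you put in --csr.hosts and in the node's configuration; a failing SAN check here is the hostname-override problem above showing up before a node starts refusing TLS connections.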
(2) The many cp commands in the script above are essential and cannot be left out. In particular config.yaml must be generated and copied into every MSP directory: it holds the NodeOUs rules that let the MSP classify an identity as client, peer, admin or orderer from the OU in its certificate, and without it the organization has no recognised admin, so the later step that builds genesis.block fails. Also note that the files copied into tls/ as server.key and client.key are private keys; keep their permissions tight (owner read-only) and keep them, like the CA's own key, out of any repository.