注意：本文以 Fabric CA 构建证书素材；每次 enroll 都会重新签发证书，替换原有证书。
启动 CA server，用于签发 OrdererOrg 的证书及 client 用户。
server 目录及启动命令如下：
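# Enrollment CA for OrdererOrg. `-b user:pass` is the bootstrap admin identity;
# the page keeps the default admin:adminpw, and the secret is visible in shell
# history and `ps`. The server is started without --tls.enabled, so clients
# reach it over plain http — acceptable only on a single dev host, which is all
# this page targets (every address below is localhost / 0.0.0.0).
cd -- "$HOME/work/example/ca/order/ca" || exit 1   # unchecked, a failed cd would start the CA (and write its state) in the wrong directory
fabric-ca-server start -b admin:adminpw --port 7054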
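# Enroll the CA bootstrap admin into its own client home, then register the two
# OrdererOrg identities that are enrolled further down.
client_home="$HOME/work/example/ca/order/ca_client"
mkdir -p -- "$client_home"
cd -- "$client_home" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# The secret travels in the URL over plain http and stays in shell history:
# dev host only. On a shared host start the CA with --tls.enabled and use
# https:// with --tls.certfiles on the client.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 || exit 1   # registrations below need the admin's enrollment cert
# orderer node
fabric-ca-client register -d --id.name orderer.example.com --id.secret orderPW --id.type orderer -u http://0.0.0.0:7054
# OrdererOrg organisation admin
# (both identities share the secret orderPW; give each its own, or omit
# --id.secret and let the CA generate one)
fabric-ca-client register -d --id.name admin1 --id.secret orderPW --id.type client -u http://0.0.0.0:7054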
orderer 节点的 MSP：
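# Enroll the orderer node's MSP identity (registered as orderer.example.com with secret orderPW).
orderer_msp="$HOME/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp"
mkdir -p -- "$orderer_msp"   # the page never creates this directory; an unchecked cd would enroll into the previous cwd
cd -- "$orderer_msp" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# The page renders this URL garbled ("[email protected]"); user, secret and CA
# address are the ones from the register step. Secret in the URL over plain
# http: dev host only.
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7054 -M .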
admin 账号（admin1）的 MSP：
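# Enroll the OrdererOrg admin (admin1) and copy its cert into its own admincerts/.
admin_msp="$HOME/work/example/organizations/ordererOrganizations/example.com/users/admin1/msp"
mkdir -p -- "$admin_msp"   # the page never creates this directory
cd -- "$admin_msp" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# URL garbled on the page ("[email protected]"); values taken from the register
# step. Secret in the URL over plain http: dev host only.
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7054 -M . || exit 1   # signcerts/cert.pem only exists after a successful enroll
mkdir -p admincerts   # plain mkdir fails on a re-run
cp -- signcerts/cert.pem admincerts/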
将 admin 证书放入 orderer 节点 MSP 和组织 MSP 的 admincerts 中，并复制 CA 根证书：
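# Distribute the OrdererOrg admin cert (orderer node MSP and org MSP) and the
# enrollment CA's root cert (org MSP). The org-level msp/admincerts and
# msp/cacerts directories are never created on the page, so the original
# `cd` into them fails and the following `cp` lands in the wrong place.
org_dir="$HOME/work/example/organizations/ordererOrganizations/example.com"
orderer_msp="$org_dir/orderers/orderer.example.com/msp"
admin_cert="$org_dir/users/admin1/msp/signcerts/cert.pem"
ca_cert="$HOME/work/example/ca/order/ca/ca-cert.pem"

mkdir -p -- "$orderer_msp/admincerts" "$org_dir/msp/admincerts" "$org_dir/msp/cacerts"
cp -- "$admin_cert" "$orderer_msp/admincerts/" || exit 1
cp -- "$admin_cert" "$org_dir/msp/admincerts/" || exit 1
# only the root cert goes into cacerts/; never copy the CA's key material
cp -- "$ca_cert" "$org_dir/msp/cacerts/" || exit 1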
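# TLS CA for OrdererOrg (separate from the enrollment CA on 7054). Same caveats:
# default bootstrap secret on the command line, and no --tls.enabled, so
# enrollment secrets cross the wire in cleartext — dev host only.
cd -- "$HOME/work/example/ca/order/tls" || exit 1   # a failed cd would start this CA on top of another CA's state
fabric-ca-server start -b admin:adminpw --port 7055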
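# Enroll the TLS CA bootstrap admin and register the same two identities with
# the TLS CA so they can obtain TLS certs.
client_home="$HOME/work/example/ca/order/tls_client"
mkdir -p -- "$client_home"
cd -- "$client_home" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# Bootstrap secret in the URL over plain http (and in shell history): dev host only.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7055 || exit 1
fabric-ca-client register -d --id.name orderer.example.com --id.secret orderPW --id.type orderer -u http://0.0.0.0:7055
# shares the secret with the orderer identity; use distinct secrets outside a throw-away setup
fabric-ca-client register -d --id.name admin1 --id.secret orderPW --id.type client -u http://0.0.0.0:7055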
首先完善 OrdererOrg 的 MSP（放入 TLS CA 根证书）：
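# Put the TLS CA root cert into the OrdererOrg MSP. The tlscacerts directory is
# never created on the page, so the original cd fails and the cp goes astray.
tlscacerts="$HOME/work/example/organizations/ordererOrganizations/example.com/msp/tlscacerts"
mkdir -p -- "$tlscacerts"
cp -- "$HOME/work/example/ca/order/tls/ca-cert.pem" "$tlscacerts/" || exit 1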
分别为 orderer 和 admin 签发 TLS 证书：
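# Issue TLS certs for the orderer node and for admin1 from the TLS CA (7055),
# then give the generated private key the fixed name the node config expects.
org_dir="$HOME/work/example/organizations/ordererOrganizations/example.com"

# Rename the single freshly issued key to keystore/server.key.
# The page's `mv keystore/* keystore/server.key` errors out (or, when the
# directory is empty, moves nothing) as soon as more than one key is present —
# a re-enroll adds another file — so insist on exactly one.
rename_tls_key() {
  local keys=(keystore/*)
  if (( ${#keys[@]} != 1 )) || [[ ! -e "${keys[0]}" ]]; then
    printf 'expected exactly one key in %s/keystore, found: %s\n' "$PWD" "${keys[*]}" >&2
    return 1
  fi
  mv -- "${keys[0]}" keystore/server.key
  chmod 600 keystore/server.key   # private key: owner-only
}

orderer_tls="$org_dir/orderers/orderer.example.com/tls"
mkdir -p -- "$orderer_tls"   # never created on the page
cd -- "$orderer_tls" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# --csr.hosts is mandatory here (the page's own warning): without it the issued
# TLS cert is unusable for the node — presumably because the hostname is absent
# from its SANs. URL garbled on the page; values come from the register step.
# Secret in the URL over plain http: dev host only.
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7055 -M "$FABRIC_CA_CLIENT_HOME" --csr.hosts orderer.example.com || exit 1
rename_tls_key || exit 1

admin_tls="$org_dir/users/admin1/tls"
mkdir -p -- "$admin_tls"
cd -- "$admin_tls" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# NOTE(review): the page gives the admin's client TLS cert the orderer's
# hostname as a SAN, so a TLS verifier trusting this CA would also accept it as
# a server cert for orderer.example.com. Keep only if your tooling needs a host
# here; a narrower value is safer.
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7055 -M "$FABRIC_CA_CLIENT_HOME" --csr.hosts orderer.example.com || exit 1
rename_tls_key || exit 1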
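# Enrollment CA for Org1. Default bootstrap secret on the command line and no
# --tls.enabled (cleartext enrollment): dev host only.
cd -- "$HOME/work/example/ca/org1/ca" || exit 1   # a failed cd would start this CA on top of another CA's state
fabric-ca-server start -b admin:adminpw --port 7056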
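# Enroll the Org1 CA bootstrap admin and register the peer and the org admin.
client_home="$HOME/work/example/ca/org1/ca_client"
mkdir -p -- "$client_home"
cd -- "$client_home" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# Bootstrap secret in the URL over plain http (and in shell history): dev host only.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7056 || exit 1
# Org admin identity name. The page renders it garbled ("[email protected]");
# Admin@org1.example.com is Fabric's conventional name — adjust if yours differs.
org1_admin='Admin@org1.example.com'
# hf.GenCRL lets the identity generate CRLs; the ":ecert" suffix places the
# attribute in its enrollment certificate. Both identities share the secret
# peerPW; prefer distinct secrets (or omit --id.secret) outside a throw-away setup.
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056
fabric-ca-client register -d --id.name "$org1_admin" --id.secret peerPW --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056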
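# Enroll peer0's MSP identity and the Org1 admin's MSP identity.
org_dir="$HOME/work/example/organizations/peerOrganizations/org1.example.com"
# The admin name is garbled on the page ("[email protected]"); Admin@org1.example.com
# is the conventional name — it must match what was registered with the CA.
org1_admin='Admin@org1.example.com'

peer_msp="$org_dir/peers/peer0.org1.example.com/msp"
mkdir -p -- "$peer_msp"   # never created on the page; an unchecked cd would enroll into the previous cwd
cd -- "$peer_msp" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# URL garbled on the page; values from the register step. Secret in the URL
# over plain http: dev host only.
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7056 -M . || exit 1

admin_msp="$org_dir/users/$org1_admin/msp"
mkdir -p -- "$admin_msp"
cd -- "$admin_msp" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u "http://$org1_admin:peerPW@0.0.0.0:7056" -M . || exit 1   # signcerts/cert.pem only exists after a successful enroll
mkdir -p admincerts
cp -- signcerts/cert.pem admincerts/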
在 peer 节点 MSP 及组织 MSP 中加入 admin 证书和 CA 根证书：
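# Distribute the Org1 admin cert (peer MSP and org MSP) and the enrollment CA's
# root cert (org MSP); tlscacerts is created here and filled later.
org_dir="$HOME/work/example/organizations/peerOrganizations/org1.example.com"
# Admin name garbled on the page ("[email protected]"); conventional value, confirm against your enroll step.
org1_admin='Admin@org1.example.com'
peer_msp="$org_dir/peers/peer0.org1.example.com/msp"
admin_cert="$org_dir/users/$org1_admin/msp/signcerts/cert.pem"
ca_cert="$HOME/work/example/ca/org1/ca/ca-cert.pem"

# mkdir -p so a re-run and a missing parent directory both work; the original
# unchecked cd would otherwise copy into whatever directory the shell was in.
mkdir -p -- "$peer_msp/admincerts" "$org_dir/msp/admincerts" "$org_dir/msp/cacerts" "$org_dir/msp/tlscacerts"
cp -- "$admin_cert" "$peer_msp/admincerts/" || exit 1
cp -- "$admin_cert" "$org_dir/msp/admincerts/" || exit 1
# only the root cert goes into cacerts/; never copy the CA's key material
cp -- "$ca_cert" "$org_dir/msp/cacerts/" || exit 1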
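# TLS CA for Org1. Default bootstrap secret on the command line and no
# --tls.enabled (cleartext enrollment): dev host only.
cd -- "$HOME/work/example/ca/org1/tls" || exit 1   # a failed cd would start this CA on top of another CA's state
fabric-ca-server start -b admin:adminpw --port 7057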
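# Enroll the Org1 TLS CA bootstrap admin and register peer0 and the org admin
# with the TLS CA.
client_home="$HOME/work/example/ca/org1/tls_client"
mkdir -p -- "$client_home"
cd -- "$client_home" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# Bootstrap secret in the URL over plain http (and in shell history): dev host only.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7057 || exit 1
# Admin name garbled on the page ("[email protected]"); conventional value, adjust if yours differs.
org1_admin='Admin@org1.example.com'
# shared secret peerPW for both identities: acceptable only in a throw-away setup
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057
fabric-ca-client register -d --id.name "$org1_admin" --id.secret peerPW --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057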
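# Issue TLS certs for peer0 and for the Org1 admin from the TLS CA (7057),
# rename the generated keys, and install the TLS CA root cert in the org MSP.
org_dir="$HOME/work/example/organizations/peerOrganizations/org1.example.com"
# Admin name garbled on the page ("[email protected]"); conventional value, confirm against the register step.
org1_admin='Admin@org1.example.com'

# Rename the single freshly issued key to keystore/server.key.
# The page's `mv keystore/* keystore/server.key` errors out once more than one
# key file exists (a re-enroll adds another), so insist on exactly one.
rename_tls_key() {
  local keys=(keystore/*)
  if (( ${#keys[@]} != 1 )) || [[ ! -e "${keys[0]}" ]]; then
    printf 'expected exactly one key in %s/keystore, found: %s\n' "$PWD" "${keys[*]}" >&2
    return 1
  fi
  mv -- "${keys[0]}" keystore/server.key
  chmod 600 keystore/server.key   # private key: owner-only
}

peer_tls="$org_dir/peers/peer0.org1.example.com/tls"
mkdir -p -- "$peer_tls"   # never created on the page
cd -- "$peer_tls" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# --csr.hosts puts the peer's hostname into the cert (required for TLS peers to
# trust it). URL garbled on the page; values from the register step. Secret in
# the URL over plain http: dev host only.
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7057 -M . --csr.hosts peer0.org1.example.com || exit 1
rename_tls_key || exit 1

admin_tls="$org_dir/users/$org1_admin/tls"
mkdir -p -- "$admin_tls"
cd -- "$admin_tls" || exit 1
export FABRIC_CA_CLIENT_HOME=$PWD
# NOTE(review): the admin's client TLS cert gets the peer's hostname as a SAN and
# could therefore also pass as a server cert for peer0 under this TLS CA; use a
# narrower value unless your tooling needs it.
fabric-ca-client enroll -u "http://$org1_admin:peerPW@0.0.0.0:7057" -M . --csr.hosts peer0.org1.example.com || exit 1
rename_tls_key || exit 1

mkdir -p -- "$org_dir/msp/tlscacerts"
cp -- "$HOME/work/example/ca/org1/tls/ca-cert.pem" "$org_dir/msp/tlscacerts/" || exit 1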
如果 MSP 目录中没有 config.yaml（NodeOUs 配置），可能导致 peer 与 orderer 通信失败。
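# Edit the OrdererOrg org-level MSP config.yaml (NodeOUs); content follows.
org_msp="$HOME/work/example/organizations/ordererOrganizations/example.com/msp"
mkdir -p -- "$org_msp"
cd -- "$org_msp" || exit 1   # unchecked, the file would be created in the wrong directory
vim config.yaml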
内容如下
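# OrdererOrg org-level MSP: classify identities by the OU in their certificate.
# The page shows this block with its indentation lost; as flat keys it is not
# the structure Fabric reads. Certificate must name a file that actually exists
# in this MSP's cacerts/ (ca-cert.pem was copied there earlier).
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer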
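# Edit the orderer node's local MSP config.yaml (NodeOUs); content follows.
orderer_msp="$HOME/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp"
mkdir -p -- "$orderer_msp"
cd -- "$orderer_msp" || exit 1   # unchecked, the file would be created in the wrong directory
vim config.yaml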
内容如下
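# Orderer node local MSP. Indentation restored (the page shows it flattened).
# Certificate points at the CA cert fabric-ca-client wrote during enroll, named
# after the CA address (0-0-0-0-7054.pem) — check the actual file name in cacerts/.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: orderer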
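# Edit the Org1 org-level MSP config.yaml (NodeOUs); content follows.
org_msp="$HOME/work/example/organizations/peerOrganizations/org1.example.com/msp"
mkdir -p -- "$org_msp"
cd -- "$org_msp" || exit 1   # unchecked, the file would be created in the wrong directory
vim config.yaml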
内容如下
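# Org1 org-level MSP. Indentation restored (the page shows it flattened).
# Certificate must name the root cert copied into this MSP's cacerts/.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer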
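# Edit peer0's local MSP config.yaml (NodeOUs); content follows.
peer_msp="$HOME/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp"
mkdir -p -- "$peer_msp"
cd -- "$peer_msp" || exit 1   # unchecked, the file would be created in the wrong directory
vim config.yaml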
内容如下
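# peer0 local MSP. Indentation restored (the page shows it flattened).
# Certificate points at the CA cert fabric-ca-client wrote during enroll, named
# after the CA address (0-0-0-0-7056.pem) — check the actual file name in cacerts/.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: orderer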
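# Peer CLI environment for acting as the Org1 admin against peer0 over TLS.
# The page builds every path from ${PWD}/.., i.e. it assumes the shell sits in
# a directory directly under ~/work/example; set base explicitly if not.
base="${PWD}/../organizations"
# Admin name garbled on the page ("[email protected]"); Admin@org1.example.com is
# the conventional name — it must match the identity enrolled earlier.
org1_admin='Admin@org1.example.com'

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
# TLS CA root for Org1 (file written by fabric-ca-client, named after the CA address)
export CORE_PEER_TLS_ROOTCERT_FILE="$base/peerOrganizations/org1.example.com/users/$org1_admin/tls/cacerts/0-0-0-0-7057.pem"
export CORE_PEER_MSPCONFIGPATH="$base/peerOrganizations/org1.example.com/users/$org1_admin/msp"
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
# TLS CA root used to verify the orderer's server cert
export ORDERER_TLSCA="$base/ordererOrganizations/example.com/orderers/orderer.example.com/tls/cacerts/0-0-0-0-7055.pem"

# Fail early instead of at the first peer command if the relative base is wrong.
for f in "$CORE_PEER_TLS_ROOTCERT_FILE" "$ORDERER_TLSCA" "$CORE_PEER_MSPCONFIGPATH/config.yaml"; do
  [[ -r "$f" ]] || printf 'warning: %s not found — check the base path\n' "$f" >&2
done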