Creating the certificates Hyperledger Fabric needs from scratch with Fabric CA

Note: when the certificate material is built with Fabric CA, every enroll of an identity issues a fresh key pair and certificate: signcerts/cert.pem is overwritten and a new key file appears in keystore/, so the mv keystore/* renames below assume a single enrollment. By default an identity can be enrolled an unlimited number of times by anyone who knows its secret, so register with --id.maxenrollments 1 unless re-enrollment is intended, and give each identity its own secret rather than sharing orderPW/peerPW as this walkthrough does for brevity.

I. OrdererOrg certificates

1. Start the Fabric CA server for node and user identities

Start the CA server that will issue OrdererOrg's node certificates and client (user) identities.

The walkthrough runs the server without TLS and with the bootstrap identity admin:adminpw (-b), the well-known default, so every enroll and register below sends its secret over plain HTTP to localhost. Outside a throwaway lab, change the bootstrap password, start the server with --tls.enabled, and point fabric-ca-client at https:// with --tls.certfiles <server TLS cert>.

Server directory and start command:

cd ~/work/example/ca/order/ca
fabric-ca-server start  -b admin:adminpw --port 7054

2. Enroll the admin client

cd ~/work/example/ca/order/ca_client
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

3. Register the identities

# the orderer node
fabric-ca-client register -d --id.name orderer.example.com --id.secret orderPW --id.type orderer -u http://0.0.0.0:7054
# OrdererOrg's organisation admin. Registered as type client, its certificate carries OU=client and it is
# recognised as an admin only through the admincerts folders filled below; registering it with
# --id.type admin instead gives OU=admin, which the AdminOUIdentifier in config.yaml (section III) matches
fabric-ca-client register -d --id.name admin1 --id.secret orderPW --id.type client -u http://0.0.0.0:7054

4. Obtain the certificates for the orderer node and the admin admin1

The orderer node

cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7054 -M .

The admin identity

cd ~/work/example/organizations/ordererOrganizations/example.com/users/admin1/msp
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7054 -M .
mkdir admincerts
cp signcerts/cert.pem admincerts/

Put the admin certificate into the orderer node's local MSP

cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
mkdir admincerts
cp ../../../users/admin1/msp/signcerts/cert.pem admincerts/

5. Build OrdererOrg's organisation MSP

cd ~/work/example/organizations/ordererOrganizations/example.com/msp
mkdir -p admincerts cacerts tlscacerts
cp ../users/admin1/msp/signcerts/cert.pem admincerts/
cp ~/work/example/ca/order/ca/ca-cert.pem cacerts/

6. Start the TLS CA server

cd ~/work/example/ca/order/tls
fabric-ca-server start  -b admin:adminpw --port 7055

7. Enroll the TLS admin and register the TLS identities

cd ~/work/example/ca/order/tls_client
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://admin:adminpw@localhost:7055

fabric-ca-client register -d --id.name orderer.example.com --id.secret orderPW --id.type orderer -u http://0.0.0.0:7055
fabric-ca-client register -d --id.name admin1 --id.secret orderPW --id.type client -u http://0.0.0.0:7055

8. Obtain the TLS certificates

First add the TLS CA's root certificate to OrdererOrg's organisation MSP

mkdir -p ~/work/example/organizations/ordererOrganizations/example.com/msp/tlscacerts
cd ~/work/example/organizations/ordererOrganizations/example.com/msp/tlscacerts
cp ~/work/example/ca/order/tls/ca-cert.pem .

Then obtain the TLS certificates for the orderer and the admin

cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls
export FABRIC_CA_CLIENT_HOME=$PWD
# --csr.hosts is mandatory here: it puts orderer.example.com into the certificate's Subject Alternative Name.
# Without it the server certificate carries no name for the orderer, and peers and CLI clients that
# connect over TLS reject it during hostname verification.
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7055 -M $FABRIC_CA_CLIENT_HOME --csr.hosts orderer.example.com
# keystore/ holds one <SKI>_sk file after a single enroll; give it the name the orderer's TLS config will reference
mv keystore/* keystore/server.key
cd ~/work/example/organizations/ordererOrganizations/example.com/users/admin1/tls
export FABRIC_CA_CLIENT_HOME=$PWD
# --csr.hosts again (harmless on a client certificate, whose SAN the server does not check)
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7055 -M $FABRIC_CA_CLIENT_HOME --csr.hosts orderer.example.com
mv keystore/* keystore/server.key

II. Org1 certificates

1. Start the Fabric CA server for node and user identities

cd ~/work/example/ca/org1/ca
fabric-ca-server start  -b admin:adminpw --port 7056

2. Enroll the admin and register the identities

The Org1 admin's enrollment ID is written below as Admin@org1.example.com (the name cryptogen uses; the page's rendering of the name was garbled, so the exact spelling is an assumption). It must be spelled identically in register, in the enroll URL and in the users/ directory name. hf.GenCRL=true lets the identity generate CRLs, and the :ecert suffix copies the attribute into its enrollment certificate.

cd ~/work/example/ca/org1/ca_client
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://admin:adminpw@localhost:7056
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW  --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056
fabric-ca-client register -d --id.name Admin@org1.example.com --id.secret peerPW  --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056

3. Obtain the peer node and admin certificates

cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7056 -M .
cd ~/work/example/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://Admin@org1.example.com:peerPW@0.0.0.0:7056 -M .
mkdir admincerts
cp signcerts/cert.pem admincerts/

Add the admin to the peer's local MSP

cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
mkdir admincerts 
cp ../../../users/Admin@org1.example.com/msp/signcerts/cert.pem admincerts/

4. Create Org1's organisation MSP

cd ~/work/example/organizations/peerOrganizations/org1.example.com/msp
mkdir admincerts cacerts tlscacerts
cp ../users/Admin@org1.example.com/msp/signcerts/cert.pem admincerts/
cp ~/work/example/ca/org1/ca/ca-cert.pem cacerts/

5. Start Org1's TLS Fabric CA server

cd ~/work/example/ca/org1/tls
fabric-ca-server start  -b admin:adminpw --port 7057

6. Enroll the TLS server's admin and register the identities

cd ~/work/example/ca/org1/tls_client
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://admin:adminpw@localhost:7057
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW  --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057
fabric-ca-client register -d --id.name Admin@org1.example.com --id.secret peerPW  --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057

7. Obtain the TLS certificates for the identities

cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7057 -M . --csr.hosts peer0.org1.example.com
mv keystore/* keystore/server.key
cd ~/work/example/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls
export FABRIC_CA_CLIENT_HOME=$PWD
fabric-ca-client enroll -u http://Admin@org1.example.com:peerPW@0.0.0.0:7057 -M . --csr.hosts peer0.org1.example.com
mv keystore/* keystore/server.key

8. Complete Org1's MSP

cd ~/work/example/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ~/work/example/ca/org1/tls/ca-cert.pem .

III. Add config.yaml to each MSP

Without a config.yaml the MSP has no NodeOUs classification: it cannot tell from a certificate's OU whether the holder is a client, peer, admin or orderer, so policies written in terms of those roles do not match and peer-to-orderer communication may fail. Each Certificate entry must name the CA root file exactly as it is stored inside that MSP's cacerts directory.

1. The ordering organisation's config.yaml

cd ~/work/example/organizations/ordererOrganizations/example.com/msp
vim config.yaml
with the following content:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer

2. The orderer node's local MSP in the ordering organisation

fabric-ca-client names the CA certificate it downloads after the server address, dots replaced by dashes and the port appended, so a node enrolled from 0.0.0.0:7054 has cacerts/0-0-0-0-7054.pem and that is the file config.yaml must reference here (the organisation MSPs use ca-cert.pem because that file was copied straight from the server directory).

cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
vim config.yaml
with the following content:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: orderer

3. Organisation org1's MSP

cd ~/work/example/organizations/peerOrganizations/org1.example.com/msp
vim config.yaml
with the following content:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer

4. Organisation org1's peer node

cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
vim config.yaml
with the following content:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: orderer
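
Once the material above exists it is worth checking it before the nodes are started, because the mistakes this page warns about (a TLS certificate enrolled without --csr.hosts, an MSP whose cacerts came from the wrong server, an admin whose OU does not match the NodeOUs mapping) only surface later as opaque TLS handshake or policy failures. The Go program below is an added example, not code from the original post or from Fabric. It builds its own throwaway CA and certificates in memory (constructed test material; names such as ca.example.com are assumptions) so it runs offline, and applies the three checks a peer or orderer would apply to the real files: chain to the cacerts/tlscacerts root, hostname present in the SAN, and NodeOUs role classification. To check real output, pass the bytes of signcerts/cert.pem and the cacerts file to verifyCert and classify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// nodeOUs is config.yaml's NodeOUs reduced to "OU written from --id.type -> Fabric role".
var nodeOUs = map[string]string{"client": "client", "peer": "peer", "admin": "admin", "orderer": "orderer"}
// parseCert reads one PEM certificate such as signcerts/cert.pem.
func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}
// issue signs tmpl for a fresh P-256 key (Fabric's default curve) with parentKey; nil parentKey = self-signed. Constructed test material.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	cert, _ := parseCert(pemBytes)
	return cert, pemBytes, key
}
// newRootCA stands in for the ca-cert.pem that a fabric-ca-server writes (assumed name, test material).
func newRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	cert, pemBytes, key := issue(tmpl, tmpl, nil)
	return cert, key, pemBytes
}
// issueLeaf mimics an enroll: CN = enrollment ID, OU = registered --id.type, hosts = SAN (nil = enrolled without --csr.hosts).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id, ou string, hosts []string) []byte {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: id, OrganizationalUnit: []string{ou}},
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: hosts}
	_, pemBytes, _ := issue(tmpl, ca, caKey)
	return pemBytes
}
// verifyCert checks that leafPEM (signcerts/cert.pem) chains to rootPEM (cacerts/ or tlscacerts/)
// and, for host != "", that a TLS client would accept it for that host: the name must be in the SAN.
func verifyCert(leafPEM, rootPEM []byte, host string) (*x509.Certificate, error) {
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // an empty pool makes Verify fail with "unknown authority"
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = leaf.Verify(opts); err == nil && host != "" {
		err = leaf.VerifyHostname(host)
	}
	return leaf, err
}
// classify applies NodeOUs as the MSP does: the certificate must chain to the configured CA and
// carry exactly one OU that maps to a role (what OrdererMSP.orderer or Org1MSP.admin match on).
func classify(leafPEM, rootPEM []byte) (string, error) {
	leaf, err := verifyCert(leafPEM, rootPEM, "")
	if err != nil {
		return "", err
	}
	var roles []string
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if r, ok := nodeOUs[ou]; ok {
			roles = append(roles, r)
		}
	}
	if len(roles) != 1 {
		return "", fmt.Errorf("OU=%v maps to %v, need exactly one NodeOU role", leaf.Subject.OrganizationalUnit, roles)
	}
	return roles[0], nil
}

func main() {
	ca, caKey, caPEM := newRootCA("ca.example.com")
	_, sanErr := verifyCert(issueLeaf(ca, caKey, "orderer.example.com", "orderer", nil), caPEM, "orderer.example.com")
	fmt.Println("enrolled without --csr.hosts:", sanErr) // hostname verification fails
	fmt.Println(classify(issueLeaf(ca, caKey, "orderer.example.com", "orderer", []string{"orderer.example.com"}), caPEM))
	fmt.Println(classify(issueLeaf(ca, caKey, "admin1", "client", nil), caPEM)) // client, not admin
}
```

The last classify call returns client, not admin: an identity registered with --id.type client is an admin only through the admincerts folders, whereas --id.type admin would give it the OU that the AdminOUIdentifier matches. Verifying a certificate against the root of the other CA (the MSP CA's cert against tlscacerts, or vice versa) fails the chain check, which is the symptom of copying the wrong ca-cert.pem.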

IV. Environment variables for the cli when interacting with chaincode

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
# the TLS root files are the TLS CA certificates fabric-ca-client saved under tls/cacerts, not the node certificates
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/../organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/cacerts/0-0-0-0-7057.pem
export CORE_PEER_MSPCONFIGPATH=${PWD}/../organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051

export ORDERER_TLSCA=${PWD}/../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/cacerts/0-0-0-0-7055.pem
