Starting the Org1 organization CAs with the Hyperledger Fabric binaries
Deploy the Org1 TLS CA
./fabric-ca-server init -b tlscaadmin:tlscaadminpw
Edit the fabric-ca-server-config.yaml configuration file
Start the Org1 TLS CA
nohup ./fabric-ca-server start > org1-tls-ca.log 2>&1 &
tail -f org1-tls-ca.log
2022/03/08 21:49:43 [INFO] The Idemix issuer revocation public and secret key files already exist
2022/03/08 21:49:43 [INFO] private key file location: /usr/project/fabric-ca/org1-ca/tls-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/08 21:49:43 [INFO] public key file location: /usr/project/fabric-ca/org1-ca/tls-ca/IssuerRevocationPublicKey
2022/03/08 21:49:43 [DEBUG] Intializing nonce manager for issuer 'org1-tls-ca'
2022/03/08 21:49:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/tls-ca
2022/03/08 21:49:43 [DEBUG] 1 CA instance(s) running on server
2022/03/08 21:49:43 [INFO] Operation Server Listening on
2022/03/08 21:49:43 [DEBUG] TLS is enabled
2022/03/08 21:49:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/08 21:49:43 [INFO] Listening on
Enroll the bootstrap user with the TLS CA
./fabric-ca-client enroll -d -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts ',*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
2022/03/08 22:14:41 [DEBUG] newEnrollmentResponse root
2022/03/08 22:14:41 [INFO] Stored client certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/signcerts/cert.pem
2022/03/08 22:14:41 [INFO] Stored TLS root CA certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:14:41 [INFO] Stored Issuer public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerPublicKey
2022/03/08 22:14:41 [INFO] Stored Issuer revocation public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerRevocationPublicKey
The generated MSP structure is as follows:
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 1a3605866a5278e63c77a0f1025c86e4cace230cf22d3cc76558462c4b4aacc1_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user
Register and enroll the organization CA bootstrap identity with the TLS CA
The TLS CA server starts with a bootstrap identity that has full administrator rights on the server. One key capability of that administrator is registering new identities. Every node in the organization that transacts on the network must be registered with the TLS CA. So before we set up the organization CA, we use the TLS CA to register and enroll the organization CA's bootstrap identity, which gives it its TLS certificate and private key.
./fabric-ca-client register -d --id.name rootcaadmin --id.secret rootcaadminpw -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
2022/03/08 22:44:34 [DEBUG] No Idemix credential found at /usr/project/fabric-ca/org1-ca/tls-ca/tlsadmin/msp/user/SignerConfig
2022/03/08 22:44:34 [DEBUG] Register { Name:org1rootcaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName: }
2022/03/08 22:44:34 [DEBUG] Adding token-based authorization header
2022/03/08 22:44:34 [DEBUG] Sending request
POST https://root:[email protected]:7054/register
2022/03/08 22:44:34 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:44:34 [DEBUG] Response body result: map[secret:org1rootcaadminpw]
2022/03/08 22:44:34 [DEBUG] The register request completed successfully
Password: org1rootcaadminpw
Generate the TLS certificate for the org1rootcaadmin user:
./fabric-ca-client enroll -d -u https://rootcaadmin:rootcaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts ',*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp
2022/03/08 22:45:23 [DEBUG] newEnrollmentResponse rootcaadmin
2022/03/08 22:45:23 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/signcerts/cert.pem
2022/03/08 22:45:23 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:45:23 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerPublicKey
2022/03/08 22:45:23 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerRevocationPublicKey
The generated MSP structure is as follows:
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 386443da0808d7bd90c1b88f103a676b9e3a383ee9322fd65913dcc53f72488f_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user
(Optional) Register and enroll the organization intermediate CA bootstrap identity with the TLS CA
./fabric-ca-client register -d --id.name intcaadmin --id.secret intcaadminpw -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
2022/03/08 22:51:12 [DEBUG] Register { Name:org1intermediatecaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName: }
2022/03/08 22:51:12 [DEBUG] Adding token-based authorization header
2022/03/08 22:51:12 [DEBUG] Sending request
POST https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054/register
2022/03/08 22:51:12 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:51:12 [DEBUG] Response body result: map[secret:intcaadminpw]
2022/03/08 22:51:12 [DEBUG] The register request completed successfully
Password: intcaadminpw
Generate the TLS certificate for the org1intermediatecaadmin user:
./fabric-ca-client enroll -d -u https://intcaadmin:intcaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts ',*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp
2022/03/08 22:54:11 [DEBUG] newEnrollmentResponse intcaadmin
2022/03/08 22:54:11 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/signcerts/cert.pem
2022/03/08 22:54:11 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:54:11 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerPublicKey
2022/03/08 22:54:11 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerRevocationPublicKey
The generated MSP structure is as follows:
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 2f9e6c388f7095186fa02da0d49d56e60af93bd8a5938a95e9362d97a94305b2_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user
Deploy the Org1 Root CA
./fabric-ca-server init -b rootcaadmin:rootcaadminpw
2022/03/09 00:44:20 [INFO] Created default configuration file at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server-config.yaml
2022/03/09 00:44:20 [INFO] Server Version: 1.5.2
2022/03/09 00:44:20 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2022/03/09 00:44:20 [WARNING] &{69 The specified CA certificate file /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem does not exist}
2022/03/09 00:44:20 [INFO] generating key: &{A:ecdsa S:256}
2022/03/09 00:44:20 [INFO] encoded CSR
2022/03/09 00:44:20 [INFO] signed certificate with serial number 546254827741696287188172041494887425008823408464
2022/03/09 00:44:20 [INFO] The CA key and certificate were generated for CA
2022/03/09 00:44:20 [INFO] The key was stored by BCCSP provider 'SW'
2022/03/09 00:44:20 [INFO] The certificate is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem
2022/03/09 00:44:21 [INFO] Initialized sqlite3 database at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server.db
2022/03/09 00:44:21 [INFO] The issuer key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerPublicKey, secret key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerSecretKey
2022/03/09 00:44:21 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2022/03/09 00:44:21 [INFO] The revocation key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerRevocationPublicKey, private key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/09 00:44:21 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:44:21 [INFO] Initialization was successful
Edit the fabric-ca-server-config.yaml file:
Before starting the server: if you changed any value in the csr block of the configuration .yaml file, you need to delete that folder. When you start the CA server in the next step, the certificates are regenerated from the new settings in the configuration .yaml file.
Start the CA service:
nohup ./fabric-ca-server start > org1-root-ca.log 2>&1 &
2022/03/09 00:57:43 [DEBUG] Intializing nonce manager for issuer 'org1-root-ca'
2022/03/09 00:57:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:57:43 [DEBUG] 1 CA instance(s) running on server
2022/03/09 00:57:43 [INFO] Operation Server Listening on
2022/03/09 00:57:43 [DEBUG] TLS is enabled
2022/03/09 00:57:43 [DEBUG] TLS Certificate: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem, TLS Key: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[52 160 11 191 139 56 223 161 107 227 29 92 106 178 120 63 173 151 219 229 198 133 127 139 212 184 117 189 136 56 132 95]]: Key with SKI 34a00bbf8b38dfa16be31d5c6ab2783fad97dbe5c6857f8bd4b875bd8838845f not found in /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore
2022/03/09 00:57:43 [DEBUG] Attempting fallback with certfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem and keyfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/09 00:57:43 [INFO] Listening on
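The debug lines above show fabric-ca-server looking in its own keystore for the private key whose SKI matches its TLS certificate, then falling back to the cert and key files taken from the TLS CA enrollment. Before pointing a CA, peer or orderer at an enrolled TLS identity it is worth confirming that the three files agree. The following is an added Go example, not fabric-ca code: CheckTLSIdentity takes the contents of signcerts/cert.pem, keystore/*_sk and tlscacerts/*.pem plus the host name given in --csr.hosts; SampleIdentity is a constructed stand-in for real enrollment output so the block runs offline, and rootca.org1.example.com and peer0.org1.example.com are constructed host names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTLSIdentity verifies an enrolled TLS identity as fabric-ca-server consumes it: key matches cert, cert chains to the TLS CA root and names host.
func CheckTLSIdentity(certPEM, keyPEM, caPEM []byte, host string) error {
	// Key must match the cert: the pairing that fails as "Could not find matching private key" above.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("signcerts/keystore: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	roots := x509.NewCertPool()
	if err != nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("cannot parse signcerts (%v) or tlscacerts", err)
	}
	// DNSName covers --csr.hosts; the default key usage demands the serverAuth EKU of the tls profile.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SampleIdentity is a constructed TLS CA root plus a leaf issued to host, a stand-in for real enrollment output.
func SampleIdentity(host string) (certPEM, keyPEM, caPEM []byte) {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "tlsca"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rootcaadmin"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey) // fabric-ca stores *_sk keys as PKCS#8
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", leafDER), enc("PRIVATE KEY", keyDER), enc("CERTIFICATE", caDER)
}

func main() {
	cert, key, ca := SampleIdentity("rootca.org1.example.com")
	fmt.Println(CheckTLSIdentity(cert, key, ca, "rootca.org1.example.com"), CheckTLSIdentity(cert, key, ca, "peer0.org1.example.com"))
}
```

On a real deployment, read the three files from the msp directory written by --mspdir and pass the host name you gave in --csr.hosts.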
Enroll the organization root CA administrator:
./fabric-ca-client enroll -d -u https://rootcaadmin:rootcaadminpw@rootca.org1.example.com:7055 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --csr.hosts ',*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp
(Optional) Register the intermediate CA bootstrap identity with the organization (root) CA.
./fabric-ca-client register -d -u https://rootca.org1.example.com:7055 --id.name intcaadmin --id.secret intcaadmin --id.attrs '"hf.Registrar.Roles=user,admin","hf.Revoker=true","hf.IntermediateCA=true"' --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp
Deploy the Org1 Intermediate CA
./fabric-ca-server init -b intcaadmin:intcaadminpw
Edit fabric-ca-server-config.yaml:
Start the CA service:
nohup ./fabric-ca-server start > org1-int-ca.log 2>&1 &