Compiling from source
Reference 1: https://www.jianshu.com/p/de04cbc4d3dc
Reference 2: https://www.jianshu.com/p/2ab1ba296339
Reference 3: Creating node certificates with fabric-ca
1 Fabric CA Server operations
1.1 Initialize the server
- Generate the configuration file and the certificate files
eliza@eliza-Macmini:~$ fabric-ca-server init -b admin:adminpw --home ca-home/root
2019/07/16 16:12:06 [INFO] Created default configuration file at /home/eliza/ca-home/root/fabric-ca-server-config.yaml
2019/07/16 16:12:06 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 16:12:06 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 16:12:06 [WARNING] &{69 The specified CA certificate file /home/eliza/ca-home/root/ca-cert.pem does not exist}
2019/07/16 16:12:06 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 16:12:06 [INFO] encoded CSR
2019/07/16 16:12:06 [INFO] signed certificate with serial number 143384722862879930990370662709102875271142366602
2019/07/16 16:12:06 [INFO] The CA key and certificate were generated for CA
2019/07/16 16:12:06 [INFO] The key was stored by BCCSP provider 'SW'
2019/07/16 16:12:06 [INFO] The certificate is at: /home/eliza/ca-home/root/ca-cert.pem
2019/07/16 16:12:07 [INFO] Initialized sqlite3 database at /home/eliza/ca-home/root/fabric-ca-server.db
2019/07/16 16:12:07 [INFO] The issuer key was successfully stored. The public key is at: /home/eliza/ca-home/root/IssuerPublicKey, secret key is at: /home/eliza/ca-home/root/msp/keystore/IssuerSecretKey
2019/07/16 16:12:07 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/07/16 16:12:07 [INFO] The revocation key was successfully stored. The public key is at: /home/eliza/ca-home/root/IssuerRevocationPublicKey, private key is at: /home/eliza/ca-home/root/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 16:12:07 [INFO] Home directory for default CA: /home/eliza/ca-home/root
2019/07/16 16:12:07 [INFO] Initialization was successful
eliza@eliza-Macmini:~$ cd ca-home
eliza@eliza-Macmini:~/ca-home$ tree
.
└── root
    ├── ca-cert.pem
    ├── fabric-ca-server-config.yaml
    ├── fabric-ca-server.db
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    └── msp
        └── keystore
            ├── 113a600ca0c685f529b05194c7ae852ed3f506a5b487706bccbbeeb1259ca66d_sk
            ├── IssuerRevocationPrivateKey
            └── IssuerSecretKey

3 directories, 8 files
- The identity given with -b is written as a corresponding admin record in the users table of fabric-ca-server.db.
1.2 Start the server
Before starting, edit the configuration file fabric-ca-server-config.yaml,
for example to change the listening port to 7064.
eliza@eliza-Macmini:~$ cd ca-home/root
eliza@eliza-Macmini:~/ca-home/root$ fabric-ca-server start -b admin:adminpw
2019/07/16 16:27:07 [INFO] Configuration file location: /home/eliza/ca-home/root/fabric-ca-server-config.yaml
2019/07/16 16:27:07 [INFO] Starting server in home directory: /home/eliza/ca-home/root
2019/07/16 16:27:07 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 16:27:07 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 16:27:07 [INFO] The CA key and certificate already exist
2019/07/16 16:27:07 [INFO] The key is stored by BCCSP provider 'SW'
2019/07/16 16:27:07 [INFO] The certificate is at: /home/eliza/ca-home/root/ca-cert.pem
2019/07/16 16:27:07 [INFO] Initialized sqlite3 database at /home/eliza/ca-home/root/fabric-ca-server.db
2019/07/16 16:27:07 [INFO] The Idemix issuer public and secret key files already exist
2019/07/16 16:27:07 [INFO] secret key file location: /home/eliza/ca-home/root/msp/keystore/IssuerSecretKey
2019/07/16 16:27:07 [INFO] public key file location: /home/eliza/ca-home/root/IssuerPublicKey
2019/07/16 16:27:07 [INFO] The Idemix issuer revocation public and secret key files already exist
2019/07/16 16:27:07 [INFO] private key file location: /home/eliza/ca-home/root/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 16:27:07 [INFO] public key file location: /home/eliza/ca-home/root/IssuerRevocationPublicKey
2019/07/16 16:27:07 [INFO] Home directory for default CA: /home/eliza/ca-home/root
2019/07/16 16:27:07 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/07/16 16:27:07 [INFO] Listening on http://0.0.0.0:7064
1.3 Create an intermediate server
Method 1: create it directly from the command line
fabric-ca-server start -b ca1:123456 -p 7064 -u http://wyj:123456@localhost:7054
Method 2: create it through the configuration file
fabric-ca-server-config.yaml
intermediate:
  parentserver:
    url: http://wyj:123456@localhost:7054
    caname: root ## the ca name in the root CA's configuration file must match this
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
Run the server from the directory that contains the configuration file
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-server init -c fabric-ca-server-config.yaml
2019/07/16 19:12:36 [INFO] Configuration file location: /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server-config.yaml
2019/07/16 19:12:36 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 19:12:36 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 19:12:36 [WARNING] &{69 The specified CA certificate file /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem does not exist}
2019/07/16 19:12:36 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 19:12:37 [INFO] encoded CSR
2019/07/16 19:12:37 [INFO] The CA key and certificate were generated for CA ca2
2019/07/16 19:12:37 [INFO] The key was stored by BCCSP provider 'SW'
2019/07/16 19:12:37 [INFO] The certificate is at: /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem
2019/07/16 19:12:37 [INFO] Initialized sqlite3 database at /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server.db
2019/07/16 19:12:37 [INFO] The issuer key was successfully stored. The public key is at: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerPublicKey, secret key is at: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerSecretKey
2019/07/16 19:12:37 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'ca2'
2019/07/16 19:12:37 [INFO] The revocation key was successfully stored. The public key is at: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerRevocationPublicKey, private key is at: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 19:12:37 [INFO] Home directory for default CA: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:12:37 [INFO] Initialization was successful
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-server start -b ca2:123456
2019/07/16 19:14:01 [INFO] Configuration file location: /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server-config.yaml
2019/07/16 19:14:01 [INFO] Starting server in home directory: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:14:01 [INFO] Server Version: 1.4.2-snapshot-d3e9c35
2019/07/16 19:14:01 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/16 19:14:01 [INFO] The CA key and certificate already exist
2019/07/16 19:14:01 [INFO] The key is stored by BCCSP provider 'SW'
2019/07/16 19:14:01 [INFO] The certificate is at: /Users/eliza/documents/ca-home/intermedia/ca2/ca-cert.pem
2019/07/16 19:14:01 [INFO] Initialized sqlite3 database at /Users/eliza/documents/ca-home/intermedia/ca2/fabric-ca-server.db
2019/07/16 19:14:01 [INFO] The Idemix issuer public and secret key files already exist
2019/07/16 19:14:01 [INFO] secret key file location: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerSecretKey
2019/07/16 19:14:01 [INFO] public key file location: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerPublicKey
2019/07/16 19:14:01 [INFO] The Idemix issuer revocation public and secret key files already exist
2019/07/16 19:14:01 [INFO] private key file location: /Users/eliza/documents/ca-home/intermedia/ca2/msp/keystore/IssuerRevocationPrivateKey
2019/07/16 19:14:01 [INFO] public key file location: /Users/eliza/documents/ca-home/intermedia/ca2/IssuerRevocationPublicKey
2019/07/16 19:14:01 [INFO] Home directory for default CA: /Users/eliza/documents/ca-home/intermedia/ca2
2019/07/16 19:14:01 [INFO] Operation Server Listening on 127.0.0.1:9463
2019/07/16 19:14:01 [INFO] Listening on http://0.0.0.0:7074
1.4 Verify the relationship between the intermediate CA and the root CA
Look at the directory layout
.
├── client-home
├── intermedia
│   ├── ca1
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── ca-cert.pem
│   │   ├── ca-chain.pem
│   │   ├── fabric-ca-server-config.yaml
│   │   ├── fabric-ca-server.db
│   │   └── msp
│   │       ├── cacerts
│   │       ├── keystore
│   │       │   ├── IssuerRevocationPrivateKey
│   │       │   ├── IssuerSecretKey
│   │       │   └── f1a8ed738252f252be5b1010d38b851101a4bf47aea3012a3bec1ce134e4f62f_sk
│   │       ├── signcerts
│   │       └── user
│   └── ca2
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── ca-cert.pem
│       ├── ca-chain.pem
│       ├── fabric-ca-server-config.yaml
│       ├── fabric-ca-server.db
│       └── msp
│           ├── cacerts
│           ├── keystore
│           │   ├── 12744eb79fd2f067add1619e7186bb9dec14da39214b605111e7b9d03412141e_sk
│           │   ├── 8edc78a0385603fed1abb76716caf9b2fd2eeb3232402e9edcdb28ffd80e2c9f_sk
│           │   ├── IssuerRevocationPrivateKey
│           │   └── IssuerSecretKey
│           ├── signcerts
│           └── user
└── root
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── ca-cert.pem
    ├── fabric-ca-server-config.yaml
    ├── fabric-ca-server.db
    └── msp
        └── keystore
            ├── 50664a3a04c5a7f354e88bbfdbda52051dc948f49ea5ffa79cf58423efedc52c_sk
            ├── IssuerRevocationPrivateKey
            └── IssuerSecretKey

17 directories, 27 files
The intermediate CA has one certificate file more than the root CA: ca-chain.pem. Opening intermediateca/ca-chain.pem shows that it contains exactly two certificates (the intermediate CA's and the root CA's), which is the certificate chain:
<content of intermediateca/ca-cert.pem>
<content of rootca/ca-cert.pem>
Now look at how they verify against each other
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile root/ca-cert.pem intermedia/ca2/ca-cert.pem
intermedia/ca2/ca-cert.pem: OK
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile root/ca-cert.pem intermedia/ca2/ca-chain.pem
intermedia/ca2/ca-chain.pem: OK
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile intermedia/ca2/ca-cert.pem intermedia/ca2/ca-chain.pem
intermedia/ca2/ca-chain.pem: C = US, ST = North Carolina, O = Hyperledger, OU = client, CN = wyj
error 20 at 0 depth lookup:unable to get local issuer certificate
ElizadeMacBook-Air:ca-home eliza$ openssl verify -verbose -CAfile intermedia/ca2/ca-chain.pem intermedia/ca2/ca-cert.pem
intermedia/ca2/ca-cert.pem: OK
We can see that the root node's CA certificate verifies the intermediate node's CA certificate; in other words, the intermediate node's CA certificate was issued by the root node, and the two form a certificate chain.
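The manual openssl verify calls above only check the signature. As an added example (not from the original post) the script below packages the same check, and additionally confirms that ca-chain.pem contains exactly two certificates, that the last one is byte-for-byte the root we trust, and that the intermediate is marked as a CA; it assumes openssl (1.1.1 or newer) and awk are on PATH and takes the root ca-cert.pem and the intermediate ca-chain.pem as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a fabric-ca
# ca-chain.pem really links an intermediate CA to the root CA we trust.
# Assumes openssl (1.1.1 or newer) and awk are on PATH.

# Split a PEM bundle ($1) into $2/cert-01.pem, cert-02.pem, ... and print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }' "$1"
}

# Print a certificate's name field ($2 = subject or issuer) in RFC 2253 form.
name_of() { openssl x509 -noout -"$2" -nameopt RFC2253 -in "$1" | sed "s/^$2=//"; }

# verify_chain ROOT_CERT CHAIN_FILE: returns 0 only when the chain holds exactly
# two certificates, the first is a CA certificate whose issuer is the root and
# whose signature the root verifies, and the second is the very root we were given.
verify_chain() {
  root="$1"; chain="$2"; tmp=$(mktemp -d); rc=1
  count=$(split_chain "$chain" "$tmp")
  inter="$tmp/cert-01.pem"; last="$tmp/cert-02.pem"
  if [ "$count" -ne 2 ]; then
    echo "expected 2 certificates in chain, found $count" >&2
  elif [ "$(openssl x509 -noout -fingerprint -sha256 -in "$last")" != \
         "$(openssl x509 -noout -fingerprint -sha256 -in "$root")" ]; then
    echo "last certificate in chain is not the trusted root" >&2
  elif [ "$(name_of "$inter" issuer)" != "$(name_of "$root" subject)" ]; then
    echo "intermediate issuer does not match root subject" >&2
  elif ! openssl x509 -noout -text -in "$inter" | grep -q 'CA:TRUE'; then
    echo "intermediate certificate is not marked as a CA" >&2
  elif ! openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1; then
    echo "root did not sign the intermediate certificate" >&2
  else
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}
```

Run it as `verify_chain root/ca-cert.pem intermedia/ca2/ca-chain.pem`; a non-zero exit names the first failed check on stderr.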
2 Fabric CA Client operations
2.1 Register and enroll users with the intermediate CA
Taking CA2 as the example
Enroll admin
A user must first be registered in the CA database before it can enroll (generate a certificate).
Because we already registered the administrator ca2 via -b when initializing CA2, we can enroll ca2 directly.
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client enroll --url http://ca2:123456@localhost:7074 --home msp/user/admin
2019/07/16 19:29:29 [INFO] generating key: &{A:ecdsa S:256}
2019/07/16 19:29:29 [INFO] encoded CSR
2019/07/16 19:29:29 [INFO] Stored client certificate at /Users/eliza/.fabric-ca-client/msp/signcerts/cert.pem
2019/07/16 19:29:29 [INFO] Stored root CA certificate at /Users/eliza/.fabric-ca-client/msp/cacerts/localhost-7074.pem
2019/07/16 19:29:29 [INFO] Stored intermediate CA certificates at /Users/eliza/.fabric-ca-client/msp/intermediatecerts/localhost-7074.pem
2019/07/16 19:29:29 [INFO] Stored Issuer public key at /Users/eliza/.fabric-ca-client/msp/IssuerPublicKey
2019/07/16 19:29:29 [INFO] Stored Issuer revocation public key at /Users/eliza/.fabric-ca-client/msp/IssuerRevocationPublicKey
At this point the certificates table in CA2's database gains one more record.
A fabric client configuration file and a complete set of certificates are generated as well.
ElizadeMacBook-Air:ca2 eliza$ tree
.
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── ca-cert.pem
├── ca-chain.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
    ├── cacerts
    ├── keystore
    │   ├── 12744eb79fd2f067add1619e7186bb9dec14da39214b605111e7b9d03412141e_sk
    │   ├── 8edc78a0385603fed1abb76716caf9b2fd2eeb3232402e9edcdb28ffd80e2c9f_sk
    │   ├── IssuerRevocationPrivateKey
    │   └── IssuerSecretKey
    ├── signcerts
    └── user
        └── admin
            ├── fabric-ca-client-config.yaml
            └── msp
                ├── IssuerPublicKey
                ├── IssuerRevocationPublicKey
                ├── cacerts
                │   └── localhost-7074.pem
                ├── intermediatecerts
                │   └── localhost-7074.pem
                ├── keystore
                │   └── 479a58b794006ac89fa3239989035d44536f02a9fb84c412e899af0bfce3c345_sk
                ├── signcerts
                │   └── cert.pem // stored in the database's certificates table, in the pem field
                └── user
Register and enroll a new user
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client register --home msp/user/admin --id.name tester2 --id.secret testpasswd --id.type user
ElizadeMacBook-Air:ca2 eliza$ fabric-ca-client enroll --home msp/user/tester2 --url http://tester2:testpasswd@localhost:7074
Here --home for the register command must point to the admin's home directory.
3 TLS
3.1 Server
Edit the server configuration file and set enabled to true in the tls section.
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
Run
fabric-ca-server start -c fabric-ca-server-config.yaml -b wyj:123456
An additional TLS certificate appears on the file system, and the certificates table of the database gains a certificate record for the current machine.
However, after the author enabled TLS mode, enrolling users from the client side always produced an error; the cause has not been found yet.
In common Fabric network certificate setups, one fabric-ca-server is used for TLS and a separate server issues the ECerts.
3.2 Client
fabric-ca-client enroll --home msp/user/admin --url http://wyj:123456@localhost:8054
fabric-ca-client register --home msp/user/admin --id.name user1 --id.secret 123456 --id.type user
fabric-ca-client enroll --home msp/user/user1 --url http://user1:123456@localhost:8054