Fabric学习笔记(四) - Fabric CA的简单实用

最新推荐文章于 2023-08-09 08:29:35 发布

weixin_34355559

最新推荐文章于 2023-08-09 08:29:35 发布

阅读量177

点赞数

CC 4.0 BY-SA版权

文章标签：运维开发工具

原文链接：https://segmentfault.com/a/1190000013033479

本文介绍如何使用Hyperledger Fabric CA进行实体注册、证书颁发及管理等操作。包括下载和启动Fabric CA服务、注册不同类型的实体（如admin、user、peer及orderer）、证书的重新颁发与撤销等关键步骤。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

前言

本文严重参考官方文档,并去除复杂部分和相应解释,基本只覆盖操作流程

下载fabric-ca

go get -u github.com/hyperledger/fabric-ca/cmd/...

下载fabric-ca镜像

docker pull hyperledger/fabric-ca:x86_64-1.0.5
docker tag  hyperledger/fabric-ca:x86_64-1.0.5        hyperledger/fabric-ca

启动fabric-ca-server

cd /opt/gopath/src/github.com/hyperledger/fabric-ca/docker/server/
docker-compose up -d

进入镜像查询,并启动fabric-ca-server

docker exec -it fabric-ca-server bash
ps -ef

fabric-ca-server 已启动

root@7747fe9b6261:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 03:10 ?        00:00:00 sh -c fabric-ca-server start -b admin:adminpw
root         7     1  4 03:10 ?        00:00:00 fabric-ca-server start -b admin:adminpw
root        12     0  2 03:10 ?        00:00:00 bash
root        22    12  0 03:10 ?        00:00:00 ps -ef

注册admin实体

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

注册user

修改下client的配置文件

vim /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml

id:
  name:
  type: user
  affiliation: org1.department1
  maxenrollments: -1
  attributes:
    - name: hf.Revoker
      value: true
    - name: anotherAttrName
      value: anotherAttrValue

注册新成员admin2

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert'

2018/01/29 05:49:36 [INFO] User provided config file: /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2018/01/29 05:49:36 [INFO] Configuration file location: /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Password: crdNMkqanPyd

peer实体

注册一个peer实体

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw

录取(enroll)peer实体

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

orderer实体

orderer实体通peer实体一样,除了MSP的目录变为orderer.yaml里的LocalMSPDir.

所由fabric-ca-server颁发的录入证书都有组织单元(OUs),OUs的根是其类型type,其它部分由其affiliation指定.

如一个实体的peer,它的affiliation为department1.team1.那么其从叶子节点到根节点的OU关系为team1->department1->peer

从其它Fabric-CA-Server实体获取CA证书链

另启动一个Fabric-CA-Server CA2

export FABRIC_CA_SERVER_HOME=$HOME/ca2
fabric-ca-server start -b admin:ca2pw -p 7055 -n CA2

在peer1的MSP目录安装CA2的证书链

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client getcacert -u http://localhost:7055 -M $FABRIC_CA_CLIENT_HOME/msp

重新录取实体

如果证书失效了,需要重新enroll

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client reenroll

注销(revoke)实体

fabric-ca-client revoke -e <enrollment_id> -r <reason>

reason列表

unspecified
keycompromise
cacompromise
affiliationchange
superseded
cessationofoperation
certificatehold
removefromcrl
privilegewithdrawn

admin实体可注销其叶子节点的peer

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client revoke -e peer1