Hyperledger Fabric CA 部署示例

原创
03/12 11:09
阅读数 1.6K

Hyperledger Fabric 二进制文件启动 Org1 组织 CA

部署 Org1 TLS CA

初始化

./fabric-ca-server init -b tlscaadmin:tlscaadminpw

修改 fabric-ca-server-config.yaml 配置文件

#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables.  The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca.keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '.' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#      All default values are shown beside each element below.
#
#   FILE NAME ELEMENTS
#   ------------------
#   The value of all fields whose name ends with "file" or "files" are
#   name or names of other files.
#   For example, see "tls.certfile" and "tls.clientauth.certfiles".
#   The value of each of these fields can be a simple filename, a
#   relative path, or an absolute path.  If the value is not an
#   absolute path, it is interpreted as being relative to the location
#   of this configuration file.
#
#############################################################################

# Version of config file
version: 1.5.2

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
cors:
    enabled: false
    origins:
      - "*"

# Enables debug logging (default: false)
debug: true

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: org1-tls-ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
  # Ignore Certificate Expiration in the case of re-enroll
  reenrollIgnoreCertExpiry: false

#############################################################################
#  The gencrl REST endpoint is used to generate a CRL that contains revoked
#  certificates. This section contains configuration options that are used
#  during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and values.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry.
#     This is true if "ldap.enabled" in the ldap section below is false.
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#     This is true if "ldap.enabled" in the ldap section below is true,
#     which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: tlscaadmin
       pass: tlscaadminpw
       type: client
       affiliation: ""
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: mysql
  datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_tls_ca?parseTime=true
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   # TLS configuration for the client connection to the LDAP server
   tls:
      certfiles:
      client:
         certfile:
         keyfile:
   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   attribute:
      # 'names' is an array of strings containing the LDAP attribute names which are
      # requested from the LDAP server for an LDAP identity's entry
      names: ['uid','member']
      # The 'converters' section is used to convert an LDAP entry to the value of
      # a fabric CA attribute.
      # For example, the following converts an LDAP 'uid' attribute
      # whose value begins with 'revoker' to a fabric CA attribute
      # named "hf.Revoker" with a value of "true" (because the boolean expression
      # evaluates to true).
      #    converters:
      #       - name: hf.Revoker
      #         value: attr("uid") =~ "revoker*"
      converters:
         - name:
           value:
      # The 'maps' section contains named maps which may be referenced by the 'map'
      # function in the 'converters' section to map LDAP responses to arbitrary values.
      # For example, assume a user has an LDAP attribute named 'member' which has multiple
      # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
      # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
      # Further assume the following configuration.
      #    converters:
      #       - name: hf.Registrar.Roles
      #         value: map(attr("member"),"groups")
      #    maps:
      #       groups:
      #          - name: dn1
      #            value: peer
      #          - name: dn2
      #            value: client
      # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
      # "peer,client,dn3".  This is because the value of 'attr("member")' is
      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
      # "group" replaces "dn1" with "peer" and "dn2" with "client".
      maps:
         groups:
            - name:
              value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

#############################################################################
#  Signing section
#
#  The "default" subsection is used to sign enrollment certificates;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
#  The "ca" profile subsection is used to sign intermediate CA certificates;
#  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
#  Note that "isca" is true, meaning that it issues a CA certificate.
#  A maxpathlen of 0 means that the intermediate CA cannot issue other
#  intermediate CA certificates, though it can still issue end entity certificates.
#  (See RFC 5280, section 4.2.1.9)
#
#  The "tls" profile subsection is used to sign TLS certificate requests;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      # 由于这是一个不会颁发 CA 证书的 TLS CA,因此ca可以删除配置文件部分。该signing.profiles块应仅包含tls配置文件。
      # ca:
      #    usage:
      #      - cert sign
      #      - crl sign
      #    expiry: 43800h
      #    caconstraint:
      #      isca: true
      #      maxpathlen: 0
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

###########################################################################
#  Certificate Signing Request (CSR) section.
#  This controls the creation of the root CA certificate.
#  The expiration for the root CA certificate is configured with the
#  "ca.expiry" field below, whose default value is "131400h" which is
#  15 years in hours.
#  The pathlength field is used to limit CA certificate hierarchy as described
#  in section 4.2.1.9 of RFC 5280.
#  Examples:
#  1) No pathlength value means no limit is requested.
#  2) pathlength == 1 means a limit of 1 is requested which is the default for
#     a root CA.  This means the root CA can issue intermediate CA certificates,
#     but these intermediate CAs may not in turn issue other CA certificates
#     though they can still issue end entity certificates.
#  3) pathlength == 0 means a limit of 0 is requested;
#     this is the default for an intermediate CA, which means it can not issue
#     CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
   cn: fabric-ca-server
   keyrequest:
     algo: ecdsa
     size: 256
   names:
      - C: US
        ST: "North Carolina"
        L:
        O: Hyperledger
        OU: Fabric
   hosts:
     - localhost.localdomain
     - localhost
     - tlsca.org1.example.com
     - 192.168.0.105
   ca:
      expiry: 131400h
      pathlength: 1

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
  # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. First step is to  get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the isuser to
  # request a credential. This configuration property specifies expiration for the nonces. By default is
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  #  The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
    default: SW
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default.  This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs.  The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA.  Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
#   1) A single server process may contain or function as one or more CAs.
#      This is configured by the "Multi CA section" above.
#   2) Each CA is either a root CA or an intermediate CA.
#   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
    # host and port for the operations server
    listenAddress: 127.0.0.1:9445

    # TLS configuration for the operations endpoint
    tls:
        # TLS enabled
        enabled: false

        # path to PEM encoded server certificate for the operations server
        cert:
            file:

        # path to PEM encoded server key for the operations server
        key:
            file:

        # require client certificate authentication to access all resources
        clientAuthRequired: false

        # paths to PEM encoded ca certificates to trust for client authentication
        clientRootCAs:
            files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
    # statsd, prometheus, or disabled
    provider: disabled

    # statsd configuration
    statsd:
        # network type: tcp or udp
        network: udp

        # statsd server address
        address: 127.0.0.1:8125

        # the interval at which locally cached counters and gauges are pushed
        # to statsd; timings are pushed immediately
        writeInterval: 10s

        # prefix is prepended to all emitted statsd metrics
        prefix: server

启动 Org1 TLS CA

nohup ./fabric-ca-server start > org1-tls-ca.log 2>&1 &

查看日志:

tail -f org1-tls-ca.log
2022/03/08 21:49:43 [INFO] The Idemix issuer revocation public and secret key files already exist
2022/03/08 21:49:43 [INFO]    private key file location: /usr/project/fabric-ca/org1-ca/tls-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/08 21:49:43 [INFO]    public key file location: /usr/project/fabric-ca/org1-ca/tls-ca/IssuerRevocationPublicKey
2022/03/08 21:49:43 [DEBUG] Intializing nonce manager for issuer 'org1-tls-ca'
2022/03/08 21:49:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/tls-ca
2022/03/08 21:49:43 [DEBUG] 1 CA instance(s) running on server
2022/03/08 21:49:43 [INFO] Operation Server Listening on 127.0.0.1:9445
2022/03/08 21:49:43 [DEBUG] TLS is enabled
2022/03/08 21:49:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/08 21:49:43 [INFO] Listening on https://0.0.0.0:7054

使用 TLS CA 登记引导用户

./fabric-ca-client enroll -d -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp

输出如下:

2022/03/08 22:14:41 [DEBUG] newEnrollmentResponse root
2022/03/08 22:14:41 [INFO] Stored client certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/signcerts/cert.pem
2022/03/08 22:14:41 [INFO] Stored TLS root CA certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:14:41 [INFO] Stored Issuer public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerPublicKey
2022/03/08 22:14:41 [INFO] Stored Issuer revocation public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerRevocationPublicKey

生成 MSP 结构如下:

tls-ca/tlscaadmin/
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 1a3605866a5278e63c77a0f1025c86e4cace230cf22d3cc76558462c4b4aacc1_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user

向 TLS CA 注册和登记组织 CA 引导标识

TLS CA 服务器以具有服务器完全管理员权限的引导身份启动。管理员的一项关键能力是注册新身份的能力。组织中在网络上进行交易的每个节点都需要向 TLS CA 注册。因此,在我们设置组织 CA 之前,我们需要使用 TLS CA 来注册和注册组织 CA 引导身份,以获取其 TLS 证书和私钥。

./fabric-ca-client register -d --id.name rootcaadmin --id.secret rootcaadminpw -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054  --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp

输出如下:

2022/03/08 22:44:34 [DEBUG] No Idemix credential found at /usr/project/fabric-ca/org1-ca/tls-ca/tlsadmin/msp/user/SignerConfig
2022/03/08 22:44:34 [DEBUG] Register { Name:org1rootcaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName:  }
2022/03/08 22:44:34 [DEBUG] Adding token-based authorization header
2022/03/08 22:44:34 [DEBUG] Sending request
POST https://root:roothepeng@tlsca.org1.example.com:7054/register
{"id":"org1rootcaadmin","type":"client","secret":"org1rootcaadminpw","affiliation":""}
2022/03/08 22:44:34 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:44:34 [DEBUG] Response body result: map[secret:org1rootcaadminpw]
2022/03/08 22:44:34 [DEBUG] The register request completed successfully
Password: org1rootcaadminpw

为 org1rootcaadmin 用户生成 TLS 证书:

./fabric-ca-client enroll -d -u https://rootcaadmin:rootcaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp

输出如下:

2022/03/08 22:45:23 [DEBUG] newEnrollmentResponse rootcaadmin
2022/03/08 22:45:23 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/signcerts/cert.pem
2022/03/08 22:45:23 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:45:23 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerPublicKey
2022/03/08 22:45:23 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerRevocationPublicKey

生成 MSP 结构如下:

tls-ca/rootcaadmin/
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 386443da0808d7bd90c1b88f103a676b9e3a383ee9322fd65913dcc53f72488f_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user

(可选) 向 TLS CA 注册和登记组织中间 CA 引导标识

./fabric-ca-client register -d --id.name intcaadmin --id.secret intcaadminpw -u https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054  --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp

输出如下:

2022/03/08 22:51:12 [DEBUG] Register { Name:org1intermediatecaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName:  }
2022/03/08 22:51:12 [DEBUG] Adding token-based authorization header
2022/03/08 22:51:12 [DEBUG] Sending request
POST https://tlscaadmin:tlscaadminpw@tlsca.org1.example.com:7054/register
{"id":"intcaadmin","type":"client","secret":"intcaadminpw","affiliation":""}
2022/03/08 22:51:12 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:51:12 [DEBUG] Response body result: map[secret:intcaadminpw]
2022/03/08 22:51:12 [DEBUG] The register request completed successfully
Password: intcaadminpw

为 org1intermediatecaadmin 用户生成 TLS 证书:

./fabric-ca-client enroll -d -u https://intcaadmin:intcaadminpw@tlsca.org1.example.com:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp

输出如下:

2022/03/08 22:54:11 [DEBUG] newEnrollmentResponse intcaadmin
2022/03/08 22:54:11 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/signcerts/cert.pem
2022/03/08 22:54:11 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:54:11 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerPublicKey
2022/03/08 22:54:11 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerRevocationPublicKey

生成 MSP 结构如下:

tls-ca/intcaadmin/
└── msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 2f9e6c388f7095186fa02da0d49d56e60af93bd8a5938a95e9362d97a94305b2_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-tlsca-org1-example-com-7054.pem
    └── user


部署 Org1 Root CA

初始化组织根CA

./fabric-ca-server init -b rootcaadmin:rootcaadminpw

输出如下:

2022/03/09 00:44:20 [INFO] Created default configuration file at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server-config.yaml
2022/03/09 00:44:20 [INFO] Server Version: 1.5.2
2022/03/09 00:44:20 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2022/03/09 00:44:20 [WARNING] &{69 The specified CA certificate file /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem does not exist}
2022/03/09 00:44:20 [INFO] generating key: &{A:ecdsa S:256}
2022/03/09 00:44:20 [INFO] encoded CSR
2022/03/09 00:44:20 [INFO] signed certificate with serial number 546254827741696287188172041494887425008823408464
2022/03/09 00:44:20 [INFO] The CA key and certificate were generated for CA 
2022/03/09 00:44:20 [INFO] The key was stored by BCCSP provider 'SW'
2022/03/09 00:44:20 [INFO] The certificate is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem
2022/03/09 00:44:21 [INFO] Initialized sqlite3 database at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server.db
2022/03/09 00:44:21 [INFO] The issuer key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerPublicKey, secret key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerSecretKey
2022/03/09 00:44:21 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2022/03/09 00:44:21 [INFO] The revocation key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerRevocationPublicKey, private key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/09 00:44:21 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:44:21 [INFO] Initialization was successful

编辑 fabric-ca-server-config.yaml 文件:

#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables.  The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca.keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '.' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#      All default values are shown beside each element below.
#
#   FILE NAME ELEMENTS
#   ------------------
#   The value of all fields whose name ends with "file" or "files" are
#   name or names of other files.
#   For example, see "tls.certfile" and "tls.clientauth.certfiles".
#   The value of each of these fields can be a simple filename, a
#   relative path, or an absolute path.  If the value is not an
#   absolute path, it is interpreted as being relative to the location
#   of this configuration file.
#
#############################################################################

# Version of config file
version: 1.5.2

# Server's listening port (default: 7054)
port: 7055

# Cross-Origin Resource Sharing (CORS)
cors:
    enabled: false
    origins:
      - "*"

# Enables debug logging (default: false)
debug: true

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile: /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/signcerts/cert.pem
  keyfile: /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/keystore/key.pem
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: org1-root-ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
  # Ignore Certificate Expiration in the case of re-enroll
  reenrollIgnoreCertExpiry: false

#############################################################################
#  The gencrl REST endpoint is used to generate a CRL that contains revoked
#  certificates. This section contains configuration options that are used
#  during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and values.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry.
#     This is true if "ldap.enabled" in the ldap section below is false.
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#     This is true if "ldap.enabled" in the ldap section below is true,
#     which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: rootcaadmin
       pass: rootcaadminpw
       type: client
       affiliation: ""
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: mysql
  datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_root_ca?parseTime=true
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   # TLS configuration for the client connection to the LDAP server
   tls:
      certfiles:
      client:
         certfile:
         keyfile:
   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   attribute:
      # 'names' is an array of strings containing the LDAP attribute names which are
      # requested from the LDAP server for an LDAP identity's entry
      names: ['uid','member']
      # The 'converters' section is used to convert an LDAP entry to the value of
      # a fabric CA attribute.
      # For example, the following converts an LDAP 'uid' attribute
      # whose value begins with 'revoker' to a fabric CA attribute
      # named "hf.Revoker" with a value of "true" (because the boolean expression
      # evaluates to true).
      #    converters:
      #       - name: hf.Revoker
      #         value: attr("uid") =~ "revoker*"
      converters:
         - name:
           value:
      # The 'maps' section contains named maps which may be referenced by the 'map'
      # function in the 'converters' section to map LDAP responses to arbitrary values.
      # For example, assume a user has an LDAP attribute named 'member' which has multiple
      # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
      # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
      # Further assume the following configuration.
      #    converters:
      #       - name: hf.Registrar.Roles
      #         value: map(attr("member"),"groups")
      #    maps:
      #       groups:
      #          - name: dn1
      #            value: peer
      #          - name: dn2
      #            value: client
      # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
      # "peer,client,dn3".  This is because the value of 'attr("member")' is
      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
      # "group" replaces "dn1" with "peer" and "dn2" with "client".
      maps:
         groups:
            - name:
              value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

#############################################################################
#  Signing section
#
#  The "default" subsection is used to sign enrollment certificates;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
#  The "ca" profile subsection is used to sign intermediate CA certificates;
#  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
#  Note that "isca" is true, meaning that it issues a CA certificate.
#  A maxpathlen of 0 means that the intermediate CA cannot issue other
#  intermediate CA certificates, though it can still issue end entity certificates.
#  (See RFC 5280, section 4.2.1.9)
#
#  The "tls" profile subsection is used to sign TLS certificate requests;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      ca:
         usage:
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           maxpathlen: 1
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

###########################################################################
#  Certificate Signing Request (CSR) section.
#  This controls the creation of the root CA certificate.
#  The expiration for the root CA certificate is configured with the
#  "ca.expiry" field below, whose default value is "131400h" which is
#  15 years in hours.
#  The pathlength field is used to limit CA certificate hierarchy as described
#  in section 4.2.1.9 of RFC 5280.
#  Examples:
#  1) No pathlength value means no limit is requested.
#  2) pathlength == 1 means a limit of 1 is requested which is the default for
#     a root CA.  This means the root CA can issue intermediate CA certificates,
#     but these intermediate CAs may not in turn issue other CA certificates
#     though they can still issue end entity certificates.
#  3) pathlength == 0 means a limit of 0 is requested;
#     this is the default for an intermediate CA, which means it can not issue
#     CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
   cn: fabric-org1-root-ca-server
   keyrequest:
     algo: ecdsa
     size: 256
   names:
      - C: US
        ST: "North Carolina"
        L:
        O: Hyperledger
        OU: Fabric
   hosts:
     - localhost.localdomain
     - localhost
     - rootca.org1.example.com
     - 192.168.0.105
   ca:
      expiry: 131400h
      pathlength: 1

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
  # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. First step is to  get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the isuser to
  # request a credential. This configuration property specifies expiration for the nonces. By default is
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  #  The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
    default: SW
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default.  This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs.  The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA.  Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
#   1) A single server process may contain or function as one or more CAs.
#      This is configured by the "Multi CA section" above.
#   2) Each CA is either a root CA or an intermediate CA.
#   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
    # host and port for the operations server
    listenAddress: 127.0.0.1:9446

    # TLS configuration for the operations endpoint
    tls:
        # TLS enabled
        enabled: false

        # path to PEM encoded server certificate for the operations server
        cert:
            file:

        # path to PEM encoded server key for the operations server
        key:
            file:

        # require client certificate authentication to access all resources
        clientAuthRequired: false

        # paths to PEM encoded ca certificates to trust for client authentication
        clientRootCAs:
            files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
    # statsd, prometheus, or disabled
    provider: disabled

    # statsd configuration
    statsd:
        # network type: tcp or udp
        network: udp

        # statsd server address
        address: 127.0.0.1:8125

        # the interval at which locally cached counters and gauges are pushed
        # to statsd; timings are pushed immediately
        writeInterval: 10s

        # prefix is prepended to all emitted statsd metrics
        prefix: server


在启动服务器之前,如果您修改csr了配置 .yaml 文件块中的任何值,则需要删除该 ca-cert.pem 文件和整个msp 文件夹。当您在下一步启动 CA 服务器时,这些证书将根据配置 .yaml 文件中的新设置重新生成。

启动 ca 服务:

nohup ./fabric-ca-server start > org1-root-ca.log 2>&1 &

查看日志输出如下:

2022/03/09 00:57:43 [DEBUG] Intializing nonce manager for issuer 'org1-root-ca'
2022/03/09 00:57:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:57:43 [DEBUG] 1 CA instance(s) running on server
2022/03/09 00:57:43 [INFO] Operation Server Listening on 127.0.0.1:9446
2022/03/09 00:57:43 [DEBUG] TLS is enabled
2022/03/09 00:57:43 [DEBUG] TLS Certificate: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem, TLS Key: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[52 160 11 191 139 56 223 161 107 227 29 92 106 178 120 63 173 151 219 229 198 133 127 139 212 184 117 189 136 56 132 95]]: Key with SKI 34a00bbf8b38dfa16be31d5c6ab2783fad97dbe5c6857f8bd4b875bd8838845f not found in /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore
2022/03/09 00:57:43 [DEBUG] Attempting fallback with certfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem and keyfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/09 00:57:43 [INFO] Listening on https://0.0.0.0:7055

登记组织根 CA 管理员:

./fabric-ca-client enroll -d -u https://rootcaadmin:rootcaadminpw@rootca.org1.example.com:7055 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp

(可选)向组织(根)CA 注册中间 CA 引导标识。

./fabric-ca-client register -d -u https://rootca.org1.example.com:7055 --id.name intcaadmin --id.secret intcaadmin  --id.attrs '"hf.Registrar.Roles=user,admin","hf.Revoker=true","hf.IntermediateCA=true"' --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp

部署 Org1 Intermediate CA

./fabric-ca-server init -b intcaadmin:intcaadminpw

编辑 fabric-ca-server-config.yaml:

#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables.  The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca.keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '.' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#      All default values are shown beside each element below.
#
#   FILE NAME ELEMENTS
#   ------------------
#   The value of all fields whose name ends with "file" or "files" are
#   name or names of other files.
#   For example, see "tls.certfile" and "tls.clientauth.certfiles".
#   The value of each of these fields can be a simple filename, a
#   relative path, or an absolute path.  If the value is not an
#   absolute path, it is interpreted as being relative to the location
#   of this configuration file.
#
#############################################################################

# Version of config file
version: 1.5.2

# Server's listening port (default: 7054)
port: 7056

# Cross-Origin Resource Sharing (CORS)
cors:
    enabled: false
    origins:
      - "*"

# Enables debug logging (default: false)
debug: true

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile: /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/signcerts/cert.pem
  keyfile: /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/keystore/key.pem
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: org1-int-ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
  # Ignore Certificate Expiration in the case of re-enroll
  reenrollIgnoreCertExpiry: false

#############################################################################
#  The gencrl REST endpoint is used to generate a CRL that contains revoked
#  certificates. This section contains configuration options that are used
#  during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and values.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry.
#     This is true if "ldap.enabled" in the ldap section below is false.
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#     This is true if "ldap.enabled" in the ldap section below is true,
#     which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: intcaadmin
       pass: intcaadminpw
       type: client
       affiliation: ""
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: mysql
  datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_int_ca?parseTime=true
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   # TLS configuration for the client connection to the LDAP server
   tls:
      certfiles:
      client:
         certfile:
         keyfile:
   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   attribute:
      # 'names' is an array of strings containing the LDAP attribute names which are
      # requested from the LDAP server for an LDAP identity's entry
      names: ['uid','member']
      # The 'converters' section is used to convert an LDAP entry to the value of
      # a fabric CA attribute.
      # For example, the following converts an LDAP 'uid' attribute
      # whose value begins with 'revoker' to a fabric CA attribute
      # named "hf.Revoker" with a value of "true" (because the boolean expression
      # evaluates to true).
      #    converters:
      #       - name: hf.Revoker
      #         value: attr("uid") =~ "revoker*"
      converters:
         - name:
           value:
      # The 'maps' section contains named maps which may be referenced by the 'map'
      # function in the 'converters' section to map LDAP responses to arbitrary values.
      # For example, assume a user has an LDAP attribute named 'member' which has multiple
      # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
      # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
      # Further assume the following configuration.
      #    converters:
      #       - name: hf.Registrar.Roles
      #         value: map(attr("member"),"groups")
      #    maps:
      #       groups:
      #          - name: dn1
      #            value: peer
      #          - name: dn2
      #            value: client
      # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
      # "peer,client,dn3".  This is because the value of 'attr("member")' is
      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
      # "group" replaces "dn1" with "peer" and "dn2" with "client".
      maps:
         groups:
            - name:
              value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

#############################################################################
#  Signing section
#
#  The "default" subsection is used to sign enrollment certificates;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
#  The "ca" profile subsection is used to sign intermediate CA certificates;
#  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
#  Note that "isca" is true, meaning that it issues a CA certificate.
#  A maxpathlen of 0 means that the intermediate CA cannot issue other
#  intermediate CA certificates, though it can still issue end entity certificates.
#  (See RFC 5280, section 4.2.1.9)
#
#  The "tls" profile subsection is used to sign TLS certificate requests;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      ca:
         usage:
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           maxpathlen: 0
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

###########################################################################
#  Certificate Signing Request (CSR) section.
#  This controls the creation of the root CA certificate.
#  The expiration for the root CA certificate is configured with the
#  "ca.expiry" field below, whose default value is "131400h" which is
#  15 years in hours.
#  The pathlength field is used to limit CA certificate hierarchy as described
#  in section 4.2.1.9 of RFC 5280.
#  Examples:
#  1) No pathlength value means no limit is requested.
#  2) pathlength == 1 means a limit of 1 is requested which is the default for
#     a root CA.  This means the root CA can issue intermediate CA certificates,
#     but these intermediate CAs may not in turn issue other CA certificates
#     though they can still issue end entity certificates.
#  3) pathlength == 0 means a limit of 0 is requested;
#     this is the default for an intermediate CA, which means it can not issue
#     CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
   cn:
   keyrequest:
     algo: ecdsa
     size: 256
   names:
      - C: US
        ST: "North Carolina"
        L:
        O: Hyperledger
        OU: Fabric
   hosts:
     - localhost.localdomain
     - localhost
     - intca.org1.example.com
     - 192.168.0.105
   ca:
      expiry: 131400h
      pathlength: 0

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
  # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. First step is to  get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the isuser to
  # request a credential. This configuration property specifies expiration for the nonces. By default is
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  #  The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
    default: SW
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default.  This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs.  The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA.  Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
#   1) A single server process may contain or function as one or more CAs.
#      This is configured by the "Multi CA section" above.
#   2) Each CA is either a root CA or an intermediate CA.
#   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver: 
    url: https://rootcaadmin:rootcaadminpw@rootca.org1.example.com:7055
    caname: org1-root-ca

  enrollment:
    hosts: incat.org1.example.com
    profile: ca
    label:

  tls:
    certfiles: /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
    # host and port for the operations server
    listenAddress: 127.0.0.1:9443

    # TLS configuration for the operations endpoint
    tls:
        # TLS enabled
        enabled: false

        # path to PEM encoded server certificate for the operations server
        cert:
            file:

        # path to PEM encoded server key for the operations server
        key:
            file:

        # require client certificate authentication to access all resources
        clientAuthRequired: false

        # paths to PEM encoded ca certificates to trust for client authentication
        clientRootCAs:
            files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
    # statsd, prometheus, or disabled
    provider: disabled

    # statsd configuration
    statsd:
        # network type: tcp or udp
        network: udp

        # statsd server address
        address: 127.0.0.1:8125

        # the interval at which locally cached counters and gauges are pushed
        # to statsd; timings are pushed immediately
        writeInterval: 10s

        # prefix is prepended to all emitted statsd metrics
        prefix: server

启动 ca 服务:

nohup ./fabric-ca-server start > org1-int-ca.log 2>&1 &
展开阅读全文
加载中

作者的其它热门文章

打赏
0
1 收藏
分享
打赏
1 评论
1 收藏
0
分享
返回顶部
顶部