HyperLedger Fabric 1.2 生產環境使用ca生成msp和tls(12)
在上一章:Fabric kafka生產環境部署的基礎上部署Fabric CA,使用Fabric CA進行生成公私鑰和證書等檔案,全部替換cryptogen工具,包括生成TLS相關的私鑰和證書等檔案。 Fabric kafka生產環境部署有三個組織,分別為orderer(排序)組織和兩個Peer(節點)組織,對應的ID為example.com、org1.example.com和org2.example.com。為了讓生產環境Fabric CA具有擴充套件性和安全性,存在一個邏輯的根CA(RootCA)和三個中間CA(Intermedia CA),三個中間CA(Intermedia CA)都隸屬根CA(RootCA)。
根據生產環境CA網路拓撲圖,實現生產環境CA的部署及生成上一章:Fabric kafka生產環境部署所需要公私鑰、證書及TLS證書等檔案。生產環境CA部署到上一章:Fabric kafka生產環境部署的kafka3(192.168.235.6)伺服器上;由於四CA都在同一臺電腦,埠號不能使用同一個,對應的埠號如下表:
執行和配置步驟如下:
(一) CA服務啟動1. RootCA啟動1) 建立目錄
# cd $GOPATH/src/github.com/hyperledger/fabric-ca/bin # mkdir ca-server # cd ca-server
2) 初始化CA服務
# fabric-ca-server init -b admin:adminpw --home ./rootca
3) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin:adminpw --home ./rootca --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-rootca.yml到ca-server目錄
# docker-compose -f docker-rootca.yaml up -d
2. IntermediaCA1啟動1) 初始化CA服務
# fabric-ca-server init -b admin1:adminpw1 -u http://admin:[email protected]:7054 --home ./intermediaca1 # vi ./intermediaca1/fabric-ca-server-config.yaml 修改 port: 7055
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin1:adminpw1 -u http://admin:[email protected]:7054 --home ./intermediaca1 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca1.yml到ca-server目錄
# docker-compose -f docker-intermediaca1.yaml up -d
3. IntermediaCAtls1啟動1) 初始化CA服務
# fabric-ca-server init -b admin1:adminpw1 -u http://admin:[email protected]:7054 --home ./intermediacatls1 # vi ./intermediacatls1/fabric-ca-server-config.yaml 修改 port: 8055
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin1:adminpw1 -u http://admin:[email protected]:7054 --home ./intermediacatls1 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca1.yml到ca-server目錄
# docker-compose -f docker-intermediacatls1.yaml up -d
4. IntermediaCA2啟動1) 初始化CA服務
# fabric-ca-server init -b admin2:adminpw2 -u http://admin:[email protected]:7054 --home ./intermediaca2 # vi ./intermediaca2/fabric-ca-server-config.yaml 修改 port:7056
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin2:adminpw2 -u http://admin:[email protected]:7054 --home ./intermediaca2 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca2.yml到ca-server目錄
# docker-compose -f docker-intermediaca2.yaml up -d
5. IntermediaCAtls2啟動1) 初始化CA服務
# fabric-ca-server init -b admin2:adminpw2 -u http://admin:[email protected]:7054 --home ./intermediacatls2 # vi ./intermediacatls2/fabric-ca-server-config.yaml 修改 port:8056
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin2:adminpw2 -u http://admin:[email protected]:7054 --home ./intermediacatls2 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca2.yml到ca-server目錄
# docker-compose -f docker-intermediacatls2.yaml up -d
6. IntermediaCA3啟動1) 初始化CA服務
# fabric-ca-server init -b admin3:adminpw3 -u http://admin:[email protected]:7054 --home ./intermediaca3 # vi ./intermediaca3/fabric-ca-server-config.yaml 修改 port: 7057
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin3:adminpw3 -u http://admin:[email protected]:7054 --home ./intermediaca3 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca3.yml到ca-server目錄
# docker-compose -f docker-intermediaca3.yaml up -d
7. IntermediaCAtls3啟動1) 初始化CA服務
# fabric-ca-server init -b admin3:adminpw3 -u http://admin:[email protected]:7054 --home ./intermediacatls3 # vi ./intermediacatls3/fabric-ca-server-config.yaml 修改 port: 8057
2) 啟動CA服務【命令列啟動】
# fabric-ca-server start -b admin3:adminpw3 -u http://admin:[email protected]:7054 --home ./intermediacatls3 --cfg.affiliations.allowremove --cfg.identities.allowremove
【docker啟動】拷貝檔案docker-intermediaca3.yml到ca-server目錄
# docker-compose -f docker-intermediacatls3.yaml up -d
(二) IntermediaCA1生成證書1. 生成example.com的msp1) 登記example.com
# cd /opt/gopath/src/github.com/hyperledger/fabric-ca/bin/ca-server # fabric-ca-client enroll -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client
2) 新增聯盟成員
# fabric-ca-client affiliation list -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org2 -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client # fabric-ca-client affiliation add com -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]t:7055 --home ./fabric-ca-client
2. 生成[email protected]的msp1) 註冊[email protected]
# fabric-ca-client register --id.name [email protected] --id.type client --id.affiliation "com.example" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client
2) 登記[email protected]
# fabric-ca-client enroll -u http://[email protected]:[email protected]:7055 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/users/[email protected]/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/admincerts # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/admincerts # mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/msp/admincerts
3. 生成orderer0.example.com的msp和tls1) 註冊orderer0.example.com
# fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client
2) 登記orderer0.example.com
# fabric-ca-client enroll -u http://orderer0.example.com:[email protected]:7055 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/admincerts
4. 生成orderer1.example.com的msp1) 註冊orderer1.example.com
# fabric-ca-client register --id.name orderer1.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client
2) 登記orderer1.example.com
# fabric-ca-client enroll -u http://orderer1.example.com:[email protected]:7055 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/admincerts
5. 生成orderer2.example.com的msp1) 註冊orderer2.example.com
# fabric-ca-client register --id.name orderer2.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/msp -u http://admin1:[email protected]:7055 --home ./fabric-ca-client
2) 登記orderer2.example.com
# fabric-ca-client enroll -u http://orderer2.example.com:[email protected]:7055 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/admincerts
(三) IntermediaCAtls1生成證書1. 生成example.com的msp1) 登記example.com
# cd /opt/gopath/src/github.com/hyperledger/fabric-ca/bin/ca-server # fabric-ca-client enroll -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2) 新增聯盟成員
# fabric-ca-client affiliation list -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org2 -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client # fabric-ca-client affiliation add com -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2. 生成[email protected]的tls1) 註冊[email protected]
# fabric-ca-client register --id.name [email protected] --id.type client --id.affiliation "com.example" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2) 登記[email protected]
# fabric-ca-client enroll -d --enrollment.profile tls -u http://[email protected]:[email protected]:8055 --csr.cn=example.com --csr.hosts=['example.com'] -M ./crypto-config/ordererOrganizations/example.com/users/[email protected]/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/tlsintermediatecerts/tls-localhost-8055.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/ca.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/client.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/users/[email protected]/tls/client.key
3. 生成orderer0.example.com的msp和tls1) 註冊orderer0.example.com
# fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2) 登記orderer0.example.com
# fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer0.example.com:[email protected]:8055 --csr.cn=orderer0.example.com --csr.hosts=['orderer0.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/tlsintermediatecerts/tls-localhost-8055.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/ca.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.key
4. 生成orderer1.example.com的msp1) 註冊orderer1.example.com
# fabric-ca-client register --id.name orderer1.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2) 登記orderer1.example.com
# fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer1.example.com:[email protected]:8055 --csr.cn=orderer1.example.com --csr.hosts=['orderer1.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/tlsintermediatecerts/tls-localhost-8055.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/ca.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.key
5. 生成orderer2.example.com的msp1) 註冊orderer2.example.com
# fabric-ca-client register --id.name orderer2.example.com --id.type orderer --id.affiliation "com.example" --id.attrs '"role=orderer",ecert=true' --id.secret=123456 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/tls -u http://admin1:[email protected]:8055 --home ./fabric-ca-client
2) 登記orderer2.example.com
# fabric-ca-client enroll -d --enrollment.profile tls -u http://orderer2.example.com:[email protected]:8055 --csr.cn=orderer2.example.com --csr.hosts=['orderer2.example.com'] -M ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlsintermediatecerts/tls-localhost-8055.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt # cp ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key
(四) IntermediaCA2生成證書1. 生成org1.example.com的msp1) 登記org1.example.com
# fabric-ca-client enroll --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client
2) 新增聯盟成員
# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client # fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example.org1 -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client
2. 生成[email protected]的msp1) 註冊[email protected]
# fabric-ca-client register --id.name [email protected] --id.type client --id.affiliation "com.example.org1" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client
2) 登記[email protected]
# fabric-ca-client enroll -u http://[email protected]:[email protected]:7056 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/admincerts # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/admincerts # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/msp/admincerts
3. 生成peer0.org1.example.com的msp1) 註冊peer0.org1.example.com
# fabric-ca-client register --id.name peer0.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client
2) 登記peer0.org1.example.com
# fabric-ca-client enroll -u http://peer0.org1.example.com:[email protected]:7056 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/admincerts
4. 生成peer1.org1.example.com的msp1) 註冊peer1.org1.example.com
# fabric-ca-client register --id.name peer1.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/msp -u http://admin2:[email protected]:7056 --home ./fabric-ca-client
2) 登記peer1.org1.example.com
# fabric-ca-client enroll -u http://peer1.org1.example.com:[email protected]:7056 --csr.cn=peer1.org1.example.com --csr.hosts=['peer1.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp --home ./fabric-ca-client
3) 生成msp
# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/admincerts # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/admincerts
(五) IntermediaCAtls2生成證書1. 生成org1.example.com的msp1) 登記org1.example.com
# fabric-ca-client enroll --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client
2) 新增聯盟成員
# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client # fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client # fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client # fabric-ca-client affiliation add com.example.org1 -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client
2. 生成[email protected]的msp1) 註冊[email protected]
# fabric-ca-client register --id.name [email protected] --id.type client --id.affiliation "com.example.org1" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client
2) 登記[email protected]
# fabric-ca-client enroll -d --enrollment.profile tls -u http://[email protected]:[email protected]:8056 --csr.cn=org1.example.com --csr.hosts=['org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/tlsintermediatecerts/tls-localhost-8056.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/ca.crt # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/client.crt # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/tls/client.key
3. 生成peer0.org1.example.com的msp1) 註冊peer0.org1.example.com
# fabric-ca-client register --id.name peer0.org1.example.com --id.type peer --id.affiliation "com.example.org1" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/tls -u http://admin2:[email protected]:8056 --home ./fabric-ca-client
2) 登記peer0.org1.example.com
# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org1.example.com:[email protected]:8056 --csr.cn=peer0.org1.example.com --csr.hosts=['peer0.org1.example.com'] -M ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --home ./fabric-ca-client
3) 生成tls
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlsintermediatecerts/tls-localhost-8056.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt # cp ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
4. 生成peer1.org1.example.com的tls1) 註冊peer1.org1.example.com
# fabric-ca-client register --id.name peer1.org1.example.com --id.type peer --id.affiliation "