fabric-ca-server使用root CA和interm

fabric-ca-server使用root CA和intermediate CA

一个例子说明fabric-ca-server如何使用根CA和中间CA。

1. 启动根CA

$ fabric-ca-server start -b admin:adminpw -p 7054

假设根CA启动在端口7054.

2. 启动中间CA

fabric-ca-server start -b admin:adminpw -p 7064 -u http://admin:adminpw@localhost:7054

假设中间CA启动在端口7064.

参数-u表示启动的是一个中间CA，-u的值指定上级根CA的地址。

到这里，我们可以看到根CA和中间CA所生成的配置文件如下：

rootca
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
    └── keystore
        └── 8bf83d802f3428e25e66c2131d4d09a428ed675b0bb5adf0b18757a03a653cbd_sk

immediateca
├── ca-cert.pem
├── ca-chain.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
└── msp
    ├── cacerts
    ├── keystore
    │   └── 9c669833b37097ec194fe16b68bb7e9a1b30ae36aa34ed7e81483032681f2043_sk
    └── signcerts

中间CA比根CA多了一个ca-chain.pem证书文件。我们打开文件intermediateca/ca-chain.pem看一下，其内容恰好包含两个证书(root CA和intermediate CA)内容，也就是证书链:

<content of intermediateca/ca-cert.pem>
<content of rootca/ca-cert.pem>

再看一下他们的验证关系：

$ openssl verify -verbose -CAfile rootca/ca-cert.pem intermediateca/ca-cert.pem 
immediateca/ca-cert.pem: OK
$ openssl verify -verbose -CAfile rootca/ca-cert.pem intermediateca/ca-chain.pem 
immediateca/ca-chain.pem: OK
$ openssl verify -verbose -CAfile intermediateca/ca-chain.pem intermediateca/ca-cert.pem
intermediate/ca-cert.pem: OK
$ openssl verify -verbose -CAfile intermediateca/ca-cert.pem intermediateca/ca-chain.pem
immediateca/ca-chain.pem: C = US, ST = North Carolina, O = Hyperledger, OU = client, CN = admin
error 20 at 0 depth lookup:unable to get local issuer certificate

我们可以看到root节点的根证书，可以验证intermediate节点的根证书；也就说验证了intermediate节点的根证书是由root节点签发的，他们形成证书链关系。

3. 向intermediate CA注册(register)和登记(enroll)用户

intermediate CA的服务端口是7064。

$ fabric-ca-client enroll --home admin --url http://admin:adminpw@localhost:7064
$ fabric-ca-client register --home admin --id.name tester --id.secret testpasswd --id.type user
$ fabric-ca-client enroll --home tester --url http://tester:testpasswd@localhost:7064

登记了一个名为tester的用户。

再来看tester用户的msp目录：

$ tree tester/msp
tester/msp
├── cacerts
│   └── localhost-7064.pem
├── intermediatecerts
│   └── localhost-7064.pem
├── keystore
│   └── b9d4aeed6a4c261e7fd183bafbe11b369414d4873875c885bac374f76fe25b70_sk
└── signcerts
    └── cert.pem

下面列举出来这些文件和root CA/intermediate CA的配置文件的相等关系：

msp/cacerts/localhost-7064.pem            ==   rootca/ca-cert.pem
msp/intermediatecerts/localhost-7064.pem  ==   intermediateca/ca-cert.pem

两点：

• msp的cacerts证书是root CA的根证书。
• msp的intermediatecerts证书是intermediate CA的根证书。

下面我们看用户的证书：msp/signcerts/cert.pem

$ openssl verify -verbose -CAfile ../../intermediateca/ca-chain.pem msp/signcerts/cert.pem

就是说用户的msp/signcerts/cert.pem证书，必须被intermediate CA的ca-chain.pem验证，因为后者包含了两个证书内容，即root CA和intermediate CA的证书，所以形成证书链验证。任何单个的CA证书(不管是root CA还是intermediate CA)都不能单独验证成功。

也可以分别指定root CA和intermediate CA的证书进行验证：

$ openssl verify -verbose \
  -CAfile msp/cacerts/localhost-7064.pem \
  -untrusted msp/intermediatecerts/localhost-7064.pem \
  msp/signcerts/cert.pem
msp/signcerts/cert.pem: OK