chainmaker-ca

module
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2023 License: Apache-2.0

README

CA证书服务

功能介绍

  1. 根据提供的信息生成公私钥和签发单个证书,并保存证书和密钥(root密钥不作保存,只生成文件)。

  2. 通过CSR文件签发单个证书,并保存证书。

  3. 可以延期某个具体证书的有效期。

  4. 可以通过证书链上的CA证书撤销某个证书。

  5. 能够生成CA证书的最新的撤销列表文件(CRL文件)。

  6. root证书可以选择配置或者自签生成。

  7. 可以配置不同的启动方式,用来区分tls和sign证书的签发。

  8. 可以签发单独使用的tls加密或者签名证书(国密标准,tls双证书)。

  9. 可以配置中间证书启动,保护root证书。

  10. 提供开启密钥文件加密功能。

安装部署

环境依赖
代码下载
$ git clone https://git.chainmaker.org.cn/chainmaker/chainmaker-ca.git
运行启动
修改mysql数据库连接配置
$ cd src/conf/

$ vi config.yaml  # 配置mysql数据库,打开config.yaml,修改db_config
部署启动
  • 方式一:

    准备并启动mysql数据库

    mysql

    编译chainmaker-ca程序

    $ cd src/
    $ go build -o chainmaker-ca
    

    启动程序

    $ cd src/
    $ ./chainmaker-ca -config ./conf/config.yaml
    
  • 方式二:

    准备docker基础镜像

    mysql: 8.0, golang:1.16.2, centos:7.6.1810

    启动docker容器脚本

    $ sh deploy.sh
    

配置文件详解

目录:src/conf/config.yaml

配置文件主要是以下几部分构成:

base config

CA服务的基础配置

# Base config
base_config:
  server_port: 8090                     #服务端口
  ca_type: single_root                  #启动模式:double_root/single_root/tls/sign
  expire_year: 2                        #签发有效年限
  expire_month: 6                       #签发有效月份(优先级高于年限)
  hash_type: SHA256                     #使用哈希类型:SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256                #使用密钥类型:ECC_NISTP256/SM2/RSA2048
  can_issue_ca: true                    #是否能继续签发CA证书          
  provide_service_for: [org1,org2]      #提供服务的组织列表(若不配置,则不限制组织)   
  key_encrypt: false                    #密钥是否加密 
  access_control: true                  #是否开启访问控制
  default_domain: chainmaker.org        #证书里的域名(如果不开启配置,则不会填写)

*

  • SM2和SM3必须要搭配使用

  • ca_type:

    CA启动模式,可以将tls和sign证书签发服务分离部署。

    • tls,该服务只提供为tls证书的签发服务。

    • sign,该服务只提供sign证书的签发服务。

    • single_root,可以为tls和sign证书同时提供签发服务,使用一个root CA证书。

    • double_root,可以为tls和sign证书同时提供签发服务,使用两个root CA证书。

  • can_issue_ca:

    在所提供服务的组织内,是否能够签发中间CA证书。

  • provide_service_for:

    对列表中的组织提供签发服务。可以仅配置一个组织,只为单个提供服务。也可以配置多个,向多个组织提供签发服务。如果不配置,则为任何组织服务。

  • key_encrypt:

    提供密钥文件加密的开关。如果开启,密钥会采用PEMCipherAES256加密方式,加密密钥文件。(root密钥不存储,也不加密)

  • access_control:

    访问控制开关,如果开启,访问将服务的所有接口需要携带token访问。

root config

root 证书的路径和CSR配置

# Root CA config
root_config:
  cert:
    -
      cert_type: tls                                             #root证书的类型:tls/sign
      cert_path: ../crypto-config/rootCA/tls/root-tls.crt        #证书的路径     
      private_key_path: ../crypto-config/rootCA/tls/root-tls.key #密钥的路径  
      key_id: SM2TlsKey261                                      #密码机pkcs11 key id
    -
      cert_type: sign
      cert_path: ../crypto-config/rootCA/sign/root-sign.crt               
      private_key_path: ../crypto-config/rootCA/sign/root-sign.key
      key_id: SM2SignKey262
  csr:
    CN: root.org-wx                                              #证书的信息的CN字段
    O: org-wx                                                    #证书的信息的O字段
    OU: root                                                     #证书的信息的OU字段
    country: CN                                                  #证书的信息的country字段
    locality: Beijing                                            #证书的信息的locality字段
    province: Beijing                                            #证书的信息的province字段
  • cert_type:

    证书的路径类型,如果CA的启动方式是double_root,需要同时配置tls和sign两种类型的证书路径。如果CA启动方式是single_root,需要配置sign类型的证书路径。

  • csr(选填):

    • 不填:读取cert目录下的root证书启动服务。

    • 填写:以CSR配置自签root证书启动服务。

    其中,OU字段需要符合chainmaker的证书校验规范,否则链上会校验失败。需要填写root。

intermediate_config

可选配置

中间CA的生成配置

# intermediate config
intermediate_config:                 
  -
    csr:
      CN: ca.org1
      O: org1
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey261
  -
    csr:
      CN: ca.org2
      O: org2
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey262
access_control_config

可选配置

访问控制账号配置

access_control_config:
  -
    app_role: admin            #角色
    app_id: admin              #账户ID
    app_key: passw0rd          #账户口令
  - 
    app_role: user
    app_id: user1
    app_key: passw0rd
  • app_role
    • admin : 所有权限
    • user :不能进行吊销、延期证书。只能申请,查询证书。
database config(MySQL)

数据库信息配置

db_config:
  user: root                   #用户名
  password: 123456             #密码
  ip: 127.0.0.1                #数据库服务器的IP地址
  port: 3306                   #数据库服务器的端口号
  dbname: chainmaker_ca        #建立的数据库的名称
log config

日志相关配置

log_config: 
  level: error               #日志等级
  filename: ../log/ca.log    #日志存取路径
  max_size: 1                #在进行切割之前,日志文件的最大大小(以MB为单位)
  max_age: 30                #保留旧文件的最大天数
  max_backups: 5             #保留旧文件的最大个数
pkcs11 config

硬件机密机相关配置

pkcs11_config:
  enabled: false                                   # pkcs11硬件加密开关。
  library: /usr/local/lib64/pkcs11/libupkcs11.so   # pkcs11连接库地址。
  label: HSM                                       # slot 标签
  password: 11111111                               # HSM token登录密码
  session_cache_size: 10                           # session 缓存大小
  hash: "SHA256"                                   # 哈希算法

可部署方式

CA-deployment.png

配置文件的使用

集中式1:

  1. 属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 启用多个中间CA,intermediate_config需要配置多个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

集中式2:

  1. 属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 启用单个中间CA证书,intermediate_config需要配置一个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

分布式1:

属于分布式和集中混合部署方式

  • 集中式部分
  1. 为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 没有启用配置中间CA证书,intermediate_config不需要配置。

  3. 允许继续签发中间CA证书,base_config.can_issue_ca为ture。

  • 分布式部分:
  1. 为一个组织提供服务,base_config.provide_service_for需要配置单个组织。

  2. root证书选择配置启动,root_config.csr部分不需要配置。

  3. 没有启用配置中间CA证书,intermediate_config不需要配置。

  4. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

分布式2:

  1. 属于分布式部署,为单个组织提供服务,base_config.provide_service_for只需要配置一个组织。

  2. 启用配置一个中间CA证书,intermediate_config需要配置一个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

服务接口

Code与Msg
Code Msg 含义
200 The request service returned successfully 成功
202 Missing required parameters 输入参数缺失
204 There is an error in the input parameter 输入参数非法
500 An error occurred with the internal service 执行服务失败
传参方式

统一为request body JSON的形式。

登录获取token接口

请求地址:http://localhost:8090/api/ca/login

请求方式:POST

请求参数:

字段 类型 含义 备注
appId string 登录id 必填
appKey string 登录口令 必填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "accessToken": "1111111",
        "expiressIn": 7200
    }
}
字段 类型 含义
accessToken string token值
expiressIn number 过期时间(秒)

申请证书

从创建密钥对到证书,一步完成。

请求URL:http://localhost:8090/api/ca/gencert

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
certUsage string 证书用途 必填
privateKeyPwd string 密钥密码 选填
country string 证书字段(国家) 必填
locality string 证书字段(城市) 必填
province string 证书字段(省份) 必填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 4523845175273844671,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
        "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL2vmKiNl3hymnVvjkD3f9xrGAmvJCZEkGD4VwueObaPoAoGCCqGSM49\nAwEHoUQDQgAEOkQfqEJCbHESNXpmHGBjB8dQFP3/W5DDrqknTbKb+i473RH7ZQTl\nTu5ms4uSeFXvJR2+uYy35xunwTGe2tL+VQ==\n-----END EC PRIVATE KEY-----\n"
    }
}
字段 类型 含义 备注
cert string 证书内容
privateKey string 密钥内容
certSn number 证书序列号
issueCertSn number CA证书序列号
申请CSR

请求URL: http://localhost:8090/api/ca/gencsr

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
privateKeyPwd string 密钥密码 选填
country string 证书字段(国家) 必填
locality string 证书字段(城市) 必填
province string 证书字段(省份) 必填
token string token *选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCBxQIBADBjMQ4wDAYDVQQGEwVjaGluYTEQMA4GA1UECBMHYmVpamluZzEQ\nMA4GA1UEBxMHaGFpZGlhbjENMAsGA1UEChMEb3JnNzEOMAwGA1UECxMFYWRtaW4x\nDjAMBgNVBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaRv9OA2Z\nm/GcJibe/77u8lpABOLOVGgHzAzOd/h+9+Kq4+46CjXaISxEeTrqEMhLKCjcM1Bb\nm8jF5rWiQCFKFaAAMAoGCCqGSM49BAMCA0gAMEUCIFYjsphgIcInLjdhyYtILnFR\nJH7T/vahNbut8OvEgQ9tAiEAsNxL8xw+hGfhd9NgrxEx3Fv9Vj6wv1X3jaHvljME\n76U=\n-----END CERTIFICATE REQUEST-----\n"
}
通过CSR申请证书

请求URL:http://localhost:8090/api/ca/gencertbycsr

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
certUsage string 证书用途 必填
csr string csr文件流 必填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 1752004958408437983,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n"
    }
}
字段 类型 含义 备注
cert string 证书内容
certSn number 证书序列号
issueCertSn number CA证书序列号

多条件查询证书

请求URL:http://localhost:8090/api/ca/querycerts

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 选填
userId string 用户ID 选填
userType string 用户类型 选填
certUsage string 证书用途 选填
certSn number 证书序列号 选填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": [
        {
            "userId": "consensus1",
            "orgId": "org1",
            "userType": "consensus",
            "certUsage": "tls",
            "certSn": 4523845175273844671,
            "issuerSn": 1146073575643658842,
            "certContent": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
            "expirationDate": 1663147467,
            "isRevoked": false
        },
        {
            "userId": "consensus2",
            "orgId": "org2",
            "userType": "consensus",
            "certUsage": "tls",
            "certSn": 1752004958408437983,
            "issuerSn": 1146073575643658842,
            "certContent": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n",
            "expirationDate": 1663148026,
            "isRevoked": false
        }
    ]
}
字段 类型 含义 备注
certSn number 证书序列号
issuerSn number 签发者证书序列号
certContent string 证书内容
userId string 用户ID
orgId string 组织ID
userType string 用户类型
certUsage string 证书用途
expirationDate number 到期时间 unix时间戳
isRevoked boolean 是否被撤销
延期证书

请求URL:http://localhost:8090/api/ca/renewcert

请求方式:POST

请求参数:

字段 类型 含义 备注
certSn number 证书序列号 必填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 1752004958408437983,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChTCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMzAz\nMTMwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nSAAwRQIhAOdDmyl0xI3cAxahOXc5pe8RYvl4OquK8jco0E+eqU+LAiBlxgWg1CqW\nk4a1oJF+LK/e1cUXnctf/6NqJLycIElwkA==\n-----END CERTIFICATE-----\n"
    }
}
撤销证书

请求URL:http://localhost:8090/api/ca/revokecert

请求方式:POST

请求参数:

字段 类型 含义 备注
revokedCertSn number 证书序列号 必填
issuerCertSn number 撤销者(ca)证书序列号 必填
reason string 撤销原因 选填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}
获取某个CA的最新的撤销列表

请求URL:http://localhost:8090/api/ca/gencrl

请求方式:POST

请求参数:

字段 类型 含义 备注
issuerCertSn number CA证书序列号 必填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}

获取节点TLS证书的NodeID

请求URL:http://localhost:8090/api/ca/getnodeid

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 选填
userId string 用户ID 选填
userType string 用户类型 选填
certUsage string 证书用途 选填
certSn number 证书序列号 选填(精确查找)
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
}

使用案例

案例一:使用已有组织的CA证书,颁发节点和用户证书
环境准备
  • 已经成功启动的长安链

    详情启动流程见快速入门

  • CA服务的配置文件(示例)

# log config
log_config:
  level: info                                   # The log level                               
  filename: ../log/ca.log                       # The path to the log file            
  max_size: 1                                   # The maximum size of the log file before cutting (MB)
  max_age: 30                                   # The maximum number of days to retain old log files
  max_backups: 5                                # Maximum number of old log files to keep

# db config
db_config:
  user: root
  password: 123456
  ip: 127.0.0.1
  port: 13306
  dbname: chainmaker_ca

# Base config
base_config:
  server_port: 8090                                  # Server port configuration
  ca_type: single_root                               # Ca server type : double_root/single_root/tls/sign
#  expire_year: 2                                    # The expiration time of the certificate (year)
  expire_month: 6                                    # The expiration time of the certificate (month)(high level)
#  cert_valid_time : 2m                              # cert valid time (for testing use only)
  hash_type: SHA256                                  # SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256                             # ECC_NISTP256/SM2
  can_issue_ca: false                                # Whether can continue to issue CA cert
#  provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]      
                                                     # A list of organizations that provide services
  key_encrypt: false                                 # Whether the key is stored in encryption
  access_control: false                              # Whether to enable permission control
#  default_domain: chainmaker.org                    # the default value for sans in the certificate

pkcs11_config:
  enabled: false
  library: /usr/local/lib64/pkcs11/libupkcs11.so
  label: HSM
  password: 11111111
  session_cache_size: 10
  hash: "SHA256"

# Root CA config
root_config:
  cert:
    - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
      key_id: SM2SignKey261                                            # pkcs11 key id
  # csr:
  #   CN: root                
  #   O: org-root                         
  #   OU: root                         
  #   country: CN                      
  #   locality: Beijing                
  #   province: Beijing             

# access control config
access_control_config:
  - app_role: admin
    app_id: admin1
    app_key: passw0rd
  - app_role: user
    app_id: user1
    app_key: passw0rd

修改配置

# Root CA config
root_config:
  cert:
    - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
      key_id: SM2SignKey261                                            # pkcs11 key id
  # csr:
  #   CN: root                
  #   O: org-root                         
  #   OU: root                         
  #   country: CN                      
  #   locality: Beijing                
  #   province: Beijing   

需要修改:

  1. cert_path: 需将该路径下的证书文件替换成在链上已有组织的CA证书文件

    也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:

    -v $path/crypto-config:/crypto-config \
    

    $path/crypto-config目录替换

  2. private_key_path: 需将该路径下的密钥文件替换成在链上已有组织的CA密钥文件

    也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:

    -v $path/crypto-config:/crypto-config \
    

    $path/crypto-config目录替换

  3. csr: 需要注释掉,不再配置。(由于root CA是配置启动,不需要该部分信息去生成)

  • 已经启动的CA服务

    详情启动流程见上文安装部署

生成证书

调用上文中申请证书的接口

参数填写(以BodyJSON为例)

共识节点(consensus node)Sign证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

共识节点(consensus node)Tls证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Sign证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Tls证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId

以组织1的共识节点为例:

  nodes:
    - # 节点地址,格式为:IP:端口:连接数
      node_addr: "127.0.0.1:12301"
      # 节点连接数
      conn_cnt: 10
      # RPC连接是否启用双向TLS认证
      enable_tls: true
      # 信任证书池路径
      trust_root_paths:
        - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
      # TLS hostname
      # tls_host_name: "chainmaker.org"
      #########################################
      tls_host_name: "org1.consensus1.com"
      #########################################
获取节点TLS证书的NodeId

调用上文中获取节点TLS证书的NodeID的接口

参数填写(以BodyJSON为例)

获取共识节点(consensus node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls"
}

获取共识节点(common node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls"
}

bc1.ymlchainmaker.yml中的nodeId替换,配置文件修改位置如下:

  • bc1.yml
#共识配置
consensus:
  # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  • chainmaker.yml
# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
案例二:使用CA生成全套的ChainMaker证书
环境准备
  • 已经成功启动的长安链

    详情启动流程见快速入门

  • CA服务的配置文件(示例)

    # log config
    log_config:
      level: info                                   # The log level                               
      filename: ../log/ca.log                       # The path to the log file            
      max_size: 1                                   # The maximum size of the log file before cutting (MB)
      max_age: 30                                   # The maximum number of days to retain old log files
      max_backups: 5                                # Maximum number of old log files to keep
    
    # db config
    db_config:
      user: root
      password: 123456
      ip: 127.0.0.1
      port: 13306
      dbname: chainmaker_ca
    
    # Base config
    base_config:
      server_port: 8090                                  # Server port configuration
      ca_type: single_root                               # Ca server type : double_root/single_root/tls/sign
    #  expire_year: 2                                    # The expiration time of the certificate (year)
      expire_month: 6                                    # The expiration time of the certificate (month)(high level)
    #  cert_valid_time : 2m                              # cert valid time (for testing use only)
      hash_type: SHA256                                  # SHA256/SHA3_256/SM3
      key_type: ECC_NISTP256                             # ECC_NISTP256/SM2
      can_issue_ca: false                                # Whether can continue to issue CA cert
    #  provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]      
                                                         # A list of organizations that provide services
      key_encrypt: false                                  # Whether the key is stored in encryption
      access_control: false                              # Whether to enable permission control
    #  default_domain: chainmaker.org                    # the default value for sans in the certificate
    
    pkcs11_config:
      enabled: false
      library: /usr/local/lib64/pkcs11/libupkcs11.so
      label: HSM
      password: 11111111
      session_cache_size: 10
      hash: "SHA256"
    
    # Root CA config
    root_config:
      cert:
        - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
          cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
          private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
          key_id: SM2SignKey261                                            # pkcs11 key id
      csr:
        CN: root                
        O: org-root                         
        OU: root                         
        country: CN                      
        locality: Beijing                
        province: Beijing             
    
    # intermediate config
    intermediate_config: 
      - csr:
          CN: ca-wx-org1.chainmaker.org                        
          O: wx-org1.chainmaker.org                        
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey6
    
      - csr:
          CN: ca-wx-org2.chainmaker.org                       
          O: wx-org2.chainmaker.org                     
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey249
    
      - csr:
          CN: ca-wx-org3.chainmaker.org                       
          O: wx-org3.chainmaker.org                    
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey257
    
      - csr:
          CN: ca-wx-org4.chainmaker.org                    
          O: wx-org4.chainmaker.org                    
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey260
    
    # access control config
    access_control_config:
      - app_role: admin
        app_id: admin1
        app_key: passw0rd
      - app_role: user
        app_id: user1
        app_key: passw0rd
    
  • 已经启动的CA服务

    详情启动流程见上文安装部署

获取CA证书

由于以下配置部分,CA服务在启动时,就会生成相应的组织CA证书

intermediate_config: 
  - csr:
      CN: ca-wx-org1.chainmaker.org                        
      O: wx-org1.chainmaker.org                        
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey6

  - csr:
      CN: ca-wx-org2.chainmaker.org                       
      O: wx-org2.chainmaker.org                     
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey249
    
  - csr:
      CN: ca-wx-org3.chainmaker.org                       
      O: wx-org3.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey257

  - csr:
      CN: ca-wx-org4.chainmaker.org                    
      O: wx-org4.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey260

CA服务启动后,直接调用多条件查询证书,获取CA证书

参数填写(以BodyJSON为例)

获取org1的CA证书:

{
    "orgId": "wx-org1.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org2的CA证书:

{
    "orgId": "wx-org2.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org3的CA证书:

{
    "orgId": "wx-org3.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org4的CA证书:

{
    "orgId": "wx-org4.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

注:获取的CA证书,需要在启动链时,将他们配置到链配置文件bc1.ymltrust_roots

生成证书

调用上文中申请证书的接口userId

参数填写(以org1为例)

共识节点(consensus node)Sign证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

共识节点(consensus node)Tls证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Sign证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Tls证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId

以组织1的共识节点为例:

  nodes:
    - # 节点地址,格式为:IP:端口:连接数
      node_addr: "127.0.0.1:12301"
      # 节点连接数
      conn_cnt: 10
      # RPC连接是否启用双向TLS认证
      enable_tls: true
      # 信任证书池路径
      trust_root_paths:
        - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
      # TLS hostname
      # tls_host_name: "chainmaker.org"
      #########################################
      tls_host_name: "org1.consensus1.com"
      #########################################
获取节点TLS证书的NodeId

调用上文中获取节点TLS证书的NodeID的接口

参数填写(以BodyJSON为例)

获取共识节点(consensus node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls"
}

获取同步节点(common node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls"
}

bc1.ymlchainmaker.yml中的nodeId替换,配置文件修改位置如下:

  • bc1.yml
#共识配置
consensus:
  # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  • chainmaker.yml
# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"

重复以上步骤,依次生成org2,org3,org4的全部证书即可在链上使用。

Directories

Path Synopsis
src

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL