3. CA证书服务使用详解

CA证书服务设计链接:CA证书服务设计

3.1. 功能介绍

  1. 根据提供的信息生成公私钥和签发单个证书,并保存证书和密钥(root密钥不作保存,只生成文件)。

  2. 通过CSR文件签发单个证书,并保存证书。

  3. 可以延期某个具体证书的有效期。

  4. 可以通过证书链上的CA证书撤销某个证书。

  5. 能够生成CA证书的最新的撤销列表文件(CRL文件)。

  6. root证书可以选择配置或者自签生成。

  7. 可以配置不同的启动方式,用来区分tls和sign证书的签发。

  8. 可以签发单独使用的tls加密或者签名证书(国密标准,tls双证书)。

  9. 可以配置中间证书启动,保护root证书。

  10. 提供开启密钥文件加密功能。

3.2. 安装部署

3.2.1. 环境依赖

  • golang

    • 版本为1.16或以上

    • 下载地址:https://golang.org/dl/

3.2.2. 代码下载

$ git clone https://git.chainmaker.org.cn/chainmaker/chainmaker-ca.git

3.2.3. 运行启动

3.2.3.1. 修改mysql数据库连接配置

$ cd src/conf/

$ vi config.yaml  # 配置mysql数据库,打开config.yaml,修改db_config

3.2.3.2. 部署启动

  • 方式一:

    准备并启动mysql数据库

    mysql

    • 版本8.0及以上

    • 下载地址:https://dev.mysql.com/downloads/installer/

    编译chainmaker-ca程序

    $ cd src/
    $ go build -o chainmaker-ca
    

    启动程序

    $ cd src/
    $ ./chainmaker-ca -config ./conf/config.yaml
    
  • 方式二:

    准备docker基础镜像

    mysql: 8.0, golang:1.16.2, centos:7.6.1810

    启动docker容器脚本

    $ sh deploy.sh
    

3.3. 配置文件详解

目录:src/conf/config.yaml

配置文件主要是以下几部分构成:

3.3.1. base config

CA服务的基础配置

# Base config
base_config:
  server_port: 8090                     #服务端口
  ca_type: single_root                  #启动模式:double_root/single_root/tls/sign
  expire_year: 2                        #签发有效年限
  expire_month: 6                       #签发有效月份(优先级高于年限)
  hash_type: SHA256                     #使用哈希类型:SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256                #使用密钥类型:ECC_NISTP256/SM2/RSA2048
  can_issue_ca: true                    #是否能继续签发CA证书          
  provide_service_for: [org1,org2]      #提供服务的组织列表(若不配置,则不限制组织)   
  key_encrypt: false                    #密钥是否加密 
  access_control: true                  #是否开启访问控制
  default_domain: chainmaker.org        #证书里的域名(如果不开启配置,则不会填写)

*

  • SM2和SM3必须要搭配使用

  • ca_type:

    CA启动模式,可以将tls和sign证书签发服务分离部署。

    • tls,该服务只提供为tls证书的签发服务。

    • sign,该服务只提供sign证书的签发服务。

    • single_root,可以为tls和sign证书同时提供签发服务,使用一个root CA证书。

    • double_root,可以为tls和sign证书同时提供签发服务,使用两个root CA证书。

  • can_issue_ca:

    在所提供服务的组织内,是否能够签发中间CA证书。

  • provide_service_for:

    对列表中的组织提供签发服务。可以仅配置一个组织,只为单个提供服务。也可以配置多个,向多个组织提供签发服务。如果不配置,则为任何组织服务。

  • key_encrypt:

    提供密钥文件加密的开关。如果开启,密钥会采用PEMCipherAES256加密方式,加密密钥文件。(root密钥不存储,也不加密)

  • access_control:

    访问控制开关,如果开启,访问将服务的所有接口需要携带token访问。

3.3.2. root config

root 证书的路径和CSR配置

# Root CA config
root_config:
  cert:
    -
      cert_type: tls                                             #root证书的类型:tls/sign
      cert_path: ../crypto-config/rootCA/tls/root-tls.crt        #证书的路径     
      private_key_path: ../crypto-config/rootCA/tls/root-tls.key #密钥的路径  
      key_id: SM2TlsKey261                                      #密码机pkcs11 key id
    -
      cert_type: sign
      cert_path: ../crypto-config/rootCA/sign/root-sign.crt               
      private_key_path: ../crypto-config/rootCA/sign/root-sign.key
      key_id: SM2SignKey262
  csr:
    CN: root.org-wx                                              #证书的信息的CN字段
    O: org-wx                                                    #证书的信息的O字段
    OU: root                                                     #证书的信息的OU字段
    country: CN                                                  #证书的信息的country字段
    locality: Beijing                                            #证书的信息的locality字段
    province: Beijing                                            #证书的信息的province字段
  • cert_type:

    证书的路径类型,如果CA的启动方式是double_root,需要同时配置tls和sign两种类型的证书路径。如果CA启动方式是single_root,需要配置sign类型的证书路径。

  • csr(选填):

    • 不填:读取cert目录下的root证书启动服务。

    • 填写:以CSR配置自签root证书启动服务。

    其中,OU字段需要符合chainmaker的证书校验规范,否则链上会校验失败。需要填写root。

3.3.3. intermediate_config

可选配置

中间CA的生成配置

# intermediate config
intermediate_config:                 
  -
    csr:
      CN: ca.org1
      O: org1
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey261
  -
    csr:
      CN: ca.org2
      O: org2
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey262

3.3.4. access_control_config

可选配置

访问控制账号配置

access_control_config:
  -
    app_role: admin            #角色
    app_id: admin              #账户ID
    app_key: passw0rd          #账户口令
  - 
    app_role: user
    app_id: user1
    app_key: passw0rd
  • app_role

    • admin : 所有权限

    • user :不能进行吊销、延期证书。只能申请,查询证书。

3.3.5. database config(MySQL)

数据库信息配置

db_config:
  user: root                   #用户名
  password: 123456             #密码
  ip: 127.0.0.1                #数据库服务器的IP地址
  port: 3306                   #数据库服务器的端口号
  dbname: chainmaker_ca        #建立的数据库的名称

3.3.6. log config

日志相关配置

log_config: 
  level: error               #日志等级
  filename: ../log/ca.log    #日志存取路径
  max_size: 1                #在进行切割之前,日志文件的最大大小(以MB为单位)
  max_age: 30                #保留旧文件的最大天数
  max_backups: 5             #保留旧文件的最大个数

3.3.7. pkcs11 config

硬件机密机相关配置

pkcs11_config:
  enabled: false                                   # pkcs11硬件加密开关。
  library: /usr/local/lib64/pkcs11/libupkcs11.so   # pkcs11连接库地址。
  label: HSM                                       # slot 标签
  password: 11111111                               # HSM token登录密码
  session_cache_size: 10                           # session 缓存大小
  hash: "SHA256"                                   # 哈希算法

3.4. 可部署方式

CA-deployment.png

3.4.1. 配置文件的使用

集中式1:

  1. 属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 启用多个中间CA,intermediate_config需要配置多个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

集中式2:

  1. 属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 启用单个中间CA证书,intermediate_config需要配置一个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

分布式1:

属于分布式和集中混合部署方式

  • 集中式部分

  1. 为多个组织提供服务,base_config.provide_service_for需要配置多个组织。

  2. 没有启用配置中间CA证书,intermediate_config不需要配置。

  3. 允许继续签发中间CA证书,base_config.can_issue_ca为ture。

  • 分布式部分:

  1. 为一个组织提供服务,base_config.provide_service_for需要配置单个组织。

  2. root证书选择配置启动,root_config.csr部分不需要配置。

  3. 没有启用配置中间CA证书,intermediate_config不需要配置。

  4. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

分布式2:

  1. 属于分布式部署,为单个组织提供服务,base_config.provide_service_for只需要配置一个组织。

  2. 启用配置一个中间CA证书,intermediate_config需要配置一个。

  3. 不允许继续签发中间CA证书,base_config.can_issue_ca为false。

3.5. 服务接口

3.5.1. Code与Msg

Code Msg 含义
200 The request service returned successfully 成功
202 Missing required parameters 输入参数缺失
204 There is an error in the input parameter 输入参数非法
500 An error occurred with the internal service 执行服务失败

3.5.2. 传参方式

统一为request body JSON的形式。

3.5.3. 登录获取token接口

请求地址:http://localhost:8090/api/ca/login

请求方式:POST

请求参数:

字段 类型 含义 备注
appId string 登录id 必填
appKey string 登录口令 必填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "accessToken": "1111111",
        "expiressIn": 7200
    }
}
字段 类型 含义
accessToken string token值
expiressIn number 过期时间(秒)

3.5.4. 申请证书

从创建密钥对到证书,一步完成。

请求URL:http://localhost:8090/api/ca/gencert

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
certUsage string 证书用途 必填
privateKeyPwd string 密钥密码 选填
country string 证书字段(国家) 必填
locality string 证书字段(城市) 必填
province string 证书字段(省份) 必填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 4523845175273844671,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
        "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL2vmKiNl3hymnVvjkD3f9xrGAmvJCZEkGD4VwueObaPoAoGCCqGSM49\nAwEHoUQDQgAEOkQfqEJCbHESNXpmHGBjB8dQFP3/W5DDrqknTbKb+i473RH7ZQTl\nTu5ms4uSeFXvJR2+uYy35xunwTGe2tL+VQ==\n-----END EC PRIVATE KEY-----\n"
    }
}
字段 类型 含义 备注
cert string 证书内容
privateKey string 密钥内容
certSn number 证书序列号
issueCertSn number CA证书序列号

3.5.5. 申请CSR

请求URL: http://localhost:8090/api/ca/gencsr

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
privateKeyPwd string 密钥密码 选填
country string 证书字段(国家) 必填
locality string 证书字段(城市) 必填
province string 证书字段(省份) 必填
token string token *选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCBxQIBADBjMQ4wDAYDVQQGEwVjaGluYTEQMA4GA1UECBMHYmVpamluZzEQ\nMA4GA1UEBxMHaGFpZGlhbjENMAsGA1UEChMEb3JnNzEOMAwGA1UECxMFYWRtaW4x\nDjAMBgNVBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaRv9OA2Z\nm/GcJibe/77u8lpABOLOVGgHzAzOd/h+9+Kq4+46CjXaISxEeTrqEMhLKCjcM1Bb\nm8jF5rWiQCFKFaAAMAoGCCqGSM49BAMCA0gAMEUCIFYjsphgIcInLjdhyYtILnFR\nJH7T/vahNbut8OvEgQ9tAiEAsNxL8xw+hGfhd9NgrxEx3Fv9Vj6wv1X3jaHvljME\n76U=\n-----END CERTIFICATE REQUEST-----\n"
}

3.5.6. 通过CSR申请证书

请求URL:http://localhost:8090/api/ca/gencertbycsr

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID *选填
userType string 用户类型 必填
certUsage string 证书用途 必填
csr string csr文件流 必填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

*注:

  • userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 1752004958408437983,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n"
    }
}
字段 类型 含义 备注
cert string 证书内容
certSn number 证书序列号
issueCertSn number CA证书序列号

3.5.7. 多条件查询证书

请求URL:http://localhost:8090/api/ca/querycerts

请求方式:POST

请求参数:

字段 类型 含义 备注
orgId string 组织ID 选填
userId string 用户ID 选填
userType string 用户类型 选填
certUsage string 证书用途 选填
certSn number 证书序列号 选填
token string token 选填
  • userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common

  • certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": [
        {
            "userId": "consensus1",
            "orgId": "org1",
            "userType": "consensus",
            "certUsage": "tls",
            "certSn": 4523845175273844671,
            "issuerSn": 1146073575643658842,
            "certContent": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
            "expirationDate": 1663147467,
            "isRevoked": false
        },
        {
            "userId": "consensus2",
            "orgId": "org2",
            "userType": "consensus",
            "certUsage": "tls",
            "certSn": 1752004958408437983,
            "issuerSn": 1146073575643658842,
            "certContent": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n",
            "expirationDate": 1663148026,
            "isRevoked": false
        }
    ]
}
字段 类型 含义 备注
certSn number 证书序列号
issuerSn number 签发者证书序列号
certContent string 证书内容
userId string 用户ID
orgId string 组织ID
userType string 用户类型
certUsage string 证书用途
expirationDate number 到期时间 unix时间戳
isRevoked boolean 是否被撤销

3.5.8. 延期证书

请求URL:http://localhost:8090/api/ca/renewcert

请求方式:POST

请求参数:

字段 类型 含义 备注
certSn number 证书序列号 必填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": {
        "certSn": 1752004958408437983,
        "issueCertSn": 1146073575643658842,
        "cert": "-----BEGIN CERTIFICATE-----\nMIIChTCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMzAz\nMTMwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nSAAwRQIhAOdDmyl0xI3cAxahOXc5pe8RYvl4OquK8jco0E+eqU+LAiBlxgWg1CqW\nk4a1oJF+LK/e1cUXnctf/6NqJLycIElwkA==\n-----END CERTIFICATE-----\n"
    }
}

3.5.9. 撤销证书

请求URL:http://localhost:8090/api/ca/revokecert

请求方式:POST

请求参数:

字段 类型 含义 备注
revokedCertSn number 证书序列号 必填
issuerCertSn number 撤销者(ca)证书序列号 必填
reason string 撤销原因 选填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}

3.5.10. 获取某个CA的最新的撤销列表

请求URL:http://localhost:8090/api/ca/gencrl

请求方式:POST

请求参数:

字段 类型 含义 备注
issuerCertSn number CA证书序列号 必填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}

3.5.11. 获取节点TLS证书的NodeID

请求URL:http://localhost:8090/api/ca/getnodeid

请求方式:POST

请求参数:

条件查找方式:

字段 类型 含义 备注
orgId string 组织ID 必填
userId string 用户ID 必填
userType string 用户类型 必填
certUsage string 证书用途 必填
token string token 选填

序列号查找方式:

字段 类似 含义 备注
certSn number 证书序列号 必填
token string token 选填

返回数据:

{
    "code": 200,
    "msg": "The request service returned successfully",
    "data": "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
}

3.6. 使用案例

3.6.1. 案例一:使用已有组织的CA证书,颁发节点和用户证书

3.6.1.1. 环境准备

  • 已经成功启动的长安链

    详情启动流程见快速入门

  • CA服务的配置文件(示例)

# log config
log_config:
  level: info                                   # The log level                               
  filename: ../log/ca.log                       # The path to the log file            
  max_size: 1                                   # The maximum size of the log file before cutting (MB)
  max_age: 30                                   # The maximum number of days to retain old log files
  max_backups: 5                                # Maximum number of old log files to keep

# db config
db_config:
  user: root
  password: 123456
  ip: 127.0.0.1
  port: 13306
  dbname: chainmaker_ca

# Base config
base_config:
  server_port: 8090                                  # Server port configuration
  ca_type: single_root                               # Ca server type : double_root/single_root/tls/sign
#  expire_year: 2                                    # The expiration time of the certificate (year)
  expire_month: 6                                    # The expiration time of the certificate (month)(high level)
#  cert_valid_time : 2m                              # cert valid time (for testing use only)
  hash_type: SHA256                                  # SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256                             # ECC_NISTP256/SM2
  can_issue_ca: false                                # Whether can continue to issue CA cert
#  provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]      
                                                     # A list of organizations that provide services
  key_encrypt: false                                 # Whether the key is stored in encryption
  access_control: false                              # Whether to enable permission control
#  default_domain: chainmaker.org                    # the default value for sans in the certificate

pkcs11_config:
  enabled: false
  library: /usr/local/lib64/pkcs11/libupkcs11.so
  label: HSM
  password: 11111111
  session_cache_size: 10
  hash: "SHA256"

# Root CA config
root_config:
  cert:
    - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
      key_id: SM2SignKey261                                            # pkcs11 key id
  # csr:
  #   CN: root                
  #   O: org-root                         
  #   OU: root                         
  #   country: CN                      
  #   locality: Beijing                
  #   province: Beijing             

# access control config
access_control_config:
  - app_role: admin
    app_id: admin1
    app_key: passw0rd
  - app_role: user
    app_id: user1
    app_key: passw0rd

修改配置

# Root CA config
root_config:
  cert:
    - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
      key_id: SM2SignKey261                                            # pkcs11 key id
  # csr:
  #   CN: root                
  #   O: org-root                         
  #   OU: root                         
  #   country: CN                      
  #   locality: Beijing                
  #   province: Beijing   

需要修改:

  1. cert_path: 需将该路径下的证书文件替换成在链上已有组织的CA证书文件

    也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:

    -v $path/crypto-config:/crypto-config \
    

    $path/crypto-config目录替换

  2. private_key_path: 需将该路径下的密钥文件替换成在链上已有组织的CA密钥文件

    也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:

    -v $path/crypto-config:/crypto-config \
    

    $path/crypto-config目录替换

  3. csr: 需要注释掉,不再配置。(由于root CA是配置启动,不需要该部分信息去生成)

  4. intermediate_config:需要注释掉,不再配置。

  • 已经启动的CA服务

    详情启动流程见上文安装部署

3.6.1.2. 生成证书

调用上文中申请证书的接口

参数填写(以BodyJSON为例)

共识节点(consensus node)Sign证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

共识节点(consensus node)Tls证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Sign证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Tls证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId

以组织1的共识节点为例:

  nodes:
    - # 节点地址,格式为:IP:端口:连接数
      node_addr: "127.0.0.1:12301"
      # 节点连接数
      conn_cnt: 10
      # RPC连接是否启用双向TLS认证
      enable_tls: true
      # 信任证书池路径
      trust_root_paths:
        - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
      # TLS hostname
      # tls_host_name: "chainmaker.org"
      #########################################
      tls_host_name: "org1.consensus1.com"
      #########################################

3.6.1.3. 获取节点TLS证书的NodeId

调用上文中获取节点TLS证书的NodeID的接口

参数填写(以BodyJSON为例)

获取共识节点(consensus node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls"
}

获取共识节点(common node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls"
}

bc1.ymlchainmaker.yml中的nodeId替换,配置文件修改位置如下:

  • bc1.yml

#共识配置
consensus:
  # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  • chainmaker.yml

# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"

3.6.2. 案例二:使用CA生成全套的ChainMaker证书

3.6.2.1. 环境准备

  • 已经成功启动的长安链

    详情启动流程见快速入门

  • CA服务的配置文件(示例)

    # log config
    log_config:
      level: info                                   # The log level                               
      filename: ../log/ca.log                       # The path to the log file            
      max_size: 1                                   # The maximum size of the log file before cutting (MB)
      max_age: 30                                   # The maximum number of days to retain old log files
      max_backups: 5                                # Maximum number of old log files to keep
    
    # db config
    db_config:
      user: root
      password: 123456
      ip: 127.0.0.1
      port: 13306
      dbname: chainmaker_ca
    
    # Base config
    base_config:
      server_port: 8090                                  # Server port configuration
      ca_type: single_root                               # Ca server type : double_root/single_root/tls/sign
    #  expire_year: 2                                    # The expiration time of the certificate (year)
      expire_month: 6                                    # The expiration time of the certificate (month)(high level)
    #  cert_valid_time : 2m                              # cert valid time (for testing use only)
      hash_type: SHA256                                  # SHA256/SHA3_256/SM3
      key_type: ECC_NISTP256                             # ECC_NISTP256/SM2
      can_issue_ca: false                                # Whether can continue to issue CA cert
    #  provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]      
                                                         # A list of organizations that provide services
      key_encrypt: false                                  # Whether the key is stored in encryption
      access_control: false                              # Whether to enable permission control
    #  default_domain: chainmaker.org                    # the default value for sans in the certificate
    
    pkcs11_config:
      enabled: false
      library: /usr/local/lib64/pkcs11/libupkcs11.so
      label: HSM
      password: 11111111
      session_cache_size: 10
      hash: "SHA256"
    
    # Root CA config
    root_config:
      cert:
        - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
          cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
          private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
          key_id: SM2SignKey261                                            # pkcs11 key id
      csr:
        CN: root                
        O: org-root                         
        OU: root                         
        country: CN                      
        locality: Beijing                
        province: Beijing             
    
    # intermediate config
    intermediate_config: 
      - csr:
          CN: ca-wx-org1.chainmaker.org                        
          O: wx-org1.chainmaker.org                        
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey6
    
      - csr:
          CN: ca-wx-org2.chainmaker.org                       
          O: wx-org2.chainmaker.org                     
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey249
    
      - csr:
          CN: ca-wx-org3.chainmaker.org                       
          O: wx-org3.chainmaker.org                    
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey257
    
      - csr:
          CN: ca-wx-org4.chainmaker.org                    
          O: wx-org4.chainmaker.org                    
          OU: ca                         
          country: CN                       
          locality: Beijing                
          province: Beijing            
        key_id: SM2SignKey260
    
    # access control config
    access_control_config:
      - app_role: admin
        app_id: admin1
        app_key: passw0rd
      - app_role: user
        app_id: user1
        app_key: passw0rd
    
  • 已经启动的CA服务

    详情启动流程见上文安装部署

3.6.2.2. 获取CA证书

由于以下配置部分,CA服务在启动时,就会生成相应的组织CA证书

intermediate_config: 
  - csr:
      CN: ca-wx-org1.chainmaker.org                        
      O: wx-org1.chainmaker.org                        
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey6

  - csr:
      CN: ca-wx-org2.chainmaker.org                       
      O: wx-org2.chainmaker.org                     
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey249
    
  - csr:
      CN: ca-wx-org3.chainmaker.org                       
      O: wx-org3.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey257

  - csr:
      CN: ca-wx-org4.chainmaker.org                    
      O: wx-org4.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey260

CA服务启动后,直接调用多条件查询证书,获取CA证书

参数填写(以BodyJSON为例)

获取org1的CA证书:

{
    "orgId": "wx-org1.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org2的CA证书:

{
    "orgId": "wx-org2.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org3的CA证书:

{
    "orgId": "wx-org3.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

获取org4的CA证书:

{
    "orgId": "wx-org4.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}

注:获取的CA证书,需要在启动链时,将他们配置到链配置文件bc1.ymltrust_roots

3.6.2.3. 生成证书

调用上文中申请证书的接口userId

参数填写(以org1为例)

共识节点(consensus node)Sign证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

共识节点(consensus node)Tls证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Sign证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

同步节点(common node)Tls证书

注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户管理员(admin)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Sign证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

用户客户端(client)Tls证书

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "client1",
    "userType": "client",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}

注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId

以组织1的共识节点为例:

  nodes:
    - # 节点地址,格式为:IP:端口:连接数
      node_addr: "127.0.0.1:12301"
      # 节点连接数
      conn_cnt: 10
      # RPC连接是否启用双向TLS认证
      enable_tls: true
      # 信任证书池路径
      trust_root_paths:
        - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
      # TLS hostname
      # tls_host_name: "chainmaker.org"
      #########################################
      tls_host_name: "org1.consensus1.com"
      #########################################

3.6.2.4. 获取节点TLS证书的NodeId

调用上文中获取节点TLS证书的NodeID的接口

参数填写(以BodyJSON为例)

获取共识节点(consensus node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls"
}

获取同步节点(common node)Tls证书的NodeId

{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.common1.com",
    "userType": "common",
    "certUsage": "tls"
}

bc1.ymlchainmaker.yml中的nodeId替换,配置文件修改位置如下:

  • bc1.yml

#共识配置
consensus:
  # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  • chainmaker.yml

# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"

重复以上步骤,依次生成org2,org3,org4的全部证书即可在链上使用。

3.7. 外部证书兼容配置手册

3.7.1. 证书准备

  • 外部证书

    如果需要使用第三方外部证书,即不是长安链CA(chainmaker-ca)和长安链证书生成工具(chainmaker-cryptogen)生成的X.509标准的数字证书,例如,由BJCA签发的证书,需要准备好第三方外部证书。

  • 内部证书

    需要准备由长安链CA或者长安链证书生成工具生成的节点TLS通讯证书。

    使用长安链CA参考:CA证书服务使用手册

    使用长安链证书生成工具参考:证书生成工具

3.7.2. 配置方法

主要支持两种配置方式

  1. 通过链配置文件写入genesis block。

  2. 通过发送配置更新交易,更新到链上。

  • 链配置文件方式

    该方式需要两步,首先更改链配置文件,其次更新节点或用户的证书配置。

    • 在bc.yml链配置文件中添加下面配置

    trust_members:
      - member_info: "../BJCA/consensus.sign.crt"
        org_id: "wx-org1.chainmaker.org"
        role: "consensus"
        node_id:  "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
      - member_info: "../BJCA/admin.sign.crt"
        org_id: "wx-org1.chainmaker.org"
        role: "admin"
        node_id:  ""
    
    1. member_info

      外部证书文件的路径

    2. org_id

      外部证书在链上的组织ID

    3. role

      外部证书在链上的角色。可填:admin/client/consensus

    4. node_id

      当使用的外部证书为consensus角色的签名证书时,需要将共识配置中的node_id(即该节点TLS证书的node_id)填写到此处。(其它情况可忽略该配置项)

      共识配置如下:

      #共识配置
      consensus:
        # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,10-POW)
        type: 1
        # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
        nodes:
          - org_id: "wx-org1.chainmaker.org"
            node_id:
              - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
          - org_id: "wx-org2.chainmaker.org"
            node_id:
              - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
      
    • 节点证书替换为外部证书的方法

      打开节点配置文件chainmaker.yml的node部分

      node:
        # 节点类型:full
        type:              full
        org_id:            {org_id}
        priv_key_file:     ../config/{org_path}/certs/{node_cert_path}.key
        cert_file:         ../config/{org_path}/certs/{node_cert_path}.crt
        signer_cache_size: 1000
        cert_cache_size:   1000
        pkcs11:
          enabled: false
          library:                # path to the so file of pkcs11 interface
          label:                  # label for the slot to be used
          password:               # password to logon the HSM
          session_cache_size: 10  # size of HSM session cache, default to 10
          hash: "SHA256"          # hash algorithm used to compute SKI
      
      1. priv_key_file 替换成外部证书的私钥文件路径

      2. cert_file 替换成外部证书的证书文件路径

  • 发送配置更新交易方式

    例如,使用cmc命令行工具操作

    • 增加外部信任成员信息

      ./cmc client chainconfig trustmember add \
      --sdk-conf-path=./testdata/sdk_config.yml \
      --org-id=wx-org1.chainmaker.org \
      --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \
      --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \
      --trust-member-org-id=wx-org2.chainmaker.org \
      --trust-member-path=./testdata/trust-member-demo/node1-sign.pem \
      --trust-member-role=consensus \
      --trust-member-node-id=QmYcfSHGiXjHKkHo65YfxWLT6G7B81Zct7F7ep8GWFtuUK
      

      参数说明

      1. trust-member-org-id 外部证书在链上的组织ID

      2. trust-member-path 外部证书文件的路径

      3. trust-member-role 外部证书在链上的角色

      4. trust-member-node-id 当使用的外部证书为consensus角色的签名证书时,需要将共识配置中的node_id配置到该位置。

    • 删除外部信任成员信息

      ./cmc client chainconfig trustmember remove \
      --sdk-conf-path=./testdata/sdk_config.yml \
      --org-id=wx-org1.chainmaker.org \
      --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \
      --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \
      --trust-member-path=./testdata/trust-member-demo/node1-sign.pem \
      

      参数说明

      1. trust-member-path 外部证书文件的路径

3.7.3. 示例

本示例基于链环境搭建的通过命令行工具启动链部分,来配置node1的签名证书为第三方外部证书。

  • 配置准备

    首先进入chainmaker-go目录

    将外部证书目录trust-member放到node1节点证书目录下

    $ cd build/config/node1/certs
    $ tree
    
    ├── ca
    │   ├── wx-org1.chainmaker.org
    │   │   └── ca.crt
    │   ├── wx-org2.chainmaker.org
    │   │   └── ca.crt
    │   ├── wx-org3.chainmaker.org
    │   │   └── ca.crt
    │   └── wx-org4.chainmaker.org
    │       └── ca.crt
    ├── node
    │   ├── common1
    │   │   ├── common1.nodeid
    │   │   ├── common1.sign.crt
    │   │   ├── common1.sign.key
    │   │   ├── common1.tls.crt
    │   │   └── common1.tls.key
    │   └── consensus1
    │       ├── consensus1.nodeid
    │       ├── consensus1.sign.crt
    │       ├── consensus1.sign.key
    │       ├── consensus1.tls.crt
    │       └── consensus1.tls.key
    ├── trust-member
    │   ├── trust-member.node1-sign.key
    │   └── trust-member.node1-sign.pem
    └── user
        ├── admin1
        │   ├── admin1.sign.crt
        │   ├── admin1.sign.key
        │   ├── admin1.tls.crt
        │   └── admin1.tls.key
        └── client1
            ├── client1.addr
            ├── client1.sign.crt
            ├── client1.sign.key
            ├── client1.tls.crt
            └── client1.tls.key
    

    然后其它节点需要将第三方证书放入证书目录。

    $ cd build/config
    $ tree
    
    ├── node1
    │   ├── certs
    │   │   ├── ca
    │   │   │   ├── wx-org1.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org2.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org3.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   └── wx-org4.chainmaker.org
    │   │   │       └── ca.crt
    │   │   ├── node
    │   │   │   ├── common1
    │   │   │   │   ├── common1.nodeid
    │   │   │   │   ├── common1.sign.crt
    │   │   │   │   ├── common1.sign.key
    │   │   │   │   ├── common1.tls.crt
    │   │   │   │   └── common1.tls.key
    │   │   │   └── consensus1
    │   │   │       ├── consensus1.nodeid
    │   │   │       ├── consensus1.sign.crt
    │   │   │       ├── consensus1.sign.key
    │   │   │       ├── consensus1.tls.crt
    │   │   │       └── consensus1.tls.key
    │   │   ├── trust-member
    │   │   │   ├── trust-member.node1-sign.key
    │   │   │   └── trust-member.node1-sign.pem
    │   │   └── user
    │   │       ├── admin1
    │   │       │   ├── admin1.sign.crt
    │   │       │   ├── admin1.sign.key
    │   │       │   ├── admin1.tls.crt
    │   │       │   └── admin1.tls.key
    │   │       └── client1
    │   │           ├── client1.addr
    │   │           ├── client1.sign.crt
    │   │           ├── client1.sign.key
    │   │           ├── client1.tls.crt
    │   │           └── client1.tls.key
    │   ├── chainconfig
    │   │   └── bc1.yml
    │   ├── chainmaker.yml
    │   └── log.yml
    ├── node2
    │   ├── certs
    │   │   ├── ca
    │   │   │   ├── wx-org1.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org2.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org3.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   └── wx-org4.chainmaker.org
    │   │   │       └── ca.crt
    │   │   ├── node
    │   │   │   ├── common1
    │   │   │   │   ├── common1.nodeid
    │   │   │   │   ├── common1.sign.crt
    │   │   │   │   ├── common1.sign.key
    │   │   │   │   ├── common1.tls.crt
    │   │   │   │   └── common1.tls.key
    │   │   │   └── consensus1
    │   │   │       ├── consensus1.nodeid
    │   │   │       ├── consensus1.sign.crt
    │   │   │       ├── consensus1.sign.key
    │   │   │       ├── consensus1.tls.crt
    │   │   │       └── consensus1.tls.key
    │   │   ├── trust-member
    │   │   │   └── trust-member.node1-sign.pem
    │   │   └── user
    │   │       ├── admin1
    │   │       │   ├── admin1.sign.crt
    │   │       │   ├── admin1.sign.key
    │   │       │   ├── admin1.tls.crt
    │   │       │   └── admin1.tls.key
    │   │       └── client1
    │   │           ├── client1.addr
    │   │           ├── client1.sign.crt
    │   │           ├── client1.sign.key
    │   │           ├── client1.tls.crt
    │   │           └── client1.tls.key
    │   ├── chainconfig
    │   │   └── bc1.yml
    │   ├── chainmaker.yml
    │   └── log.yml
    ├── node3
    │   ├── certs
    │   │   ├── ca
    │   │   │   ├── wx-org1.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org2.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   ├── wx-org3.chainmaker.org
    │   │   │   │   └── ca.crt
    │   │   │   └── wx-org4.chainmaker.org
    │   │   │       └── ca.crt
    │   │   ├── node
    │   │   │   ├── common1
    │   │   │   │   ├── common1.nodeid
    │   │   │   │   ├── common1.sign.crt
    │   │   │   │   ├── common1.sign.key
    │   │   │   │   ├── common1.tls.crt
    │   │   │   │   └── common1.tls.key
    │   │   │   └── consensus1
    │   │   │       ├── consensus1.nodeid
    │   │   │       ├── consensus1.sign.crt
    │   │   │       ├── consensus1.sign.key
    │   │   │       ├── consensus1.tls.crt
    │   │   │       └── consensus1.tls.key
    │   │   ├── trust-member
    │   │   │   └── trust-member.node1-sign.pem
    │   │   └── user
    │   │       ├── admin1
    │   │       │   ├── admin1.sign.crt
    │   │       │   ├── admin1.sign.key
    │   │       │   ├── admin1.tls.crt
    │   │       │   └── admin1.tls.key
    │   │       └── client1
    │   │           ├── client1.addr
    │   │           ├── client1.sign.crt
    │   │           ├── client1.sign.key
    │   │           ├── client1.tls.crt
    │   │           └── client1.tls.key
    │   ├── chainconfig
    │   │   └── bc1.yml
    │   ├── chainmaker.yml
    │   └── log.yml
    └── node4
        ├── certs
        │   ├── ca
        │   │   ├── wx-org1.chainmaker.org
        │   │   │   └── ca.crt
        │   │   ├── wx-org2.chainmaker.org
        │   │   │   └── ca.crt
        │   │   ├── wx-org3.chainmaker.org
        │   │   │   └── ca.crt
        │   │   └── wx-org4.chainmaker.org
        │   │       └── ca.crt
        │   ├── node
        │   │   ├── common1
        │   │   │   ├── common1.nodeid
        │   │   │   ├── common1.sign.crt
        │   │   │   ├── common1.sign.key
        │   │   │   ├── common1.tls.crt
        │   │   │   └── common1.tls.key
        │   │   └── consensus1
        │   │       ├── consensus1.nodeid
        │   │       ├── consensus1.sign.crt
        │   │       ├── consensus1.sign.key
        │   │       ├── consensus1.tls.crt
        │   │       └── consensus1.tls.key
        │   ├── trust-member
        │   │   └── trust-member.node1-sign.pem
        │   └── user
        │       ├── admin1
        │       │   ├── admin1.sign.crt
        │       │   ├── admin1.sign.key
        │       │   ├── admin1.tls.crt
        │       │   └── admin1.tls.key
        │       └── client1
        │           ├── client1.addr
        │           ├── client1.sign.crt
        │           ├── client1.sign.key
        │           ├── client1.tls.crt
        │           └── client1.tls.key
        ├── chainconfig
        │   └── bc1.yml
        ├── chainmaker.yml
        └── log.yml
    

    node1链配置bc1.yml

    chain_id: chain1        # 链标识
    version: v2.0.0         # 链版本
    sequence: 1             # 配置版本
    auth_type: "identity"   # 认证类型
    
    crypto:
      hash: SHA256
    
    # 合约支持类型的配置
    contract:
      enable_sql_support: false # 合约是否支持sql,此处若为true,则chainmaker.yml中则需配置storage.statedb_config.provider=sql,否则无法启动
    
    # 交易、区块相关配置
    block:
      tx_timestamp_verify: true # 是否需要开启交易时间戳校验
      tx_timeout: 600  # 交易时间戳的过期时间(秒)
      block_tx_capacity: 100  # 区块中最大交易数
      block_size: 10  # 区块最大限制,单位MB
      block_interval: 2000 # 出块间隔,单位:ms
    
    # core模块
    core:
      tx_scheduler_timeout: 10 #  [0, 60] 交易调度器从交易池拿到交易后, 进行调度的时间
      tx_scheduler_validate_timeout: 10 # [0, 60] 交易调度器从区块中拿到交易后, 进行验证的超时时间
    
    # snapshot module
    snapshot:
      enable_evidence: false # enable the evidence support
    
    # scheduler module
    scheduler:
      enable_evidence: false # enable the evidence support
    
    #共识配置
    consensus:
      # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,5-DPOS,10-POW)
      type: 1
      # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
      # 其中node_id为chainmaker.yml中 node.cert_file证书对应的nodeid
      nodes:
        - org_id: "wx-org1.chainmaker.org"
          node_id:
            - "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
        - org_id: "wx-org2.chainmaker.org"
          node_id:
            - "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
        - org_id: "wx-org3.chainmaker.org"
          node_id:
            - "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
        - org_id: "wx-org4.chainmaker.org"
          node_id:
            - "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"
    
      ext_config: # 扩展字段,记录难度、奖励等其他类共识算法配置
        - key: aa
          value: chain01_ext11
      dpos_config: # DPoS
        #ERC20合约配置
        - key: erc20.total
          value: "{erc20_total}"
        - key: erc20.owner
          value: "{org1_peeraddr}"
        - key: erc20.decimals
          value: "18"
        - key: erc20.account:DPOS_STAKE
          value: "{erc20_total}"
        #Stake合约配置
        - key: stake.minSelfDelegation
          value: "2500000"
        - key: stake.epochValidatorNum
          value: "{epochValidatorNum}"
        - key: stake.epochBlockNum
          value: "10"
        - key: stake.completionUnbondingEpochNum
          value: "1"
        - key: stake.candidate:{org1_peeraddr}
          value: "2500000"
        - key: stake.candidate:{org2_peeraddr}
          value: "2500000"
        - key: stake.candidate:{org3_peeraddr}
          value: "2500000"
        - key: stake.candidate:{org4_peeraddr}
          value: "2500000"
    
        - key: stake.nodeID:{org1_peeraddr}
          value: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
        - key: stake.nodeID:{org2_peeraddr}
          value: "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
        - key: stake.nodeID:{org3_peeraddr}
          value: "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
        - key: stake.nodeID:{org4_peeraddr}
          value: "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"
    
    # 信任组织和根证书
    trust_roots:
      - org_id: "wx-org1.chainmaker.org"
        root:
          - "../config/wx-org1.chainmaker.org/certs/ca/wx-org1.chainmaker.org/ca.crt"
      - org_id: "wx-org2.chainmaker.org"
        root:
          - "../config/wx-org1.chainmaker.org/certs/ca/wx-org2.chainmaker.org/ca.crt"
      - org_id: "wx-org3.chainmaker.org"
        root:
          - "../config/wx-org1.chainmaker.org/certs/ca/wx-org3.chainmaker.org/ca.crt"
      - org_id: "wx-org4.chainmaker.org"
        root:
          - "../config/wx-org1.chainmaker.org/certs/ca/wx-org4.chainmaker.org/ca.crt"
    
    # 证书库
    trust_members:
      - member_info: "../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
        org_id: "wx-org1.chainmaker.org"
        role: "consensus"
        node_id:  "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    
    # 权限配置(只能整体添加、修改、删除)
    resource_policies:
      - resource_name: CHAIN_CONFIG-NODE_ID_UPDATE
        policy:
          rule: SELF # 规则(ANY,MAJORITY...,全部大写,自动转大写)
          org_list: # 组织名称(组织名称,区分大小写)
          role_list: # 角色名称(role,自动转大写)
            - admin
      - resource_name: CHAIN_CONFIG-TRUST_ROOT_ADD
        policy:
          rule: MAJORITY
          org_list:
          role_list:
            - admin
      - resource_name: CHAIN_CONFIG-CERTS_FREEZE
        policy:
          rule: ANY
          org_list:
          role_list:
            - admin
    

    node2的链配置bc1.yml (仅显示trust_member部分,其它部分不变)

    trust_members:
      - member_info: "../config/wx-org2.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
        org_id: "wx-org1.chainmaker.org"
        role: "consensus"
        node_id:  "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    

    node3的链配置bc1.yml (仅显示trust_member部分,其它部分不变)

    trust_members:
      - member_info: "../config/wx-org3.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
        org_id: "wx-org1.chainmaker.org"
        role: "consensus"
        node_id:  "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    

    node4的链配置bc1.yml (仅显示trust_member部分,其它部分不变)

    trust_members:
      - member_info: "../config/wx-org4.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
        org_id: "wx-org1.chainmaker.org"
        role: "consensus"
        node_id:  "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    

    node1的节点配置文件chainmaker.yml

    log:
      config_file: ../config/wx-org1.chainmaker.org/log.yml          # config file of logger configuration.
    
    blockchain:
      - chainId: chain1
        genesis: ../config/wx-org1.chainmaker.org/chainconfig/bc1.yml
    
    node:
      # 节点类型:full
      type:              full
      org_id:            wx-org1.chainmaker.org
    #  priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.key
    #  cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.crt
      priv_key_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.key
      cert_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem
      signer_cache_size: 1000
      cert_cache_size:   1000
      pkcs11:
        enabled: false
        library: # path to the so file of pkcs11 interface
        label: # label for the slot to be used
        password: # password to logon the HSM
        session_cache_size: 10 # size of HSM session cache, default to 10
        hash: "SHA256" # hash algorithm used to compute SKI
    
    net:
      provider: LibP2P
      listen_addr: /ip4/0.0.0.0/tcp/11301
      seeds:
        - "/ip4/127.0.0.1/tcp/11301/p2p/QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
        - "/ip4/127.0.0.1/tcp/11302/p2p/QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
        - "/ip4/127.0.0.1/tcp/11303/p2p/QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
        - "/ip4/127.0.0.1/tcp/11304/p2p/QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"
    
      tls:
        enabled: true
        priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key
        cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt
    
    
    txpool:
      max_txpool_size: 50000 # 普通交易池上限
      max_config_txpool_size: 10 # config交易池的上限
      full_notify_again_time: 30 # 交易池溢出后,再次通知的时间间隔(秒)
    #  pool_type: "batch"  # single/batch:single实时进入交易池,batch批量进入交易池
    #  batch_max_size: 30000 # 批次最大大小
    #  batch_create_timeout: 200 # 创建批次超时时间,单位毫秒
    
    rpc:
      provider: grpc
      port: 12301
      # 检查链配置TrustRoots证书变化时间间隔,单位:s,最小值为10s
      check_chain_conf_trust_roots_change_interval: 60
      ratelimit:
        # 每秒补充令牌数,取值:-1-不受限;0-默认值(10000)
        token_per_second: -1
        # 令牌桶大小,取值:-1-不受限;0-默认值(10000)
        token_bucket_size: -1
      subscriber:
        # 历史消息订阅流控,实时消息订阅不会进行流控
        ratelimit:
          # 每秒补充令牌数,取值:-1-不受限;0-默认值(1000)
          token_per_second: 100
          # 令牌桶大小,取值:-1-不受限;0-默认值(1000)
          token_bucket_size: 100
      tls:
        # TLS模式:
        #   disable - 不启用TLS
        #   oneway  - 单向认证
        #   twoway  - 双向认证
        #mode: disable
        #mode: oneway
        mode:           twoway
        priv_key_file:  ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key
        cert_file:      ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt
    
    monitor:
      enabled: true
      port: 14321
    
    pprof:
      enabled: false
      port: 24321
    
    
    storage:
      store_path: ../data/wx-org1.chainmaker.org/ledgerData1
      # 最小的不允许归档的区块高度
      unarchive_block_height: 300000
      blockdb_config:
        provider: leveldb
        leveldb_config:
          store_path: ../data/wx-org1.chainmaker.org/blocks
      statedb_config:
        provider: leveldb # leveldb/sql 二选一
        leveldb_config: # leveldb config
          store_path: ../data/wx-org1.chainmaker.org/state
      #    sqldb_config: # sql config,只有provider为sql的时候才需要配置和启用这个配置
      #      sqldb_type: mysql           #具体的sql db类型,目前支持mysql,sqlite
      #      dsn: root:password@tcp(127.0.0.1:3306)/  #mysql的连接信息,包括用户名、密码、ip、port等,示例:root:admin@tcp(127.0.0.1:3306)/
      historydb_config:
        provider: leveldb
        leveldb_config:
          store_path: ../data/wx-org1.chainmaker.org/history
      resultdb_config:
        provider: leveldb
        leveldb_config:
          store_path: ../data/wx-org1.chainmaker.org/result
      disable_contract_eventdb: true  #是否禁止合约事件存储功能,默认为true,如果设置为false,需要配置mysql
      contract_eventdb_config:
        provider: sql                 #如果开启contract event db 功能,需要指定provider为sql
        sqldb_config:
          sqldb_type: mysql           #contract event db 只支持mysql
          dsn: root:password@tcp(127.0.0.1:3306)/  #mysql的连接信息,包括用户名、密码、ip、port等,示例:root:admin@tcp(127.0.0.1:3306)/
    core:
      evidence: false
    scheduler:
      rwset_log: false #whether log the txRWSet map in the debug mode
    
  • 链启动

    $ cd scripts
    $ ./build_release.sh
    $ ./cluster_quick_start.sh normal
    

    查看进程是否存在

    $ ps -ef|grep chainmaker | grep -v grep
    lxf       20816      1  8 15:34 pts/0    00:00:01 ./chainmaker start -c ../config/wx-org1.chainmaker.org/chainmaker.yml
    lxf       20835      1  8 15:34 pts/0    00:00:00 ./chainmaker start -c ../config/wx-org2.chainmaker.org/chainmaker.yml
    lxf       20855      1  9 15:34 pts/0    00:00:00 ./chainmaker start -c ../config/wx-org3.chainmaker.org/chainmaker.yml
    lxf       20874      1 10 15:34 pts/0    00:00:00 ./chainmaker start -c ../config/wx-org4.chainmaker.org/chainmaker.yml
    

    查看端口是否监听

     $ netstat -lptn | grep 1230
    tcp6       0      0 :::12301                :::*                    LISTEN      20816/./chainmaker  
    tcp6       0      0 :::12302                :::*                    LISTEN      20835/./chainmaker  
    tcp6       0      0 :::12303                :::*                    LISTEN      20855/./chainmaker  
    tcp6       0      0 :::12304                :::*                    LISTEN      20874/./chainmaker