2. 基于CA服务搭建长安链

如果是测试体验长安链,可参考通过命令行体验长安链通过管理台体验长安链快速部署cert模式的长安链。

如果是正式环境使用,需要颁发证书给其他组织机构或者C端用户的,则需要部署长安链Ca服务并基于Ca服务搭建长安链。本章节我们将详细介绍如何通过CA服务搭建完整的长安链PermissionWithCert模式的账户体系,

本文示例说明:

  • 创建新链:4组织,1共识节点/每组织,1管理员/每组织

2.1. 启动CA服务

长安链Ca服务可用于签发证书,部署PermissionWithCert模式的长安链前,我们需要通过长安链CA签发出相关的证书文件。 长安链CA服务支持多种方式部署,环境准备请参考CA证书服务-安装部署,本文我们使用docker快速部署CA服务。

CA服务的配置文件config.yml(4组织示例)

# log config
log_config:
  level: info                                   # The log level                               
  filename: ../log/ca.log                       # The path to the log file            
  max_size: 1                                   # The maximum size of the log file before cutting (MB)
  max_age: 30                                   # The maximum number of days to retain old log files
  max_backups: 5                                # Maximum number of old log files to keep

# db config
db_config:
  user: root
  password: 123456
  ip: 127.0.0.1
  port: 13306
  dbname: chainmaker_ca

# Base config
base_config:
  server_port: 8090                                  # Server port configuration
  ca_type: single_root                               # Ca server type : double_root/single_root/tls/sign
#  expire_year: 2                                    # The expiration time of the certificate (year)
  expire_month: 6                                    # The expiration time of the certificate (month)(high level)
#  cert_valid_time : 2m                              # cert valid time (for testing use only)
  hash_type: SHA256                                  # SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256                             # ECC_NISTP256/SM2
  can_issue_ca: false                                # Whether can continue to issue CA cert
#  provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]      
                                                     # A list of organizations that provide services
  key_encrypt: false                                  # Whether the key is stored in encryption
  access_control: false                              # Whether to enable permission control
#  default_domain: chainmaker.org                    # the default value for sans in the certificate

pkcs11_config:
  enabled: false
  library: /usr/local/lib64/pkcs11/libupkcs11.so
  label: HSM
  password: 11111111
  session_cache_size: 10
  hash: "SHA256"

# Root CA config
root_config:
  cert:
    - cert_type: sign                                                  # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt                      # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key               # private key file path    
      key_id: SM2SignKey261                                            # pkcs11 key id
  csr:
    CN: root                
    O: org-root                         
    OU: root                         
    country: CN                      
    locality: Beijing                
    province: Beijing             

# intermediate config
intermediate_config: 
  - csr:
      CN: ca-wx-org1.chainmaker.org                        
      O: wx-org1.chainmaker.org                        
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey6

  - csr:
      CN: ca-wx-org2.chainmaker.org                       
      O: wx-org2.chainmaker.org                     
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey249
    
  - csr:
      CN: ca-wx-org3.chainmaker.org                       
      O: wx-org3.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey257

  - csr:
      CN: ca-wx-org4.chainmaker.org                    
      O: wx-org4.chainmaker.org                    
      OU: ca                         
      country: CN                       
      locality: Beijing                
      province: Beijing            
    key_id: SM2SignKey260

# access control config
access_control_config:
  - app_role: admin
    app_id: admin1
    app_key: passw0rd
  - app_role: user
    app_id: user1
    app_key: passw0rd

docker方式启动服务

将以上config.yml配置文件拷贝到chainmaker-ca/src/conf/目录后,在项目主目录下运行./deploy.sh脚本。

  • 启动成功后,终端显示

2022-08-24T03:00:12.529492Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.30'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
start ca services...
9a4fa1c7f3dcb37fdfe6ae2a434ebc91a4d21ec94364c929e0ed1199eef4903d
[env]:
env is empty, set default
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /test                     --> main.main.func1 (3 handlers)
[GIN-debug] POST   /api/ca/login             --> chainmaker.org/chainmaker-ca/src/handlers.Login.func1 (3 handlers)
[GIN-debug] POST   /api/ca/gencertbycsr      --> chainmaker.org/chainmaker-ca/src/handlers.GenCertByCsr.func1 (3 handlers)
[GIN-debug] POST   /api/ca/gencert           --> chainmaker.org/chainmaker-ca/src/handlers.GenCert.func1 (3 handlers)
[GIN-debug] POST   /api/ca/querycerts        --> chainmaker.org/chainmaker-ca/src/handlers.QueryCerts.func1 (3 handlers)
[GIN-debug] POST   /api/ca/renewcert         --> chainmaker.org/chainmaker-ca/src/handlers.RenewCert.func1 (3 handlers)
[GIN-debug] POST   /api/ca/revokecert        --> chainmaker.org/chainmaker-ca/src/handlers.RevokeCert.func1 (3 handlers)
[GIN-debug] POST   /api/ca/gencrl            --> chainmaker.org/chainmaker-ca/src/handlers.GenCrl.func1 (3 handlers)
[GIN-debug] POST   /api/ca/gencsr            --> chainmaker.org/chainmaker-ca/src/handlers.GenCsr.func1 (3 handlers)
[GIN-debug] POST   /api/ca/getnodeid         --> chainmaker.org/chainmaker-ca/src/handlers.GetCertNodeId.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :8090
chainmaker-ca server start!
  • 通过curl方式调用测试接口,显示成功

curl --location --request GET 'http://localhost:8096/test'
{"data":"Hello,World!","msg":"The request service returned successfully"}%

2.2. 基于CA服务生成证书账户

2.2.1. 生成组织证书

由于在CA配置文件中,我们配置了intermediate_config中间CA(每个中间CA代表一个组织),所以CA服务在启动时,会生成相应的组织CA证书。 以org1为例:

  • 获取组织org1的CA证书。

  chainmaker-ca-backend git:(develop)  curl --location --request POST 'http://localhost:8096/api/ca/querycerts' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userType": "ca",
    "certUsage": "sign"
}' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1299  100  1211  100    88  71235   5176 --:--:-- --:--:-- --:--:-- 76411
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": [
    {
      "userId": "ca-wx-org1.chainmaker.org",
      "orgId": "wx-org1.chainmaker.org",
      "userType": "ca",
      "certUsage": "sign",
      "certSn": 1696861425238169000,
      "issuerSn": 3682789430329868000,
      "certContent": "-----BEGIN CERTIFICATE-----\nMIICaDCCAg6gAwIBAgIIF4x2edRiVb8wCgYIKoZIzj0EAwIwYjELMAkGA1UEBhMC\nQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxETAPBgNVBAoT\nCG9yZy1yb290MQ0wCwYDVQQLEwRyb290MQ0wCwYDVQQDEwRyb290MB4XDTIyMDgy\nNDAyNTAyMVoXDTIzMDIyMDAyNTAyMVowgYMxCzAJBgNVBAYTAkNOMRAwDgYDVQQI\nEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNo\nYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZY2Etd3gtb3JnMS5j\naGFpbm1ha2VyLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJm8UUrxkzvL\nzB6u++UjdTvFhy9Fay1h+X7xVijPp8LeyAX70P5O4VGvik7j/yCHoJ0GE89pxH4B\nUIq6WnVTtDWjgYswgYgwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w\nKQYDVR0OBCIEIFQUtaMGHEYWLDGcfWBR0SQZjuWdI31bW7tCAyrplWpuMCsGA1Ud\nIwQkMCKAID2QQznj2uOhDBY0zQDZs0PsixvqNqTx5WLTT7JErCJMMA0GA1UdEQQG\nMASCAIIAMAoGCCqGSM49BAMCA0gAMEUCIFHIdvzax2/g183R6RU1S0jqRZNiKvrL\nLPzccecq0N/1AiEApW3sgl93X7iKYQmThST97ha9W06au4wCh74CNRzCVKc=\n-----END CERTIFICATE-----\n",
      "expirationDate": 1676861421,
      "isRevoked": false
    }
  ]
}

# 将返回的certContent保存为ca.key文件
echo -e "-----BEGIN CERTIFICATE-----\nMIICaDCCAg6gAwIBAgIIF4x2edRiVb8wCgYIKoZIzj0EAwIwYjELMAkGA1UEBhMC\nQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxETAPBgNVBAoT\nCG9yZy1yb290MQ0wCwYDVQQLEwRyb290MQ0wCwYDVQQDEwRyb290MB4XDTIyMDgy\nNDAyNTAyMVoXDTIzMDIyMDAyNTAyMVowgYMxCzAJBgNVBAYTAkNOMRAwDgYDVQQI\nEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNo\nYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZY2Etd3gtb3JnMS5j\naGFpbm1ha2VyLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJm8UUrxkzvL\nzB6u++UjdTvFhy9Fay1h+X7xVijPp8LeyAX70P5O4VGvik7j/yCHoJ0GE89pxH4B\nUIq6WnVTtDWjgYswgYgwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w\nKQYDVR0OBCIEIFQUtaMGHEYWLDGcfWBR0SQZjuWdI31bW7tCAyrplWpuMCsGA1Ud\nIwQkMCKAID2QQznj2uOhDBY0zQDZs0PsixvqNqTx5WLTT7JErCJMMA0GA1UdEQQG\nMASCAIIAMAoGCCqGSM49BAMCA0gAMEUCIFHIdvzax2/g183R6RU1S0jqRZNiKvrL\nLPzccecq0N/1AiEApW3sgl93X7iKYQmThST97ha9W06au4wCh74CNRzCVKc=\n-----END CERTIFICATE-----\n" > ca.crt
  • 查看组织org1的CA证书

$ openssl x509 -in ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1696861425238169023 (0x178c7679d46255bf)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = Beijing, L = Beijing, O = org-root, OU = root, CN = root
        Validity
            Not Before: Aug 24 02:50:21 2022 GMT
            Not After : Feb 20 02:50:21 2023 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = wx-org1.chainmaker.org, OU = ca, CN = ca-wx-org1.chainmaker.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:99:bc:51:4a:f1:93:3b:cb:cc:1e:ae:fb:e5:23:
                    75:3b:c5:87:2f:45:6b:2d:61:f9:7e:f1:56:28:cf:
                    a7:c2:de:c8:05:fb:d0:fe:4e:e1:51:af:8a:4e:e3:
                    ff:20:87:a0:9d:06:13:cf:69:c4:7e:01:50:8a:ba:
                    5a:75:53:b4:35
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                54:14:B5:A3:06:1C:46:16:2C:31:9C:7D:60:51:D1:24:19:8E:E5:9D:23:7D:5B:5B:BB:42:03:2A:E9:95:6A:6E
            X509v3 Authority Key Identifier:
                keyid:3D:90:43:39:E3:DA:E3:A1:0C:16:34:CD:00:D9:B3:43:EC:8B:1B:EA:36:A4:F1:E5:62:D3:4F:B2:44:AC:22:4C

            X509v3 Subject Alternative Name:
                DNS:, DNS:
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:51:c8:76:fc:da:c7:6f:e0:d7:cd:d1:e9:15:35:
         4b:48:ea:45:93:62:2a:fa:cb:2c:fc:dc:71:e7:2a:d0:df:f5:
         02:21:00:a5:6d:ec:82:5f:77:5f:b8:8a:61:09:93:85:24:fd:
         ee:16:bd:5b:4e:9a:bb:8c:02:87:be:02:35:1c:c2:54:a7

从证书Subject字段内容上我们可以看出,该证书代表组织wx-org1.chainmaker.org

分别指定不同的orgId获取wx-org2.chainmaker.orgwx-org3.chainmaker.orgwx-org4.chainmaker.org的根证书。

2.2.2. 生成节点证书

通过组织根CA签发共识节点证书,以org1为例:

  • 共识节点(consensus node)Sign证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

curl --location --request POST 'http://localhost:8096/api/ca/gencert' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}'  | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1559  100  1352  100   207  26000   3980 --:--:-- --:--:-- --:--:-- 29980
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 2694363940699227000,
    "issueCertSn": 1696861425238169000,
    "cert": "-----BEGIN CERTIFICATE-----\nMIICjTCCAjOgAwIBAgIIJWRNuoz/xNYwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNDAzNTZaFw0yMzAy\nMjAwNDAzNTZaMIGEMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpSmluZzEQMA4G\nA1UEBxMHQmVpSmluZzEfMB0GA1UEChMWd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzES\nMBAGA1UECxMJY29uc2Vuc3VzMRwwGgYDVQQDExNvcmcxLmNvbnNlbnN1czEuY29t\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE63g+GfDmTKtuKn/Kv+0Z/gdwo7PB\nVioKfe3Om9NuQPklmn5fQju8KHBdEbCxvlsSsw1HjfLEuPyCUfsdCEVnuaOBjTCB\nijAOBgNVHQ8BAf8EBAMCBsAwKQYDVR0OBCIEICijhLeuc7ogfjdCOsVtypWmwWIn\n4pCUfuWuhIjFk3jAMCsGA1UdIwQkMCKAIFQUtaMGHEYWLDGcfWBR0SQZjuWdI31b\nW7tCAyrplWpuMCAGA1UdEQQZMBeCE29yZzEuY29uc2Vuc3VzMS5jb22CADAKBggq\nhkjOPQQDAgNIADBFAiEAwvcrJHmxaU27wolEIMsYpYJVbbbDepRWN3OVWuWLg4MC\nIDTIoD0gMTJekIkNJbGSdXspotWHAQp6BA0jV277LvkU\n-----END CERTIFICATE-----\n",
    "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIG7UtWyFE55mrAn9yUAx5EtrMD5eqAb619NZBjT7y/iVoAoGCCqGSM49\nAwEHoUQDQgAE63g+GfDmTKtuKn/Kv+0Z/gdwo7PBVioKfe3Om9NuQPklmn5fQju8\nKHBdEbCxvlsSsw1HjfLEuPyCUfsdCEVnuQ==\n-----END EC PRIVATE KEY-----\n"
  }
}

# 保存节点sign证书和sign私钥到文件中
$ echo -e "-----BEGIN CERTIFICATE-----\nMIICjTCCAjOgAwIBAgIIJWRNuoz/xNYwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNDAzNTZaFw0yMzAy\nMjAwNDAzNTZaMIGEMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpSmluZzEQMA4G\nA1UEBxMHQmVpSmluZzEfMB0GA1UEChMWd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzES\nMBAGA1UECxMJY29uc2Vuc3VzMRwwGgYDVQQDExNvcmcxLmNvbnNlbnN1czEuY29t\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE63g+GfDmTKtuKn/Kv+0Z/gdwo7PB\nVioKfe3Om9NuQPklmn5fQju8KHBdEbCxvlsSsw1HjfLEuPyCUfsdCEVnuaOBjTCB\nijAOBgNVHQ8BAf8EBAMCBsAwKQYDVR0OBCIEICijhLeuc7ogfjdCOsVtypWmwWIn\n4pCUfuWuhIjFk3jAMCsGA1UdIwQkMCKAIFQUtaMGHEYWLDGcfWBR0SQZjuWdI31b\nW7tCAyrplWpuMCAGA1UdEQQZMBeCE29yZzEuY29uc2Vuc3VzMS5jb22CADAKBggq\nhkjOPQQDAgNIADBFAiEAwvcrJHmxaU27wolEIMsYpYJVbbbDepRWN3OVWuWLg4MC\nIDTIoD0gMTJekIkNJbGSdXspotWHAQp6BA0jV277LvkU\n-----END CERTIFICATE-----\n" > consensus1.sign.crt
$ echo -e "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIG7UtWyFE55mrAn9yUAx5EtrMD5eqAb619NZBjT7y/iVoAoGCCqGSM49\nAwEHoUQDQgAE63g+GfDmTKtuKn/Kv+0Z/gdwo7PBVioKfe3Om9NuQPklmn5fQju8\nKHBdEbCxvlsSsw1HjfLEuPyCUfsdCEVnuQ==\n-----END EC PRIVATE KEY-----\n" > consensus1.sign.key

# 查看节点sign证书
 openssl x509 -in consensus1.sign.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2694363940699227350 (0x25644dba8cffc4d6)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = Beijing, L = Beijing, O = wx-org1.chainmaker.org, OU = ca, CN = ca-wx-org1.chainmaker.org
        Validity
            Not Before: Aug 24 04:03:56 2022 GMT
            Not After : Feb 20 04:03:56 2023 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = wx-org1.chainmaker.org, OU = consensus, CN = org1.consensus1.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:eb:78:3e:19:f0:e6:4c:ab:6e:2a:7f:ca:bf:ed:
                    19:fe:07:70:a3:b3:c1:56:2a:0a:7d:ed:ce:9b:d3:
                    6e:40:f9:25:9a:7e:5f:42:3b:bc:28:70:5d:11:b0:
                    b1:be:5b:12:b3:0d:47:8d:f2:c4:b8:fc:82:51:fb:
                    1d:08:45:67:b9
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Subject Key Identifier:
                28:A3:84:B7:AE:73:BA:20:7E:37:42:3A:C5:6D:CA:95:A6:C1:62:27:E2:90:94:7E:E5:AE:84:88:C5:93:78:C0
            X509v3 Authority Key Identifier:
                keyid:54:14:B5:A3:06:1C:46:16:2C:31:9C:7D:60:51:D1:24:19:8E:E5:9D:23:7D:5B:5B:BB:42:03:2A:E9:95:6A:6E

            X509v3 Subject Alternative Name:
                DNS:org1.consensus1.com, DNS:
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:c2:f7:2b:24:79:b1:69:4d:bb:c2:89:44:20:
         cb:18:a5:82:55:6d:b6:c3:7a:94:56:37:73:95:5a:e5:8b:83:
         83:02:20:34:c8:a0:3d:20:31:32:5e:90:89:0d:25:b1:92:75:
         7b:29:a2:d5:87:01:0a:7a:04:0d:23:57:6e:fb:2e:f9:14

从证书Subject字段内容上我们可以看到,该证书账户属于wx-org1.chainmaker.org组织,角色为consensus

  • 共识节点(consensus node)Tls证书

注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。

 curl --location --request POST 'http://localhost:8096/api/ca/gencert' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}'  | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1600  100  1394  100   206  26807   3961 --:--:-- --:--:-- --:--:-- 30769
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 1344498995994953700,
    "issueCertSn": 1696861425238169000,
    "cert": "-----BEGIN CERTIFICATE-----\nMIICqzCCAlKgAwIBAgIIEqietqEmB/IwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNDEyNTVaFw0yMzAy\nMjAwNDEyNTVaMIGEMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpSmluZzEQMA4G\nA1UEBxMHQmVpSmluZzEfMB0GA1UEChMWd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzES\nMBAGA1UECxMJY29uc2Vuc3VzMRwwGgYDVQQDExNvcmcxLmNvbnNlbnN1czEuY29t\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcTZ0srq9NqDaXKbgyBA5YlSrqZQ\nTOchtoMQLOxpjfsCNLanNGpqFDgg2Aa8rEv77/GW8NAl2RQEuRQES//YwaOBrDCB\nqTAOBgNVHQ8BAf8EBAMCA/gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB\nMCkGA1UdDgQiBCCVdXEP1II8b1lCnDbVT6nokYwOShyxV4NbP42nayY1xDArBgNV\nHSMEJDAigCBUFLWjBhxGFiwxnH1gUdEkGY7lnSN9W1u7QgMq6ZVqbjAgBgNVHREE\nGTAXghNvcmcxLmNvbnNlbnN1czEuY29tggAwCgYIKoZIzj0EAwIDRwAwRAIgeGaY\nTebfVu8sCrwZZrJDg0D4n2qTQoZcBy6LWOCSjRACIC5X+H+1NeMW3gPQ6fSSwd/x\n5YDXog2pUocoUuUhiphJ\n-----END CERTIFICATE-----\n",
    "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEICXRU0a1Jnz9VReDVLA7W5AQUUg6f/22uFuaJgg7aZQtoAoGCCqGSM49\nAwEHoUQDQgAEwcTZ0srq9NqDaXKbgyBA5YlSrqZQTOchtoMQLOxpjfsCNLanNGpq\nFDgg2Aa8rEv77/GW8NAl2RQEuRQES//YwQ==\n-----END EC PRIVATE KEY-----\n"
  }
}

# 将返回的节点tls私钥和节点tls证书保存到文件中:
$ echo -e "-----BEGIN CERTIFICATE-----\nMIICqzCCAlKgAwIBAgIIEqietqEmB/IwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNDEyNTVaFw0yMzAy\nMjAwNDEyNTVaMIGEMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpSmluZzEQMA4G\nA1UEBxMHQmVpSmluZzEfMB0GA1UEChMWd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzES\nMBAGA1UECxMJY29uc2Vuc3VzMRwwGgYDVQQDExNvcmcxLmNvbnNlbnN1czEuY29t\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcTZ0srq9NqDaXKbgyBA5YlSrqZQ\nTOchtoMQLOxpjfsCNLanNGpqFDgg2Aa8rEv77/GW8NAl2RQEuRQES//YwaOBrDCB\nqTAOBgNVHQ8BAf8EBAMCA/gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB\nMCkGA1UdDgQiBCCVdXEP1II8b1lCnDbVT6nokYwOShyxV4NbP42nayY1xDArBgNV\nHSMEJDAigCBUFLWjBhxGFiwxnH1gUdEkGY7lnSN9W1u7QgMq6ZVqbjAgBgNVHREE\nGTAXghNvcmcxLmNvbnNlbnN1czEuY29tggAwCgYIKoZIzj0EAwIDRwAwRAIgeGaY\nTebfVu8sCrwZZrJDg0D4n2qTQoZcBy6LWOCSjRACIC5X+H+1NeMW3gPQ6fSSwd/x\n5YDXog2pUocoUuUhiphJ\n-----END CERTIFICATE-----\n" > consensus1.tls.crt
$ echo -e "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEICXRU0a1Jnz9VReDVLA7W5AQUUg6f/22uFuaJgg7aZQtoAoGCCqGSM49\nAwEHoUQDQgAEwcTZ0srq9NqDaXKbgyBA5YlSrqZQTOchtoMQLOxpjfsCNLanNGpq\nFDgg2Aa8rEv77/GW8NAl2RQEuRQES//YwQ==\n-----END EC PRIVATE KEY-----\n" > consensus1.tls.key

# 查看节点tls证书
$ openssl x509 -in consensus1.tls.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2694363940699227350 (0x25644dba8cffc4d6)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = Beijing, L = Beijing, O = wx-org1.chainmaker.org, OU = ca, CN = ca-wx-org1.chainmaker.org
        Validity
            Not Before: Aug 24 04:03:56 2022 GMT
            Not After : Feb 20 04:03:56 2023 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = wx-org1.chainmaker.org, OU = consensus, CN = org1.consensus1.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:eb:78:3e:19:f0:e6:4c:ab:6e:2a:7f:ca:bf:ed:
                    19:fe:07:70:a3:b3:c1:56:2a:0a:7d:ed:ce:9b:d3:
                    6e:40:f9:25:9a:7e:5f:42:3b:bc:28:70:5d:11:b0:
                    b1:be:5b:12:b3:0d:47:8d:f2:c4:b8:fc:82:51:fb:
                    1d:08:45:67:b9
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Subject Key Identifier:
                28:A3:84:B7:AE:73:BA:20:7E:37:42:3A:C5:6D:CA:95:A6:C1:62:27:E2:90:94:7E:E5:AE:84:88:C5:93:78:C0
            X509v3 Authority Key Identifier:
                keyid:54:14:B5:A3:06:1C:46:16:2C:31:9C:7D:60:51:D1:24:19:8E:E5:9D:23:7D:5B:5B:BB:42:03:2A:E9:95:6A:6E

            X509v3 Subject Alternative Name:
                DNS:org1.consensus1.com, DNS:
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:c2:f7:2b:24:79:b1:69:4d:bb:c2:89:44:20:
         cb:18:a5:82:55:6d:b6:c3:7a:94:56:37:73:95:5a:e5:8b:83:
         83:02:20:34:c8:a0:3d:20:31:32:5e:90:89:0d:25:b1:92:75:
         7b:29:a2:d5:87:01:0a:7a:04:0d:23:57:6e:fb:2e:f9:14

从证书Subject字段内容上我们可以看到,该证书账户属于wx-org1.chainmaker.org组织,角色为consensus

  • 获取共识节点的NodeId

获取共识节点(consensus node)Tls证书的NodeId

 curl --location --request POST 'http://localhost:8096/api/ca/getnodeid' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "org1.consensus1.com",
    "userType": "consensus",
    "certUsage": "tls"
}' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   249  100   118  100   131   6555   7277 --:--:-- --:--:-- --:--:-- 13833
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": "QmNgWQTRn8ijLThpu7sknFqEmGo2jELT32Wuwt3ZsnqKAP" #节点nodeId
}

注:重复以上步骤,依次生成组织org2,org3,org4下共识节点sign私钥/证书、tls私钥/证书以及节点的NodeId

2.3. 基于生成的组织和节点证书创建链

获取的组织CA证书,需要在启动链时,将他们配置到链配置文件bc1.ymltrust_roots里,并将bc1.ymlchainmaker.yml中的nodes.node_id替换为以上获取的节点nodeId。

nodeid: 为chainmaker.yml配置的net.tls.cert_file计算的nid值,通过如下cmc计算

./cmc cert nid –node-cert-path certs/node/consensus1/consensus1.tls.crt

配置文件修改位置如下

  • bc1.yml(链配置文件)

#共识配置
consensus:
  # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmNgWQTRn8ijLThpu7sknFqEmGo2jELT32Wuwt3ZsnqKAP"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmT5hVtAABN69BPAiUjdXddC4ZY9qJf2HgNuRDLSPT8V7R"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmeWW4h7XFADkcabEmzEdWzMNeWzHZa494W2pVprv61a4R"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmcXaixSAteMZWi4MbqrPijoG8koR6igx3Mrjfe7iHF5iw"

# Trust roots is used to specify the organizations' root certificates in permessionedWithCert mode.
# When in permessionedWithKey mode or public mode, it represents the admin users.
trust_roots:
  - org_id: "wx-org4.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org4.chainmaker.org/ca.crt"
  - org_id: "wx-org3.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org3.chainmaker.org/ca.crt"
  - org_id: "wx-org2.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org2.chainmaker.org/ca.crt"
  - org_id: "wx-org1.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org1.chainmaker.org/ca.crt"
  • chainmaker.yml (节点配置文件)

# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmNgWQTRn8ijLThpu7sknFqEmGo2jELT32Wuwt3ZsnqKAP"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmT5hVtAABN69BPAiUjdXddC4ZY9qJf2HgNuRDLSPT8V7R"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmeWW4h7XFADkcabEmzEdWzMNeWzHZa494W2pVprv61a4R"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmcXaixSAteMZWi4MbqrPijoG8koR6igx3Mrjfe7iHF5iw"

节点部署目录如下图所示:

.
├── bin
│   ├── chainmaker
│   ├── chainmaker.service
│   ├── docker-vm-standalone-start.sh
│   ├── docker-vm-standalone-stop.sh
│   ├── init.sh
│   ├── panic.log
│   ├── restart.sh
│   ├── run.sh
│   ├── start.sh
│   └── stop.sh
├── config
│   └── wx-org1.chainmaker.org
├── lib
│   ├── libwasmer.dylib
│   └── wxdec
└── log

在启动节点之前,需要将以上部署过程中用到的各个组织的根证书、共识节点证书和私钥、管理员证书和私钥替换为以上用CA生成的私钥/证书。 同时各个节点部署目录下的bc.ymlchainmaker.yml配置文件按照以上说明进行修改。

配置更新说明

# 以组织org1为例说明
config
└── wx-org1.chainmaker.org
    ├── certs
       ├── ca
          ├── wx-org1.chainmaker.org #组织1根证书
          ├── wx-org2.chainmaker.org #组织2根证书
          ├── wx-org3.chainmaker.org #组织3根证书
          └── wx-org4.chainmaker.org #组织4根证书
       ├── node
          ├── common1 # optional
          └── consensus1 # 组织1签发的共识节点sign证书、tls证书以及nodeId
       └── user
           ├── admin1 # 组织1签发的管理员sign证书、tls证书(包含私钥)
           ├── client1 #optional
           └── light1 #optional
    ├── chainconfig
       └── bc1.yml # 更新后的链配置文件,参考上节说明
    ├── chainmaker.yml #更新后的节点配置文件,参考上节说明
    └── log.yml

启动节点

节点启动方式参考:

请自行将上述两文章内的证书文件替换成上述流程新生成的证书文件,然后按步骤执行,直至链启动成功。

以下简单介绍通过命令行体验链的替换证书的操作步骤:

# 1、准备证书和配置文件
./prepare.sh 4 1
# 2、编译,打包可执行文件
./build_release.sh
# 3、解压缩打包的文件
cd ../build/release
tar -xzf chainmaker-v2.3.4-wx-org1.chainmaker.org-20230919104740-x86_64.tar.gz
# 4、替换各个节点的证书和节点ID
# 4.1、替换chainmaker-v2.3.4-wx-org1.chainmaker.org/config/wx-org1.chainmaker.org/certs下的所有证书和nodeid
# 4.2、替换chainmaker.yml,bc.yml的nodeId
# 5、启动
./cluster_quick_start.sh normal

按照以上方式启动org1、org2、org3和org4下的共识节点,等到所有节点建立连接,表明区块链网络部署成功,并可以对外提供区块链服务。
可通过遗下命令查看节点日志,若看到all necessary peers connected则表示节点已经准备就绪。

[INFO]  [Net]   libp2pnet/libp2p_connection_supervisor.go:116   [ConnSupervisor] all necessary peers connected.

2.4. 部署/调用智能合约

链部署后,在进行部署/调用合约测试,以验证链是否正常运行,首先我们需要先生成链的用户证书。

2.4.1. 生成admin测试账户

客户端账户包含client和admin两种类型,admin一般具有更高的链上权限,我们这里以admin为例进行测试

  • 用户管理员(admin)Sign证书

# 生成私钥和证书
 curl --location --request POST 'http://localhost:8096/api/ca/gencert' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "sign",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}' | jq
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 1856171032692815600,
    "issueCertSn": 1696861425238169000,
    "cert": "-----BEGIN CERTIFICATE-----\nMIICZTCCAgygAwIBAgIIGcJxuEYGd3gwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNTQ1MjNaFw0yMzAy\nMjAwNTQ1MjNaMHMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQ4w\nDAYDVQQLEwVhZG1pbjEPMA0GA1UEAxMGYWRtaW4xMFkwEwYHKoZIzj0CAQYIKoZI\nzj0DAQcDQgAEr2NLaz88XzSwFHLwbFgwGo80CjjRwVeRvstB6uzsT6wd0RPy7R5+\nSUP4sEBnEgsLCGFmNZ0wwdTkesfZLXLFdKN5MHcwDgYDVR0PAQH/BAQDAgbAMCkG\nA1UdDgQiBCBMvi1OVMM1nZHL1OCFjsg8cgAjiYT7TRHt062OozHarTArBgNVHSME\nJDAigCBUFLWjBhxGFiwxnH1gUdEkGY7lnSN9W1u7QgMq6ZVqbjANBgNVHREEBjAE\nggCCADAKBggqhkjOPQQDAgNHADBEAiB3IaMiuGeLQCDVGpSFJUjXcdEJ7MjizZj/\nOu08VrWniQIgeH5jyUMG3Izu7dh064iSRidzgR7sLt48CWtXpCuI4nE=\n-----END CERTIFICATE-----\n",
    "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBQy4VFzQ+TH3i23VzuWLNPzhS0k3F2IMC/gT2suJfXDoAoGCCqGSM49\nAwEHoUQDQgAEr2NLaz88XzSwFHLwbFgwGo80CjjRwVeRvstB6uzsT6wd0RPy7R5+\nSUP4sEBnEgsLCGFmNZ0wwdTkesfZLXLFdA==\n-----END EC PRIVATE KEY-----\n"
  }
}

# 保存管理员sign证书和私钥
$ echo -e "-----BEGIN CERTIFICATE-----\nMIICZTCCAgygAwIBAgIIGcJxuEYGd3gwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNTQ1MjNaFw0yMzAy\nMjAwNTQ1MjNaMHMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQ4w\nDAYDVQQLEwVhZG1pbjEPMA0GA1UEAxMGYWRtaW4xMFkwEwYHKoZIzj0CAQYIKoZI\nzj0DAQcDQgAEr2NLaz88XzSwFHLwbFgwGo80CjjRwVeRvstB6uzsT6wd0RPy7R5+\nSUP4sEBnEgsLCGFmNZ0wwdTkesfZLXLFdKN5MHcwDgYDVR0PAQH/BAQDAgbAMCkG\nA1UdDgQiBCBMvi1OVMM1nZHL1OCFjsg8cgAjiYT7TRHt062OozHarTArBgNVHSME\nJDAigCBUFLWjBhxGFiwxnH1gUdEkGY7lnSN9W1u7QgMq6ZVqbjANBgNVHREEBjAE\nggCCADAKBggqhkjOPQQDAgNHADBEAiB3IaMiuGeLQCDVGpSFJUjXcdEJ7MjizZj/\nOu08VrWniQIgeH5jyUMG3Izu7dh064iSRidzgR7sLt48CWtXpCuI4nE=\n-----END CERTIFICATE-----\n" > admin1.sign.crt
$ echo -e "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBQy4VFzQ+TH3i23VzuWLNPzhS0k3F2IMC/gT2suJfXDoAoGCCqGSM49\nAwEHoUQDQgAEr2NLaz88XzSwFHLwbFgwGo80CjjRwVeRvstB6uzsT6wd0RPy7R5+\nSUP4sEBnEgsLCGFmNZ0wwdTkesfZLXLFdA==\n-----END EC PRIVATE KEY-----\n" > admin1.sign.key

# 查看管理员sign证书
$ openssl x509 -in admin1.sign.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1856171032692815736 (0x19c271b846067778)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = Beijing, L = Beijing, O = wx-org1.chainmaker.org, OU = ca, CN = ca-wx-org1.chainmaker.org
        Validity
            Not Before: Aug 24 05:45:23 2022 GMT
            Not After : Feb 20 05:45:23 2023 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = wx-org1.chainmaker.org, OU = admin, CN = admin1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:af:63:4b:6b:3f:3c:5f:34:b0:14:72:f0:6c:58:
                    30:1a:8f:34:0a:38:d1:c1:57:91:be:cb:41:ea:ec:
                    ec:4f:ac:1d:d1:13:f2:ed:1e:7e:49:43:f8:b0:40:
                    67:12:0b:0b:08:61:66:35:9d:30:c1:d4:e4:7a:c7:
                    d9:2d:72:c5:74
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Subject Key Identifier:
                4C:BE:2D:4E:54:C3:35:9D:91:CB:D4:E0:85:8E:C8:3C:72:00:23:89:84:FB:4D:11:ED:D3:AD:8E:A3:31:DA:AD
            X509v3 Authority Key Identifier:
                keyid:54:14:B5:A3:06:1C:46:16:2C:31:9C:7D:60:51:D1:24:19:8E:E5:9D:23:7D:5B:5B:BB:42:03:2A:E9:95:6A:6E

            X509v3 Subject Alternative Name:
                DNS:, DNS:
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:77:21:a3:22:b8:67:8b:40:20:d5:1a:94:85:25:
         48:d7:71:d1:09:ec:c8:e2:cd:98:ff:3a:ed:3c:56:b5:a7:89:
         02:20:78:7e:63:c9:43:06:dc:8c:ee:ed:d8:74:eb:88:92:46:
         27:73:81:1e:ec:2e:de:3c:09:6b:57:a4:2b:88:e2:71

从证书Subject字段内容上我们可以看到,该管理员证书账户属于wx-org1.chainmaker.org组织,角色为admin

  • 用户管理员(admin)Tls证书

# 生成管理员tls证书
curl --location --request POST 'http://localhost:8096/api/ca/gencert' \
--header 'Content-Type: application/json' \
--data-raw '{
    "orgId": "wx-org1.chainmaker.org",
    "userId": "admin1",
    "userType": "admin",
    "certUsage": "tls",
    "country": "CN",
    "locality": "BeiJing",
    "province": "BeiJing"
}' | jq

{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 3793576108139400000,
    "issueCertSn": 1696861425238169000,
    "cert": "-----BEGIN CERTIFICATE-----\nMIICfDCCAiOgAwIBAgIINKV9XwIOzHEwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNTUzMTRaFw0yMzAy\nMjAwNTUzMTRaMHMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQ4w\nDAYDVQQLEwVhZG1pbjEPMA0GA1UEAxMGYWRtaW4xMFkwEwYHKoZIzj0CAQYIKoZI\nzj0DAQcDQgAE4lJgyz1A/GledacE3HUCwT2MrWHqDzHHpy81RTY22Ap6uj/ahO1h\n1+o0GSGS8xdF0ygw07BhtBOe9dkuYvptQ6OBjzCBjDAOBgNVHQ8BAf8EBAMCA/gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwKQYDVR0OBCIEIJ9OT40+LKdBATiWmfeIXmXO\n2RkxhbG1+Ai5vt+l5LxsMCsGA1UdIwQkMCKAIFQUtaMGHEYWLDGcfWBR0SQZjuWd\nI31bW7tCAyrplWpuMA0GA1UdEQQGMASCAIIAMAoGCCqGSM49BAMCA0cAMEQCIDbU\nvsm/C2OPw5HbhZCBzZJNbJ5x3QW+I8kOKNZd4X7jAiAq12qTcqZcNSBKsqM9HRTj\nqt/2rzh38uEgu/2oUvpIUw==\n-----END CERTIFICATE-----\n",
    "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIIA9k6+tvHrCa0Ee3P+IlGO0AQFW3GR6VSYtD33lK+PDoAoGCCqGSM49\nAwEHoUQDQgAE4lJgyz1A/GledacE3HUCwT2MrWHqDzHHpy81RTY22Ap6uj/ahO1h\n1+o0GSGS8xdF0ygw07BhtBOe9dkuYvptQw==\n-----END EC PRIVATE KEY-----\n"
  }
}

# 保存管理员tls证书和私钥
$ echo -e "-----BEGIN CERTIFICATE-----\nMIICfDCCAiOgAwIBAgIINKV9XwIOzHEwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjA4MjQwNTUzMTRaFw0yMzAy\nMjAwNTUzMTRaMHMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMR8wHQYDVQQKExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQ4w\nDAYDVQQLEwVhZG1pbjEPMA0GA1UEAxMGYWRtaW4xMFkwEwYHKoZIzj0CAQYIKoZI\nzj0DAQcDQgAE4lJgyz1A/GledacE3HUCwT2MrWHqDzHHpy81RTY22Ap6uj/ahO1h\n1+o0GSGS8xdF0ygw07BhtBOe9dkuYvptQ6OBjzCBjDAOBgNVHQ8BAf8EBAMCA/gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwKQYDVR0OBCIEIJ9OT40+LKdBATiWmfeIXmXO\n2RkxhbG1+Ai5vt+l5LxsMCsGA1UdIwQkMCKAIFQUtaMGHEYWLDGcfWBR0SQZjuWd\nI31bW7tCAyrplWpuMA0GA1UdEQQGMASCAIIAMAoGCCqGSM49BAMCA0cAMEQCIDbU\nvsm/C2OPw5HbhZCBzZJNbJ5x3QW+I8kOKNZd4X7jAiAq12qTcqZcNSBKsqM9HRTj\nqt/2rzh38uEgu/2oUvpIUw==\n-----END CERTIFICATE-----\n" > admin1.tls.crt
$ echo -e "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIIA9k6+tvHrCa0Ee3P+IlGO0AQFW3GR6VSYtD33lK+PDoAoGCCqGSM49\nAwEHoUQDQgAE4lJgyz1A/GledacE3HUCwT2MrWHqDzHHpy81RTY22Ap6uj/ahO1h\n1+o0GSGS8xdF0ygw07BhtBOe9dkuYvptQw==\n-----END EC PRIVATE KEY-----\n" > admin1.tls.key

# 查看管理员tls证书
$ openssl x509 -in admin1.tls.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3793576108139400305 (0x34a57d5f020ecc71)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = Beijing, L = Beijing, O = wx-org1.chainmaker.org, OU = ca, CN = ca-wx-org1.chainmaker.org
        Validity
            Not Before: Aug 24 05:53:14 2022 GMT
            Not After : Feb 20 05:53:14 2023 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = wx-org1.chainmaker.org, OU = admin, CN = admin1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e2:52:60:cb:3d:40:fc:69:5e:75:a7:04:dc:75:
                    02:c1:3d:8c:ad:61:ea:0f:31:c7:a7:2f:35:45:36:
                    36:d8:0a:7a:ba:3f:da:84:ed:61:d7:ea:34:19:21:
                    92:f3:17:45:d3:28:30:d3:b0:61:b4:13:9e:f5:d9:
                    2e:62:fa:6d:43
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                9F:4E:4F:8D:3E:2C:A7:41:01:38:96:99:F7:88:5E:65:CE:D9:19:31:85:B1:B5:F8:08:B9:BE:DF:A5:E4:BC:6C
            X509v3 Authority Key Identifier:
                keyid:54:14:B5:A3:06:1C:46:16:2C:31:9C:7D:60:51:D1:24:19:8E:E5:9D:23:7D:5B:5B:BB:42:03:2A:E9:95:6A:6E

            X509v3 Subject Alternative Name:
                DNS:, DNS:
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:36:d4:be:c9:bf:0b:63:8f:c3:91:db:85:90:81:
         cd:92:4d:6c:9e:71:dd:05:be:23:c9:0e:28:d6:5d:e1:7e:e3:
         02:20:2a:d7:6a:93:72:a6:5c:35:20:4a:b2:a3:3d:1d:14:e3:
         aa:df:f6:af:38:77:f2:e1:20:bb:fd:a8:52:fa:48:53

从证书Subject字段内容上我们可以看到,该管理员证书账户属于wx-org1.chainmaker.org组织

2.4.2. 使用管理员账户部署/调用合约

admin的用户证书生成后,可进行部署/调用合约测试,以验证链是否正常运行。部署合约的使用教程可详见:部署示例合约

注意使用部署合约前,需要将所需的相关证书替换成,上文所生成的证书,以cmc工具为例,配置文件sdk_config.yaml的如下配置需要修改:

  • 客户端tls私钥和证书:user_key_file_path、user_crt_file_path

  • 客户端sign私钥和证书:user_sign_key_file_path、user_sign_crt_file_path

  • 可信根目录:trust_root_paths (注:该目录下需要包含该管理员账户组织ca根证书)

  • 节点tls证书CN或SAN:tls_host_name(该字段用于tls握手)

使用SDK工具调用的话类似,也需要修改相应的账户文件。