# CA璇佷功鏈嶅姟
## 璇佷功绠€浠�
ChainMaker鍖哄潡閾剧綉缁滀腑浣跨敤鐨勮瘉涔︾被鍨嬫湁涓夊ぇ绫� `CA璇佷功` `鑺傜偣璇佷功` `鐢ㄦ埛璇佷功`銆�<br>
`CA璇佷功`: 鍙互鏄牴CA璇佷功銆佷腑闂碈A璇佷功銆佽嚜绛綜A璇佷功锛屽叾浣欎袱绫昏瘉涔﹂兘鏄娇鐢╜CA璇佷功`绛惧悕鐢熸垚銆�<br>
`鑺傜偣璇佷功`: 缁嗗垎涓哄叡璇嗚妭鐐广€佸悓姝ヨ妭鐐广€佽交鑺傜偣浣跨敤鐨勮瘉涔︺€傚悓姝ヨ妭鐐瑰拰杞昏妭鐐硅瘉涔︾被鍨嬬浉鍚屻€�<br>
`鐢ㄦ埛璇佷功`: 缁嗗垎涓虹鐞嗗憳鐢ㄦ埛璇佷功銆佹櫘閫氱敤鎴疯瘉涔︺€傚垎鍒搴旂鐞嗗憳鏉冮檺鍜屾櫘閫氱敤鎴锋潈闄愩€�<br>
涓嬮潰璇︾粏浠嬬粛ChainMaker缃戠粶涓悇绫昏瘉涔︺€�
## 璇佷功
- [CA璇佷功](#rootCert)
- [鑺傜偣璇佷功绫籡(#nodeCert)
- [鐢ㄦ埛璇佷功绫籡(#userCert)
<span id="rootCert"></span>
### CA璇佷功
涓€鑸瘡涓粍缁囦竴涓猔CA璇佷功`銆�<br>
`CA璇佷功`鍙€氳繃 [chainmaker-cryptogen](../dev/璇佷功鐢熸垚宸ュ叿.md) 鎴栬€呰嚜寤虹殑 [CA璇佷功鏈嶅姟](./CA璇佷功鏈嶅姟.md) 鐢熸垚锛屼篃鍙€氳繃鍚戣瘉涔﹂鍙戞満鏋勭敵璇疯幏寰椼€�<br>
鏈粍缁囩殑鎵€鏈塦鑺傜偣璇佷功`浠ュ強`鐢ㄦ埛璇佷功`閮芥槸鐢辨`CA璇佷功`绛惧彂鐢熸垚銆�<br>
<span id="nodeCert"></span>
### 鑺傜偣璇佷功绫�
姣忎釜缁勭粐鑷冲皯鏈変竴涓叡璇嗚妭鐐癸紝涔熷彲浠ラ儴缃插涓€�<br>
姣忎釜缁勭粐鍙互鏈夎嫢骞插悓姝ュ拰杞昏妭鐐癸紝涔熷彲浠ヤ笉閮ㄧ讲銆�<br>
涓嶇浠€涔堢被鍨嬬殑鑺傜偣锛屾瘡涓妭鐐归兘浼氭湁涓€涓猔鑺傜偣TLS璇佷功`鍜屼竴涓猔鑺傜偣SIGN璇佷功`锛屽叾璇佷功瀛楁璇﹁[鑺傜偣璇佷功銆佺敤鎴疯瘉涔﹀瓧娈礭(#certFields)<br><br>
- 鍏辫瘑鑺傜偣
- 鑺傜偣TLS璇佷功
鐢ㄤ簬璺熷鎴风寤虹珛tls閾炬帴锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=consensus // 鍏辫瘑鑺傜偣璇佷功蹇呴』涓篶onsensus
CN=consensus1.wx-org1.chainmaker.org
sans=localhost // 鐢ㄤ簬tls鐨勮瘉涔ans瀛楁蹇呭~
```
- 鑺傜偣SIGN璇佷功
鐢ㄤ簬绛惧悕楠岀绛夌瓑锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=consensus // 鍏辫瘑鑺傜偣璇佷功蹇呴』涓篶onsensus
CN=consensus1.wx-org1.chainmaker.org
```
- 鍚屾鑺傜偣銆佽交鑺傜偣
鍚屾鑺傜偣涓庤交鑺傜偣鐨勮瘉涔﹁鏍煎畬鍏ㄤ竴鑷达紝浠ヤ笅绀轰緥閮戒簰鐩搁€傜敤锛屼笉鍐嶉噸澶嶄妇渚嬨€�
- 鑺傜偣TLS璇佷功
鐢ㄤ簬璺熷鎴风寤虹珛tls閾炬帴锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=common // 鍚屾鑺傜偣/杞昏妭鐐硅瘉涔﹀繀椤讳负common
CN=consensus1.wx-org1.chainmaker.org
sans=localhost // 鐢ㄤ簬tls鐨勮瘉涔ans瀛楁蹇呭~
```
- 鑺傜偣SIGN璇佷功
鐢ㄤ簬绛惧悕楠岀绛夌瓑锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=common // 鍚屾鑺傜偣/杞昏妭鐐硅瘉涔﹀繀椤讳负common
CN=consensus1.wx-org1.chainmaker.org
```
<span id="userCert"></span>
### 鐢ㄦ埛璇佷功绫�
鐢ㄦ埛璇佷功绫诲垎涓篳admin璇佷功绫籤鍒嗛厤缁欑鐞嗗憳鐢ㄦ埛浣跨敤鍜宍client璇佷功绫籤鍒嗛厤缁欐櫘閫氱敤鎴蜂娇鐢ㄣ€�<br>
姣忎釜缁勭粐鑷冲皯鏈変竴涓鐞嗗憳鐢ㄦ埛鍜岃嫢骞蹭釜鏅€氱敤鎴�<br>
涓嶇浠€涔堢被鍨嬬殑鐢ㄦ埛锛屾瘡涓敤鎴烽兘浼氭湁涓€涓猔鐢ㄦ埛TLS璇佷功`鍜屼竴涓猔鐢ㄦ埛SIGN璇佷功`锛屽叾璇佷功瀛楁璇﹁[鑺傜偣璇佷功銆佺敤鎴疯瘉涔﹀瓧娈礭(#certFields)<br><br>
- admin璇佷功绫�
- 鐢ㄦ埛TLS璇佷功
鐢ㄤ簬璺熻妭鐐瑰缓绔媡ls閾炬帴锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=admin // 绠$悊鍛樼敤鎴峰繀椤讳负admin
CN=admin1.wx-org1.chainmaker.org
```
- 鐢ㄦ埛SIGN璇佷功
鐢ㄤ簬绛惧悕楠岀绛夌瓑锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=admin // 绠$悊鍛樼敤鎴峰繀椤讳负admin
CN=admin1.wx-org1.chainmaker.org
```
- client璇佷功绫�
- 鐢ㄦ埛TLS璇佷功
鐢ㄤ簬璺熻妭鐐瑰缓绔媡ls閾炬帴锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=client // 鏅€氱敤鎴峰繀椤讳负client
CN=client1.wx-org1.chainmaker.org
```
- 鐢ㄦ埛SIGN璇佷功
鐢ㄤ簬绛惧悕楠岀绛夌瓑锛屼娇鐢╜CA璇佷功`绛惧彂鑾峰緱锛岃瘉涔﹀瓧娈典俊鎭涓嬬ず渚嬶細<br>
```shell
O=wx-org1.chainmaker.org
OU=client // 鏅€氱敤鎴峰繀椤讳负client
CN=client1.wx-org1.chainmaker.org
```
## 閾句笂鍙樻洿
### 缁勭粐CA璇佷功绫�
- [浣跨敤cmc鏂板缁勭粐CA璇佷功](../dev/鍛戒护琛屽伐鍏�.html#chainConfig.addOrgRootCA)
- [浣跨敤cmc鍒犻櫎缁勭粐CA璇佷功](../dev/鍛戒护琛屽伐鍏�.html#chainConfig.delOrgRootCA)
- [浣跨敤cmc鏇存柊缁勭粐CA璇佷功](../dev/鍛戒护琛屽伐鍏�.html#chainConfig.updateOrgRootCA)
## 闄勫綍
<span id="certFields"></span>
### 鑺傜偣璇佷功銆佺敤鎴疯瘉涔﹀瓧娈�
鑺傜偣璇佷功鍜岀敤鎴疯瘉涔﹀瓧娈甸€氱敤
| 瀛楁 | 鍚箟 | 瑙勮寖 |
| :----: | :----: | :----: |
| C | country 鍥藉 | 濡傦細CN |
| L | locality 浣嶇疆(鍩庡競) | 濡傦細Guangzhou |
| ST | state 鐪佷唤(宸�) | 濡傦細Guangdong |
| O | organization 缁勭粐 | 瀵瑰簲chainmaker鐨勭粍缁嘔D锛坥rgId锛夊锛歸x-org1.chainmaker.org |
| OU | organizationalUnit 缁勭粐鍗曚綅 | 瀵瑰簲chainmaker閲岀殑鐢ㄦ埛瑙掕壊锛歝onsensus/common/admin/client |
| CN | commonName 甯哥敤鍚� | chainmaker閲岄€氬父浠ョ敤鎴稩D+缁勭粐ID褰㈠紡锛屽锛歝a.wx-testorg.chainmaker.org銆乤dmin1.wx-org1.chainmaker.org銆乧onsensus1.wx-org1.chainmaker.org銆乧lient1.wx-org1.chainmaker.org |
| expireYear | 璇佷功鏈夋晥鏈� | 浠ュ勾涓哄崟浣� 濡傦細2 |
| sans | 鑺傜偣璇佷功鐨勫湴鍧€淇℃伅 | 鍙负鑺傜偣鍦板潃IP锛屼篃鍙互鏄妭鐐瑰煙鍚� 濡傦細consensus1.wx-org1.chainmaker.org |
<br><br>
## CA璇佷功鏈嶅姟姒傝堪
闀垮畨閾捐瘉涔︾鍙戞湇鍔★紝鍙敤浜庡绉嶅満鏅儴缃诧紝鎻愪緵璇佷功绛惧彂锛岀鐞嗭紝鏇存柊锛屽悐閿€绛夋湇鍔°€�
CA璇佷功鏈嶅姟鐨勪娇鐢ㄦ墜鍐岄摼鎺ワ細
[CA璇佷功鏈嶅姟鐨勪娇鐢ㄦ墜鍐宂(../operation/CA璇佷功鏈嶅姟.md)
## 琛ㄨ璁�
### cert_content
璇佷功鐨勫唴瀹硅〃锛屽瓨鍌ㄥ啓鍒癤509璇佷功閲岀殑璇佷功璇︽儏銆�
| 瀛楁 | 绫诲瀷 | 鍚箟 | 澶囨敞 |
| :-----------------: | :----------: | :--------------------: | :----------------------: |
| serial_number | bigint | SN鐮� | 璇佷功瀛楁锛岃瘉涔︾殑鍞竴鏍囪瘑 |
| content | longtext | 璇佷功鐨勫唴瀹� | pem缂栫爜 |
| signature | longtext | 璇佷功鐨勭鍚� | hex缂栫爜 |
| country | varchar(255) | 鍥藉 | X509璇佷功瀛楁 |
| locality | varchar(255) | 鍦板尯 | X509璇佷功瀛楁 |
| province | varchar(255) | 鐪佷唤 | X509璇佷功瀛楁 |
| organization | varchar(255) | 缁勭粐 | X509璇佷功瀛楁 |
| organizational_unit | varchar(255) | 鍗曚綅 | X509璇佷功瀛楁 |
| common_name | varchar(255) | 甯哥敤鍚� | X509璇佷功瀛楁 |
| csr_content | longtext | 璇佷功鐨刢sr | pem缂栫爜 |
| is_ca | bool | 璇佷功鏄惁鍏锋湁绛惧彂鑳藉姏 | X509璇佷功瀛楁 |
| ski | varchar(255) | 璇佷功瀵嗛挜鐨剆ki | X509璇佷功瀛楁 |
| aki | varchar(255) | 璇佷功瀵嗛挜鐨刟ki | X509璇佷功瀛楁 |
| key_usage | int | 璇佷功瀵嗛挜鐨勪娇鐢ㄦ柟寮� | X509璇佷功瀛楁 |
| ext_key_usage | varchar(255) | 璇佷功瀵嗛挜鐨勬墿灞曚娇鐢ㄦ柟寮� | X509璇佷功瀛楁 |
| issue_date | bigint | 绛惧彂鏃ユ湡 | unix鏃堕棿鎴� |
| expiration_date | bigint | 鍒版湡鏃堕棿 | unix鏃堕棿鎴� |
### cert_info
璇佷功鐨勭浉鍏充俊鎭〃锛屽瓨鍌ㄤ笌璇佷功鐩稿叧鐨勶紝鍖呮嫭瀵嗛挜锛岀敤鎴蜂俊鎭瓑銆�
| 瀛楁 | 绫诲瀷 | 鍚箟 | 澶囨敞 |
| :------------: | :----------: | :----------: | :--------------------: |
| serial_number | bigint | 璇佷功sn | 璇佷功鐨勫敮涓€鏍囪瘑sn |
| private_key_id | varchar(255) | 绉侀挜鏍囪瘑 | 涓€鑸负绉侀挜鐨剆ki |
| issuer_sn | bigint | 绛惧彂鑰卻n | 璇ヨ瘉涔︾殑棰佸彂鑰呯殑sn |
| p2p_node_id | varchar(255) | p2p缃戠粶Id | 闀垮畨閾綪2P缃戠粶鑺傜偣ID |
| org_id | varchar(255) | 缁勭粐鍞竴鏍囪瘑 | 闀垮畨閾剧粍缁嘔D |
| user_type | int | 璇佷功鐢ㄦ埛绫诲瀷 | 闀垮畨閾捐瘉涔﹁鑹� |
| cert_usage | int | 璇佷功鐢ㄩ€� | 闀垮畨閾捐瘉涔︿娇鐢ㄦ柟寮� |
| user_id | varchar(255) | 鐢ㄦ埛鍞竴鏍囪瘑 | 闀垮畨閾剧敤鎴凤紙鑺傜偣锛夋爣璇� |
* user_type: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
* cert_usage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc
### keypair
鍏閽ュ琛紝瀛樺偍瀵嗛挜鐨勫叿浣撲俊鎭€�
| 瀛楁 | 绫诲瀷 | 鍚箟 | 澶囨敞 |
| :---------: | :----------: | :--------: | :--------------------: |
| ski | varchar(255) | 瀵嗛挜鐨剆ki | 瀵嗛挜鍦ㄨ瘉涔﹂噷鐨勫敮涓€鏍囪瘑 |
| private_key | longtext | 绉侀挜鐨勫唴瀹� | pem缂栫爜 |
| public_key | longtext | 鍏挜鐨勫唴瀹� | pem缂栫爜 |
| key_type | int | 鍏挜绠楁硶 | |
| hash_type | int | 鍝堝笇绠楁硶 | |
### revoked_cert
鎾ら攢鐨勮瘉涔﹁〃锛屽瓨鍌ㄦ挙閿€淇℃伅銆�
| 瀛楁 | 绫诲瀷 | 鍚箟 |
| :----------------: | :----------: | :----------: |
| revoked_cert_sn | bigint | 鎾ら攢璇佷功鐨凷N |
| reason | longtext | 鎾ら攢鍘熷洜 |
| revoked_start_time | bigint | 鎾ら攢寮€濮嬫椂闂� |
| revoked_end_time | bigint | 鎾ら攢缁撴潫鏃堕棿 |
| revoke_by | bigint | 鎾ら攢鑰� |
| org_id | varchar(255) | 鎵€灞炵粍缁� |
### app_info
璁块棶鎺у埗搴旂敤淇℃伅琛紝瀛樺偍閰嶇疆鐨勫簲鐢╥d鍜宬ey杩樻湁瑙掕壊銆�
| 瀛楁 | 绫诲瀷 | 鍚箟 |
| :------: | :----------: | :------: |
| app_id | varchar(255) | 搴旂敤id |
| app_key | varchar(255) | 搴旂敤鍙d护 |
| app_role | int | 搴旂敤瑙掕壊 |
app_role : 1.admin , 2.user
* admin : 鎵€鏈夋潈闄�
* user 锛氫笉鑳借繘琛屽悐閿€銆佸欢鏈熻瘉涔︺€傚彧鑳界敵璇凤紝鏌ヨ璇佷功銆�
## 璇佷功璇﹁В
### 璇佷功浣跨敤鏂瑰紡
* sign 锛氱鍚嶈瘉涔︺€�
* tls 锛歵ls 璇佷功
* tls-enc 锛歵ls鍔犲瘑璇佷功锛堢鍚堝浗瀵唗ls鍙岃瘉涔︽爣鍑嗭級
* tls-sign 锛歵ls绛惧悕璇佷功锛堢鍚堝浗瀵唗ls鍙岃瘉涔︽爣鍑嗭級
### 璇佷功鍒嗙被
* **CA璇佷功**
CA璇佷功鏄寚鍏锋湁绛惧彂鑳藉姏鐨勮瘉涔︼紝鍗充娇鐢ㄨ璇佷功鍙互缁х画绛惧彂涓嬬骇璇佷功銆傞€氬父涓簉oot鎴栬€卌a涓ょ璇佷功瑙掕壊銆�
* **鐢ㄦ埛璇佷功**
鐢ㄦ埛璇佷功鏄寚涓嶅叿澶囩鍙戣兘鍔涚殑銆佺粰鐢ㄦ埛浣跨敤鐨則ls鎴杝ign璇佷功銆傞€氬父涓篴dmin鎴朿lient涓ょ瑙掕壊銆�
* **鑺傜偣璇佷功**
鑺傜偣璇佷功鏄寚涓嶅叿澶囩鍙戣兘鍔涚殑銆佺粰鑺傜偣浣跨敤鐨則ls鎴杝ign璇佷功銆傞€氬父涓篶onsensus鎴朿ommon涓ょ瑙掕壊銆�
### 璇佷功瑙掕壊鍒嗙被
* **root**
root涓烘牴璇佷功銆傚嵆鍒濆璇佷功锛屾槸鐢辫嚜绛惧舰鎴愮殑绗竴涓瘉涔︺€�
* **ca**
ca涓轰腑闂碈A璇佷功銆傝绫昏瘉涔︽槸鐢辨牴璇佷功鐩存帴鎴栭棿鎺ョ鍙戯紝鏈韩涔熷叿鏈夌户缁悜涓嬬鍙戠殑鑳藉姏銆傚湪ChainMaker涓紝閫氬父琛ㄧ幇涓虹粍缁囪瘉涔︺€�
* **admin**
admin涓虹敤鎴疯瘉涔︾殑涓€绉嶃€傞€氬父绉颁负绠$悊鍛樿瘉涔︺€傝璇佷功鎷ユ湁鍙備笌鎶曠エ绛夋洿澶氱殑鍙備笌鏉冮檺銆傦紙鎯宠浜嗚В鍏蜂綋鏉冮檺璁捐璇︽儏锛岃鏌ョ湅闀垮畨閾惧紑婧愭枃妗o紝鐢ㄦ埛鎵嬪唽鐨勬潈闄愮鐞嗘ā鍧椼€傦級
* **client**
client涓虹敤鎴疯瘉涔︾殑涓€绉嶃€傞€氬父绉颁负鏅€氱敤鎴疯瘉涔︺€傝璇佷功鎷ユ湁鍙戣捣浜ゆ槗锛屾煡璇俊鎭瓑鍩烘湰鐨勯摼涓婃搷浣滄潈闄愩€備絾缂轰箯鍙備笌鎶曠エ绛変竴浜涢噸澶у喅绛栨潈闄愩€傦紙鎯宠浜嗚В鍏蜂綋鏉冮檺璁捐璇︽儏锛岃鏌ョ湅闀垮畨閾惧紑婧愭枃妗o紝鐢ㄦ埛鎵嬪唽鐨勬潈闄愮鐞嗘ā鍧椼€傦級
* **consensus**
consensus涓鸿妭鐐硅瘉涔︾殑涓€绉嶃€傞€氬父绉颁负鍏辫瘑鑺傜偣璇佷功銆傝璇佷功閫氬父棰佸彂缁機hainMaker鐨勫叡璇嗚妭鐐癸紝鍏辫瘑鑺傜偣鐢ㄥ叡璇嗚妭鐐硅瘉涔﹀弬涓庨摼涓婄殑鍏辫瘑鎶曠エ銆佺鍚嶃€佹牎楠屻€侀€氫俊绛夋搷浣溿€�
* **common**
common涓鸿妭鐐硅瘉涔︾殑涓€绉嶃€傞€氬父绉颁负鍚屾鑺傜偣璇佷功銆傝璇佷功閫氬父棰佸彂缁機hainMaker鐨勫悓姝ヨ妭鐐癸紝鍚屾鑺傜偣鐨勬牎楠岋紝绛惧悕銆侀€氫俊鐨勬搷浣滈渶瑕佸悓姝ヨ妭鐐圭殑tls鍜宻ign璇佷功銆�
### 鍦烘櫙妯℃嫙
璇ュ満鏅笅锛屼互闆嗗洟涓哄熀纭€锛屼互澶氫釜鍒嗗叕鍙镐负鍙備笌鏂规瀯寤轰竴鏉″尯鍧楅摼銆�
鍒嗗叕鍙稿湪閾句笂鏄粍缁囩殑韬唤銆傚垎鍏徃涓嬬殑閮ㄩ棬锛屽湪閾句笂鏄敤鎴峰拰鑺傜偣鐨勮韩浠姐€�
鍦ㄨ繖绉嶅満鏅笅锛岄泦鍥互root璇佷功鐨勮韩浠界粰鎵€鏈夊垎鍏徃棰佸彂涓棿ca璇佷功锛堢粍缁囪瘉涔︼級銆�
鍒嗗叕鍙哥敤鍚勮嚜鐨勪腑闂碿a璇佷功缁欒嚜宸辩殑閮ㄩ棬棰佸彂鐢ㄦ埛鍜岃妭鐐硅瘉涔︺€�
### X.509璇佷功瀛楁瑙勮寖
鍦–hainMaker璇佷功浣撶郴閲岋紝X.509璇佷功鏍煎紡鐨勪互涓嬪瓧娈靛仛鍑轰簡鍏蜂綋鐨勮鑼冿細
#### 甯哥敤瀛楁
| 瀛楁 | 璇佷功绫诲瀷 | 鍏ㄧО | 濉啓鍐呭 | 鍚箟 |
| :--------------: | :------: | :----------------: | :-------------: | :----------------------------: |
| O | 缁熶竴 | Organization | OrgId | 缁勭粐ID<br />锛堢粍缁囩殑鍞竴鏍囪瘑锛� |
| OU | 缁熶竴 | OrganizationalUnit | 璇佷功瑙掕壊绫诲瀷* | 瑙掕壊 |
| CN | CA璇佷功 | CommonName | root/ca | |
| CN | 鐢ㄦ埛璇佷功 | CommonName | UserId | 鐢ㄦ埛ID<br />锛堢敤鎴峰敮涓€鏍囪瘑锛� |
| CN | 鑺傜偣璇佷功 | CommonName | xxx.xxx.xxx.com | 鑺傜偣鐪熷疄鍩熷悕锛堥摼涓婂敮涓€锛� |
| DNSNames锛圫ANS锛� | 鑺傜偣璇佷功 | DNSNames | xxx.xxx.xxx.com | 鑺傜偣鐪熷疄鍩熷悕 |
***璇佷功瑙掕壊绫诲瀷**锛歳oot/ca/admin/client/consensus/common 鍏卞叚绉嶉€夋嫨銆�
* O瀛楁锛屽嵆X.509璇佷功鐨凮rganization瀛楁锛屾垜浠姹傛墍鏈夎瘉涔﹀繀椤诲~鍐欑粍缁囩殑鍞竴鏍囪瘑锛岄渶瑕佷笌ChainMaker鍚姩鏃堕厤缃殑OrgId缁熶竴銆�
* OU瀛楁锛屽嵆X.509璇佷功鐨凮rganizationalUnit瀛楁锛屾垜浠姹傛墍鏈夎瘉涔﹀繀椤诲~鍐機hainMaker璇佷功6绉嶈鑹茬殑鍏朵腑涓€绉嶃€�
* CN瀛楁锛屽嵆X.509璇佷功鐨凜ommonName瀛楁锛孋A璇佷功鏍规嵁瀹為檯鐨勮瘉涔﹁鑹插~鍐檙oot鎴栬€卌a銆傜敤鎴疯瘉涔﹀~鍐欑敤鎴风殑鍞竴鏍囪瘑锛孶serId銆傝妭鐐硅瘉涔﹀~鍐欒妭鐐圭殑鐪熷疄鍩熷悕淇℃伅銆傚悓涓€鑺傜偣锛堢敤鎴凤級鐨則ls鍜宻ign璇佷功锛孋N瀛楁搴旇鐩稿悓銆�
* DNSNames瀛楁锛岃妭鐐硅瘉涔﹀~鍐欒妭鐐圭殑鐪熷疄鍩熷悕淇℃伅锛屽叾浣欎笉浣滆姹傘€�
#### KeyUsage
X.509鐨凨eyUsage瀛楁锛屽叿浣撶敤娉曚粙缁嶈鍙傜収RFC 5280鏍囧噯
鏍规嵁璇佷功瑙掕壊鍜岃瘉涔︾殑浣跨敤鏂瑰紡锛屾垜浠瀛楁KeyUsage杩涜浜嗗叿浣撹瀹氾細
* **admin/client/consensus/common :**
* **tls-sign :** x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
* **tls-enc :** x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement
* **tls:** x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement |x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
* **sign :** x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
* **ca/root :**
* **tls :** x509.KeyUsageCertSign | x509.KeyUsageCRLSign
* **sign :** x509.KeyUsageCertSign | x509.KeyUsageCRLSign
#### ExtKeyUsage
X.509鐨凟xtKeyUsage瀛楁锛屽叿浣撶敤娉曚粙缁嶈鍙傜収RFC 5280鏍囧噯
鏍规嵁璇佷功瑙掕壊鍜岃瘉涔︾殑浣跨敤鏂瑰紡锛屾垜浠瀛楁KeyUsage杩涜浜嗗叿浣撹瀹氾細
* **consensus/common :**
* **tls:** {ExtKeyUsageServerAuth, ExtKeyUsageClientAuth}
* **tls-enc:** {ExtKeyUsageServerAuth, ExtKeyUsageClientAuth}
* **tls-sign:** {ExtKeyUsageServerAuth, ExtKeyUsageClientAuth}
* **admin/client锛�**
* **tls:** {ExtKeyUsageClientAuth}
* **tls-sign:** {ExtKeyUsageClientAuth}
* **tls-enc:** {ExtKeyUsageClientAuth}
## 璇佷功寤舵湡
閫氳繃鎻愪緵鐨勮瘉涔N锛屾壘鍒版棫璇佷功锛屽湪鏃ц瘉涔︾殑鍩虹涓婏紝浠ユ棫璇佷功鐨勪俊鎭负鍩虹锛屽寘鎷琒N瀛楁锛屽湪鏃ц瘉涔︾殑鏈夋晥鏈熷熀纭€涓婏紝鐢ㄨ璇佷功鐨勭鍙戣€咃紝閲嶆柊绛惧悕绛惧彂寤舵湡璇佷功銆�
娴佺▼锛�
## 璇佷功鎾ら攢
棣栧厛鍒ゆ柇绛惧彂鑰匰N鏄惁鏄鎾ら攢璇佷功鐨勪笂绾э紝濡傛灉鏄紝灏嗘挙閿€淇℃伅鎻掑叆鏁版嵁搴撲繚瀛樸€傛挙閿€鏃ユ湡浠ユ挙閿€鍔ㄤ綔璧凤紝鍒拌瘉涔︾殑澶辨晥鏈熺粨鏉燂紙姘镐箙鍚婇攢锛夈€傜劧鍚庯紝鐢熸垚璇ョ鍙戣€呰瘉涔︿笅鎵€鏈夋挙閿€鐨勮瘉涔﹀垪琛紙CRL锛夊苟杩斿洖銆�
娴佺▼锛�
## 鏈嶅姟鍚姩
娴佺▼锛�
