# CA Certificate Service Usage Guide

Design document: [CA Certificate Service Design](../tech/CA证书服务.md)

## Features

1. Generate a key pair and issue a single certificate from the supplied information, then store the certificate and key (the root key is not stored; it is only written to a file).
2. Issue a single certificate from a CSR file and store the certificate.
3. Extend the validity period of a specific certificate.
4. Revoke a certificate through the CA certificate in its chain.
5. Generate the latest certificate revocation list (CRL file) for a CA certificate.
6. The root certificate can either be supplied through configuration or self-signed at startup.
7. Different startup modes can be configured to separate the issuance of tls and sign certificates.
8. Issue standalone tls encryption or signing certificates (GM national standard, dual-certificate TLS).
9. Start from a configured intermediate certificate so that the root certificate stays protected.
10. Optional encryption of private key files.

<span id="deploy"></span>

## Installation and Deployment

### Requirements

* golang
  * version 1.16 or above
  * download: https://golang.org/dl/

### Download the code

```sh
$ git clone --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-ca.git
```

### Run

#### Configure the MySQL connection

```shell
$ cd src/conf/
$ vi config.yaml   # open config.yaml and edit db_config with the MySQL connection settings
```

#### Deploy and start

- Option 1:

  **Prepare and start MySQL**

  mysql
  * version 8.0 or above
  * download: https://dev.mysql.com/downloads/installer/

  **Build chainmaker-ca**

  ```shell
  $ cd src/
  $ go build -o chainmaker-ca
  ```

  **Start the service**

  ```shell
  $ cd src/
  $ ./chainmaker-ca -config ./conf/config.yaml
  ```

- Option 2:

  **Prepare the Docker base images**

  mysql:8.0, golang:1.16.2, centos:7.6.1810

  **Run the container start script**

  ```shell
  $ sh deploy.sh
  ```

## Configuration File Reference

Path: `src/conf/config.yaml`

The configuration file consists of the following sections:

### base config

Basic configuration of the CA service.

```yaml
# Base config
base_config:
  server_port: 8090                  # service port
  ca_type: single_root               # startup mode: double_root/single_root/tls/sign
  expire_year: 2                     # validity of issued certificates in years
  expire_month: 6                    # validity of issued certificates in months (takes priority over years)
  hash_type: SHA256                  # hash type: SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256             # key type: ECC_NISTP256/SM2/RSA2048
  can_issue_ca: true                 # whether further CA certificates may be issued
  provide_service_for: [org1,org2]   # organizations served (if unset, no restriction on organizations)
  key_encrypt: false                 # whether private keys are encrypted
  access_control: true               # whether access control is enabled
  default_domain: chainmaker.org     # domain written into certificates (omitted if unset)
```

**Notes**

* SM2 and SM3 must be used together.
* **ca_type:** CA startup mode; issuance of tls and sign certificates can be deployed as separate services.
  - tls: the service only issues tls certificates.
  - sign: the service only issues sign certificates.
  - single_root: issues both tls and sign certificates, using one root CA certificate.
  - double_root: issues both tls and sign certificates, using two root CA certificates.
* **can_issue_ca:** whether intermediate CA certificates may be issued within the organizations served.
* **provide_service_for:** the organizations for which certificates are issued. A single organization can be configured (single-tenant service), or several organizations can be served. If unset, any organization is served.
* **key_encrypt:** switch for private key file encryption. When enabled, key files are encrypted with PEMCipherAES256. (The root key is neither stored nor encrypted.)
* **access_control:** access control switch. When enabled, every endpoint of the service must be called with a token.

### root config

Root certificate paths and CSR configuration.

```yaml
# Root CA config
root_config:
  cert:
    - cert_type: tls                                          # root certificate type: tls/sign
      cert_path: ../crypto-config/rootCA/tls/root-tls.crt     # certificate path
      private_key_path: ../crypto-config/rootCA/tls/root-tls.key  # private key path
      key_id: SM2TlsKey261                                    # HSM pkcs11 key id
    - cert_type: sign
      cert_path: ../crypto-config/rootCA/sign/root-sign.crt
      private_key_path: ../crypto-config/rootCA/sign/root-sign.key
      key_id: SM2SignKey262
  csr:
    CN: root.org-wx        # CN field of the certificate subject
    O: org-wx              # O field of the certificate subject
    OU: root               # OU field of the certificate subject
    country: CN            # country field of the certificate subject
    locality: Beijing      # locality field of the certificate subject
    province: Beijing      # province field of the certificate subject
```

* **cert_type:** type of the certificate path. If the CA starts in double_root mode, both a tls and a sign certificate path must be configured. If the CA starts in single_root mode, a sign certificate path must be configured.
* **csr (optional):**
  * Not set: the service starts with the root certificate found at the configured cert path.
  * Set: the service self-signs a root certificate from the CSR configuration and starts with it.

  The OU field must follow ChainMaker's certificate validation rules, otherwise on-chain validation fails; it must be set to `root`.

### intermediate_config

**Optional.** Generation configuration for intermediate CAs.

```yaml
# intermediate config
intermediate_config:
  - csr:
      CN: ca.org1
      O: org1
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey261
  - csr:
      CN: ca.org2
      O: org2
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2TlsKey262
```

### access_control_config

**Optional.** Access control account configuration.

```yaml
access_control_config:
  - app_role: admin      # role
    app_id: admin        # account id
    app_key: passw0rd    # account password
  - app_role: user
    app_id: user1
    app_key: passw0rd
```

* **app_role**
  * admin: all permissions.
  * user: cannot revoke or renew certificates; can only apply for and query certificates.

### database config (MySQL)

Database connection configuration.

```yaml
db_config:
  user: root              # user name
  password: 123456        # password
  ip: 127.0.0.1           # IP address of the database server
  port: 3306              # port of the database server
  dbname: chainmaker_ca   # name of the database to create
```

### log config

Logging configuration.

```yaml
log_config:
  level: error             # log level
  filename: ../log/ca.log  # log file path
  max_size: 1              # maximum size of the log file before rotation (MB)
  max_age: 30              # maximum number of days to keep old files
  max_backups: 5           # maximum number of old files to keep
```

### pkcs11 config

Hardware security module (HSM) configuration.

```yaml
pkcs11_config:
  enabled: false                                    # pkcs11 hardware encryption switch
  library: /usr/local/lib64/pkcs11/libupkcs11.so    # path of the pkcs11 library
  label: HSM                                        # slot label
  password: 11111111                                # HSM token login password
  session_cache_size: 10                            # session cache size
  hash: "SHA256"                                    # hash algorithm
```

## Deployment Topologies

### Configuration for each topology

**Centralized 1:**

1. Centralized deployment serving multiple organizations; base_config.provide_service_for lists multiple organizations.
2. Multiple intermediate CAs are enabled; intermediate_config has multiple entries.
3. Further intermediate CA certificates may not be issued; base_config.can_issue_ca is false.

**Centralized 2:**

1. Centralized deployment serving multiple organizations; base_config.provide_service_for lists multiple organizations.
2. A single intermediate CA certificate is enabled; intermediate_config has one entry.
3. Further intermediate CA certificates may not be issued; base_config.can_issue_ca is false.

**Distributed 1:**

A hybrid of distributed and centralized deployment.

* Centralized part:
  1. Serves multiple organizations; base_config.provide_service_for lists multiple organizations.
  2. No intermediate CA certificate is configured; intermediate_config is left unset.
  3. Further intermediate CA certificates may be issued; base_config.can_issue_ca is true.
* Distributed part:
  1. Serves one organization; base_config.provide_service_for lists a single organization.
  2. The root certificate is loaded from configuration; root_config.csr is left unset.
  3. No intermediate CA certificate is configured; intermediate_config is left unset.
  4. Further intermediate CA certificates may not be issued; base_config.can_issue_ca is false.

**Distributed 2:**

1. Distributed deployment serving a single organization; base_config.provide_service_for lists only one organization.
2. One intermediate CA certificate is configured; intermediate_config has one entry.
3. Further intermediate CA certificates may not be issued; base_config.can_issue_ca is false.

## API Reference

### Code and Msg

| Code | Msg | Meaning |
| :--: | :-----------------------------------------: | :----------: |
| 200 | The request service returned successfully | success |
| 202 | Missing required parameters | missing input parameter |
| 204 | There is an error in the input parameter | invalid input parameter |
| 500 | An error occurred with the internal service | service execution failed |

### Parameter passing

All endpoints take their parameters as a JSON request body.

### Login (obtain a token)

Request URL: http://localhost:8090/api/ca/login

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :----: | :----: | :------: | :--: |
| appId | string | login id | required |
| appKey | string | login password | required |

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "accessToken": "1111111",
    "expiressIn": 7200
  }
}
```

| Field | Type | Meaning |
| :---------: | :----: | :------------: |
| accessToken | string | token value |
| expiressIn | number | expiry time (seconds) |

<span id="apply_cert"></span>

### Apply for a certificate

Key pair generation and certificate issuance in one step.

Request URL: http://localhost:8090/api/ca/gencert

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :-----------: | :----: | :--------------: | :---: |
| orgId | string | organization ID | required |
| userId | string | user ID | optional (see note) |
| userType | string | user type | required |
| certUsage | string | certificate usage | required |
| privateKeyPwd | string | private key password | optional |
| country | string | certificate field (country) | required |
| locality | string | certificate field (city) | required |
| province | string | certificate field (province) | required |
| token | string | token | optional |

* userType: 1.root, 2.ca, 3.admin, 4.client, 5.consensus, 6.common
* certUsage: 1.sign, 2.tls, 3.tls-sign, 4.tls-enc

Note:

* userId may be left empty only when the requested userType is ca. When applying for node certificates, the node ID must be unique on the chain.

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 4523845175273844671,
    "issueCertSn": 1146073575643658842,
    "cert": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
    "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL2vmKiNl3hymnVvjkD3f9xrGAmvJCZEkGD4VwueObaPoAoGCCqGSM49\nAwEHoUQDQgAEOkQfqEJCbHESNXpmHGBjB8dQFP3/W5DDrqknTbKb+i473RH7ZQTl\nTu5ms4uSeFXvJR2+uYy35xunwTGe2tL+VQ==\n-----END EC PRIVATE KEY-----\n"
  }
}
```

| Field | Type | Meaning | Note |
| ----------- | ------ | ------------ | ---- |
| cert | string | certificate content | |
| privateKey | string | private key content | |
| certSn | number | certificate serial number | |
| issueCertSn | number | CA certificate serial number | |

### Generate a CSR

Request URL: http://localhost:8090/api/ca/gencsr

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :-----------: | :----: | :--------------: | :---: |
| orgId | string | organization ID | required |
| userId | string | user ID | optional (see note) |
| userType | string | user type | required |
| privateKeyPwd | string | private key password | optional |
| country | string | certificate field (country) | required |
| locality | string | certificate field (city) | required |
| province | string | certificate field (province) | required |
| token | string | token | optional |

* userType: 1.root, 2.ca, 3.admin, 4.client, 5.consensus, 6.common

Note:

* userId may be left empty only when the requested userType is ca. When applying for node certificates, the node ID must be unique on the chain.

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCBxQIBADBjMQ4wDAYDVQQGEwVjaGluYTEQMA4GA1UECBMHYmVpamluZzEQ\nMA4GA1UEBxMHaGFpZGlhbjENMAsGA1UEChMEb3JnNzEOMAwGA1UECxMFYWRtaW4x\nDjAMBgNVBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaRv9OA2Z\nm/GcJibe/77u8lpABOLOVGgHzAzOd/h+9+Kq4+46CjXaISxEeTrqEMhLKCjcM1Bb\nm8jF5rWiQCFKFaAAMAoGCCqGSM49BAMCA0gAMEUCIFYjsphgIcInLjdhyYtILnFR\nJH7T/vahNbut8OvEgQ9tAiEAsNxL8xw+hGfhd9NgrxEx3Fv9Vj6wv1X3jaHvljME\n76U=\n-----END CERTIFICATE REQUEST-----\n"
}
```

### Apply for a certificate with a CSR

Request URL: http://localhost:8090/api/ca/gencertbycsr

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :-------: | :----: | :-------: | :---: |
| orgId | string | organization ID | required |
| userId | string | user ID | optional (see note) |
| userType | string | user type | required |
| certUsage | string | certificate usage | required |
| csr | string | CSR file content | required |
| token | string | token | optional |

* userType: 1.root, 2.ca, 3.admin, 4.client, 5.consensus, 6.common
* certUsage: 1.sign, 2.tls, 3.tls-sign, 4.tls-enc

Note:

* userId may be left empty only when the requested userType is ca. When applying for node certificates, the node ID must be unique on the chain.

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 1752004958408437983,
    "issueCertSn": 1146073575643658842,
    "cert": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n"
  }
}
```

| Field | Type | Meaning | Note |
| ----------- | ------ | ------------ | ---- |
| cert | string | certificate content | |
| certSn | number | certificate serial number | |
| issueCertSn | number | CA certificate serial number | |

<span id="query_cert"></span>

### Query certificates by criteria

Request URL: http://localhost:8090/api/ca/querycerts

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :-------: | :----: | :--------: | :--: |
| orgId | string | organization ID | optional |
| userId | string | user ID | optional |
| userType | string | user type | optional |
| certUsage | string | certificate usage | optional |
| certSn | number | certificate serial number | optional |
| token | string | token | optional |

* userType: 1.root, 2.ca, 3.admin, 4.client, 5.consensus, 6.common
* certUsage: 1.sign, 2.tls, 3.tls-sign, 4.tls-enc

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": [
    {
      "userId": "consensus1",
      "orgId": "org1",
      "userType": "consensus",
      "certUsage": "tls",
      "certSn": 4523845175273844671,
      "issuerSn": 1146073575643658842,
      "certContent": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
      "expirationDate": 1663147467,
      "isRevoked": false
    },
    {
      "userId": "consensus2",
      "orgId": "org2",
      "userType": "consensus",
      "certUsage": "tls",
      "certSn": 1752004958408437983,
      "issuerSn": 1146073575643658842,
      "certContent": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n",
      "expirationDate": 1663148026,
      "isRevoked": false
    }
  ]
}
```

| Field | Type | Meaning | Note |
| :------------: | :-----: | :--------------: | :--------: |
| certSn | number | certificate serial number | |
| issuerSn | number | issuer certificate serial number | |
| certContent | string | certificate content | |
| userId | string | user ID | |
| orgId | string | organization ID | |
| userType | string | user type | |
| certUsage | string | certificate usage | |
| expirationDate | number | expiry time | unix timestamp |
| isRevoked | boolean | whether the certificate is revoked | |

<span id="renewcert"></span>

### Renew a certificate

Request URL: http://localhost:8090/api/ca/renewcert

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :----: | :----: | :--------: | :--: |
| certSn | number | certificate serial number | required |
| token | string | token | optional |

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": {
    "certSn": 1752004958408437983,
    "issueCertSn": 1146073575643658842,
    "cert": "-----BEGIN CERTIFICATE-----\nMIIChTCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMzAz\nMTMwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nSAAwRQIhAOdDmyl0xI3cAxahOXc5pe8RYvl4OquK8jco0E+eqU+LAiBlxgWg1CqW\nk4a1oJF+LK/e1cUXnctf/6NqJLycIElwkA==\n-----END CERTIFICATE-----\n"
  }
}
```

### Revoke a certificate

Request URL: http://localhost:8090/api/ca/revokecert

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :-----------: | :----: | :--------------------: | :--: |
| revokedCertSn | number | certificate serial number | required |
| issuerCertSn | number | serial number of the revoking (CA) certificate | required |
| reason | string | revocation reason | optional |
| token | string | token | optional |

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}
```

### Get the latest CRL of a CA

Request URL: http://localhost:8090/api/ca/gencrl

Method: POST

Parameters:

| Field | Type | Meaning | Note |
| :----------: | :----: | :----------: | :--: |
| issuerCertSn | number | CA certificate serial number | required |
| token | string | token | optional |

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}
```

<span id="get_nodeId"></span>

### Get the NodeID of a node TLS certificate

Request URL: http://localhost:8090/api/ca/getnodeid

Method: POST

Parameters:

Lookup by criteria:

| Field | Type | Meaning | Note |
| :-------: | :----: | :------: | :--: |
| orgId | string | organization ID | required |
| userId | string | user ID | required |
| userType | string | user type | required |
| certUsage | string | certificate usage | required |
| token | string | token | optional |

Lookup by serial number:

| Field | Type | Meaning | Note |
| :----: | :----: | :--------: | :--: |
| certSn | number | certificate serial number | required |
| token | string | token | optional |

Response:

```json
{
  "code": 200,
  "msg": "The request service returned successfully",
  "data": "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
}
```

## Use Cases

### Case 1: Issue node and user certificates with an existing organization's CA certificate

#### Prerequisites

+ A running ChainMaker chain. For the startup procedure see [Quick Start](../recovery/通过命令行工具启动链).
+ The CA service configuration file (example):

```yaml
# log config
log_config:
  level: info                  # The log level
  filename: ../log/ca.log      # The path to the log file
  max_size: 1                  # The maximum size of the log file before cutting (MB)
  max_age: 30                  # The maximum number of days to retain old log files
  max_backups: 5               # Maximum number of old log files to keep

# db config
db_config:
  user: root
  password: 123456
  ip: 127.0.0.1
  port: 13306
  dbname: chainmaker_ca

# Base config
base_config:
  server_port: 8090            # Server port configuration
  ca_type: single_root         # Ca server type : double_root/single_root/tls/sign
  # expire_year: 2             # The expiration time of the certificate (year)
  expire_month: 6              # The expiration time of the certificate (month)(high level)
  # cert_valid_time : 2m       # cert valid time (for testing use only)
  hash_type: SHA256            # SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256       # ECC_NISTP256/SM2
  can_issue_ca: false          # Whether can continue to issue CA cert
  # provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org] # A list of organizations that provide services
  key_encrypt: false           # Whether the key is stored in encryption
  access_control: false        # Whether to enable permission control
  # default_domain: chainmaker.org # the default value for sans in the certificate

pkcs11_config:
  enabled: false
  library: /usr/local/lib64/pkcs11/libupkcs11.so
  label: HSM
  password: 11111111
  session_cache_size: 10
  hash: "SHA256"

# Root CA config
root_config:
  cert:
    - cert_type: sign          # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt          # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key   # private key file path
      key_id: SM2SignKey261    # pkcs11 key id
  # csr:
  #   CN: root
  #   O: org-root
  #   OU: root
  #   country: CN
  #   locality: Beijing
  #   province: Beijing

# access control config
access_control_config:
  - app_role: admin
    app_id: admin1
    app_key: passw0rd
  - app_role: user
    app_id: user1
    app_key: passw0rd
```

Modify the configuration:

```yaml
# Root CA config
root_config:
  cert:
    - cert_type: sign          # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt          # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key   # private key file path
      key_id: SM2SignKey261    # pkcs11 key id
  # csr:
  #   CN: root
  #   O: org-root
  #   OU: root
  #   country: CN
  #   locality: Beijing
  #   province: Beijing
```

What needs to change:

1. cert_path: replace the certificate file at this path with the `CA certificate file` of an organization that already exists on the chain. The path itself may also be changed, but note that if the service is started with Docker, the container volume mapping must be updated in deploy.sh:

   ```shell
   -v $path/crypto-config:/crypto-config \
   ```

   replacing the `$path/crypto-config` directory.

2. private_key_path: replace the key file at this path with the `CA key file` of an organization that already exists on the chain. The path itself may also be changed, but note that if the service is started with Docker, the container volume mapping must be updated in deploy.sh:

   ```shell
   -v $path/crypto-config:/crypto-config \
   ```

   replacing the `$path/crypto-config` directory.

3. csr: comment it out; it is no longer configured (the root CA is loaded from configuration, so this information is not needed for generation).
4. intermediate_config: comment it out; it is no longer configured.

+ A running CA service. For the startup procedure see [Installation and Deployment](#deploy) above.

#### Generate certificates

Call the [Apply for a certificate](#apply_cert) endpoint described above.

**Parameters (as JSON body)**

Consensus node Sign certificate

**Note: when generating consensus node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Consensus node Tls certificate

**Note: when generating consensus node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Sync node (common node) Sign certificate

**Note: when generating sync node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Sync node (common node) Tls certificate

**Note: when generating sync node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Administrator (admin) Sign certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "admin1",
  "userType": "admin",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Administrator (admin) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "admin1",
  "userType": "admin",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Client user (client) Sign certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "client1",
  "userType": "client",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Client user (client) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "client1",
  "userType": "client",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

**Note: when using node and user certificates issued by the CA, `tls_host_name` in the SDK configuration file must be changed to the userId of the node's tls certificate.**

Taking the consensus node of org1 as an example:

```yaml
nodes:
  - # node address, in the form IP:port
    node_addr: "127.0.0.1:12301"
    # number of connections to the node
    conn_cnt: 10
    # whether mutual TLS is enabled on the RPC connection
    enable_tls: true
    # trusted certificate pool paths
    trust_root_paths:
      - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
    # TLS hostname
    # tls_host_name: "chainmaker.org"
    #########################################
    tls_host_name: "org1.consensus1.com"
    #########################################
```

#### Get the NodeId of the node TLS certificate

Call the [Get the NodeID of a node TLS certificate](#get_nodeId) endpoint described above.

**Parameters (as JSON body)**

NodeId of the consensus node Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "tls"
}
```

NodeId of the sync node (common node) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "tls"
}
```

Replace the nodeId values in `bc1.yml` and `chainmaker.yml`; the relevant locations are:

- bc1.yml

```yaml
# consensus config
consensus:
  # consensus type (0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # consensus node list; each org must appear among the org_id values in trust_roots, each org may configure several consensus nodes, node addresses use the libp2p format
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
```

- chainmaker.yml

```yaml
# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format: "/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
```

### Case 2: Generate a full set of ChainMaker certificates with the CA

#### Prerequisites

+ A running ChainMaker chain. For the startup procedure see [Quick Start](../recovery/通过命令行工具启动链).
+ The CA service configuration file (example):

```yaml
# log config
log_config:
  level: info                  # The log level
  filename: ../log/ca.log      # The path to the log file
  max_size: 1                  # The maximum size of the log file before cutting (MB)
  max_age: 30                  # The maximum number of days to retain old log files
  max_backups: 5               # Maximum number of old log files to keep

# db config
db_config:
  user: root
  password: 123456
  ip: 127.0.0.1
  port: 13306
  dbname: chainmaker_ca

# Base config
base_config:
  server_port: 8090            # Server port configuration
  ca_type: single_root         # Ca server type : double_root/single_root/tls/sign
  # expire_year: 2             # The expiration time of the certificate (year)
  expire_month: 6              # The expiration time of the certificate (month)(high level)
  # cert_valid_time : 2m       # cert valid time (for testing use only)
  hash_type: SHA256            # SHA256/SHA3_256/SM3
  key_type: ECC_NISTP256       # ECC_NISTP256/SM2
  can_issue_ca: false          # Whether can continue to issue CA cert
  # provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org] # A list of organizations that provide services
  key_encrypt: false           # Whether the key is stored in encryption
  access_control: false        # Whether to enable permission control
  # default_domain: chainmaker.org # the default value for sans in the certificate

pkcs11_config:
  enabled: false
  library: /usr/local/lib64/pkcs11/libupkcs11.so
  label: HSM
  password: 11111111
  session_cache_size: 10
  hash: "SHA256"

# Root CA config
root_config:
  cert:
    - cert_type: sign          # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
      cert_path: ../crypto-config/rootCA/root.crt          # Certificate file path
      private_key_path: ../crypto-config/rootCA/root.key   # private key file path
      key_id: SM2SignKey261    # pkcs11 key id
  csr:
    CN: root
    O: org-root
    OU: root
    country: CN
    locality: Beijing
    province: Beijing

# intermediate config
intermediate_config:
  - csr:
      CN: ca-wx-org1.chainmaker.org
      O: wx-org1.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey6
  - csr:
      CN: ca-wx-org2.chainmaker.org
      O: wx-org2.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey249
  - csr:
      CN: ca-wx-org3.chainmaker.org
      O: wx-org3.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey257
  - csr:
      CN: ca-wx-org4.chainmaker.org
      O: wx-org4.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey260

# access control config
access_control_config:
  - app_role: admin
    app_id: admin1
    app_key: passw0rd
  - app_role: user
    app_id: user1
    app_key: passw0rd
```

- A running CA service. For the startup procedure see [Installation and Deployment](#deploy) above.

#### Obtain the CA certificates

Because of the following configuration section, the CA service generates the corresponding organization CA certificates when it starts:

```yaml
intermediate_config:
  - csr:
      CN: ca-wx-org1.chainmaker.org
      O: wx-org1.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey6
  - csr:
      CN: ca-wx-org2.chainmaker.org
      O: wx-org2.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey249
  - csr:
      CN: ca-wx-org3.chainmaker.org
      O: wx-org3.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey257
  - csr:
      CN: ca-wx-org4.chainmaker.org
      O: wx-org4.chainmaker.org
      OU: ca
      country: CN
      locality: Beijing
      province: Beijing
    key_id: SM2SignKey260
```

After the CA service has started, call [Query certificates by criteria](#query_cert) directly to fetch the CA certificates.

**Parameters (as JSON body)**

Fetch the CA certificate of org1:

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userType": "ca",
  "certUsage": "sign"
}
```

Fetch the CA certificate of org2:

```json
{
  "orgId": "wx-org2.chainmaker.org",
  "userType": "ca",
  "certUsage": "sign"
}
```

Fetch the CA certificate of org3:

```json
{
  "orgId": "wx-org3.chainmaker.org",
  "userType": "ca",
  "certUsage": "sign"
}
```

Fetch the CA certificate of org4:

```json
{
  "orgId": "wx-org4.chainmaker.org",
  "userType": "ca",
  "certUsage": "sign"
}
```

**Note: the fetched CA certificates must be placed in `trust_roots` of the chain configuration file `bc1.yml` when the chain is started.**

#### Generate certificates

Call the [Apply for a certificate](#apply_cert) endpoint described above.

**Parameters (org1 as example)**

Consensus node Sign certificate

**Note: when generating consensus node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Consensus node Tls certificate

**Note: when generating consensus node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Sync node (common node) Sign certificate

**Note: when generating sync node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Sync node (common node) Tls certificate

**Note: when generating sync node certificates, userId must be unique on the chain; the Sign and Tls certificates of the same node must use the same userId.**

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Administrator (admin) Sign certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "admin1",
  "userType": "admin",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Administrator (admin) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "admin1",
  "userType": "admin",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Client user (client) Sign certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "client1",
  "userType": "client",
  "certUsage": "sign",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

Client user (client) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "client1",
  "userType": "client",
  "certUsage": "tls",
  "country": "CN",
  "locality": "BeiJing",
  "province": "BeiJing"
}
```

**Note: when using node and user certificates issued by the CA, `tls_host_name` in the SDK configuration file must be changed to the userId of the node's tls certificate.**

Taking the consensus node of org1 as an example:

```yaml
nodes:
  - # node address, in the form IP:port
    node_addr: "127.0.0.1:12301"
    # number of connections to the node
    conn_cnt: 10
    # whether mutual TLS is enabled on the RPC connection
    enable_tls: true
    # trusted certificate pool paths
    trust_root_paths:
      - "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
    # TLS hostname
    # tls_host_name: "chainmaker.org"
    #########################################
    tls_host_name: "org1.consensus1.com"
    #########################################
```

#### Get the NodeId of the node TLS certificate

Call the [Get the NodeID of a node TLS certificate](#get_nodeId) endpoint described above.

**Parameters (as JSON body)**

NodeId of the consensus node Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.consensus1.com",
  "userType": "consensus",
  "certUsage": "tls"
}
```

NodeId of the sync node (common node) Tls certificate

```json
{
  "orgId": "wx-org1.chainmaker.org",
  "userId": "org1.common1.com",
  "userType": "common",
  "certUsage": "tls"
}
```

Replace the nodeId values in `bc1.yml` and `chainmaker.yml`; the relevant locations are:

- bc1.yml

```yaml
# consensus config
consensus:
  # consensus type (0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
  type: 1
  # consensus node list; each org must appear among the org_id values in trust_roots, each org may configure several consensus nodes, node addresses use the libp2p format
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
```

- chainmaker.yml

```yaml
# Network Settings
net:
  # Network provider, can be libp2p or liquid.
  # libp2p: using libp2p components to build the p2p module.
  # liquid: a new p2p module we build from 0 to 1.
  # This item must be consistent across the blockchain network.
  provider: LibP2P

  # The address and port the node listens on.
  # By default, it uses 0.0.0.0 to listen on all network interfaces.
  listen_addr: /ip4/0.0.0.0/tcp/11301

  # Max stream of a connection.
  # peer_stream_pool_size: 100

  # Max number of peers the node can connect.
  # max_peer_count_allow: 20

  # The strategy for eliminating node when the count of connecting peers reach the max value.
  # It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
  # peer_elimination_strategy: 3

  # The seeds peer list used to join in the network when starting.
  # The connection supervisor will try to dial seed peer whenever the connection is broken.
  # Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
  # Example dns format: "/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
```

**Repeat the steps above to generate all certificates for org2, org3 and org4; they can then be used on the chain.**

<span id="兼容外部证书"></span>

## External Certificate Compatibility Guide

### Certificate preparation

* **External certificates.** To use third-party certificates, that is, standard X.509 certificates not generated by the ChainMaker CA (chainmaker-ca) or the ChainMaker certificate generator (chainmaker-cryptogen), for example certificates issued by BJCA, the third-party certificates must be prepared in advance.
* **Internal certificates.** Node TLS communication certificates generated by the ChainMaker CA or the ChainMaker certificate generator must be prepared.

  For the ChainMaker CA see: [CA Certificate Service Usage Guide](../tech/CA证书服务.md)

  For the ChainMaker certificate generator see: [Certificate Generator](../instructions/证书生成工具.md)

### Configuration methods

Two configuration methods are supported:

1. Written into the genesis block through the chain configuration file.
2.
2. Send a configuration update transaction that updates the configuration on the chain.

* Chain configuration file method

This method takes two steps: first modify the chain configuration file, then update the certificate configuration of the node or user.

- Add the following configuration to the bc.yml chain configuration file:

```yaml
trust_members:
  - member_info: "../BJCA/consensus.sign.crt"
    org_id: "wx-org1.chainmaker.org"
    role: "consensus"
    node_id: "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
  - member_info: "../BJCA/admin.sign.crt"
    org_id: "wx-org1.chainmaker.org"
    role: "admin"
    node_id: ""
```

1. **member_info** Path of the external certificate file.
2. **org_id** Organization ID of the external certificate on the chain.
3. **role** Role of the external certificate on the chain; allowed values: admin/client/consensus.
4. **node_id** When the external certificate is the signing certificate of a consensus role, fill in the node_id from the consensus configuration (that is, the node_id of that node's TLS certificate) here. (In all other cases this item can be ignored.)

The consensus configuration is as follows:

```yaml
# Consensus configuration
consensus:
  # Consensus type (0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,10-POW)
  type: 1
  # Consensus node list; every organization must appear in the org_id list of trust_roots, each organization may configure several consensus nodes, and node addresses use the libp2p format
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
```

- How to replace a node certificate with an external certificate

Open the node section of the node configuration file chainmaker.yml:

```yaml
node:
  # Node type: full
  type: full
  org_id: {org_id}
  priv_key_file: ../config/{org_path}/certs/{node_cert_path}.key
  cert_file: ../config/{org_path}/certs/{node_cert_path}.crt
  signer_cache_size: 1000
  cert_cache_size: 1000
  pkcs11:
    enabled: false
    library: # path to the so file of pkcs11 interface
    label: # label for the slot to be used
    password: # password to logon the HSM
    session_cache_size: 10 # size of HSM session cache, default to 10
    hash: "SHA256" # hash algorithm used to compute SKI
```

1. priv_key_file: replace with the path of the external certificate's private key file.
2. cert_file: replace with the path of the external certificate's certificate file.

* Configuration update transaction method

For example, using the cmc command-line tool:

- Add external trust member information

```sh
./cmc client chainconfig trustmember add \
  --sdk-conf-path=./testdata/sdk_config.yml \
  --org-id=wx-org1.chainmaker.org \
  --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \
  --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \
  --trust-member-org-id=wx-org2.chainmaker.org \
  --trust-member-path=./testdata/trust-member-demo/node1-sign.pem \
  --trust-member-role=consensus \
  --trust-member-node-id=QmYcfSHGiXjHKkHo65YfxWLT6G7B81Zct7F7ep8GWFtuUK
```

**Parameter description**

1. trust-member-org-id: organization ID of the external certificate on the chain.
2. trust-member-path: path of the external certificate file.
3. trust-member-role: role of the external certificate on the chain.
4. trust-member-node-id: when the external certificate is the signing certificate of a consensus role, set this to the node_id from the consensus configuration.

- Remove external trust member information

```sh
./cmc client chainconfig trustmember remove \
  --sdk-conf-path=./testdata/sdk_config.yml \
  --org-id=wx-org1.chainmaker.org \
  --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \
  --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \
  --trust-member-path=./testdata/trust-member-demo/node1-sign.pem
```

**Parameter description**
1. trust-member-path: path of the external certificate file.

### Example

This example builds on the [Start the chain with the command-line tool](../recovery/通过命令行工具启动链.md) part of the chain environment setup and configures node1's signing certificate to be a third-party external certificate.

* Configuration preparation

First enter the chainmaker-go directory and put the external certificate directory trust-member into the certificate directory of node1:

```sh
$ cd build/config/node1/certs
$ tree
```

```sh
├── ca
│   ├── wx-org1.chainmaker.org
│   │   └── ca.crt
│   ├── wx-org2.chainmaker.org
│   │   └── ca.crt
│   ├── wx-org3.chainmaker.org
│   │   └── ca.crt
│   └── wx-org4.chainmaker.org
│       └── ca.crt
├── node
│   ├── common1
│   │   ├── common1.nodeid
│   │   ├── common1.sign.crt
│   │   ├── common1.sign.key
│   │   ├── common1.tls.crt
│   │   └── common1.tls.key
│   └── consensus1
│       ├── consensus1.nodeid
│       ├── consensus1.sign.crt
│       ├── consensus1.sign.key
│       ├── consensus1.tls.crt
│       └── consensus1.tls.key
├── trust-member
│   ├── trust-member.node1-sign.key
│   └── trust-member.node1-sign.pem
└── user
    ├── admin1
    │   ├── admin1.sign.crt
    │   ├── admin1.sign.key
    │   ├── admin1.tls.crt
    │   └── admin1.tls.key
    └── client1
        ├── client1.addr
        ├── client1.sign.crt
        ├── client1.sign.key
        ├── client1.tls.crt
        └── client1.tls.key
```

Then the other nodes must put the third-party certificate into their certificate directories as well:

```sh
$ cd build/config
$ tree
```

```sh
├── node1
│   ├── certs
│   │   ├── ca
│   │   │   ├── wx-org1.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org2.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org3.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   └── wx-org4.chainmaker.org
│   │   │       └── ca.crt
│   │   ├── node
│   │   │   ├── common1
│   │   │   │   ├── common1.nodeid
│   │   │   │   ├── common1.sign.crt
│   │   │   │   ├── common1.sign.key
│   │   │   │   ├── common1.tls.crt
│   │   │   │   └── common1.tls.key
│   │   │   └── consensus1
│   │   │       ├── consensus1.nodeid
│   │   │       ├── consensus1.sign.crt
│   │   │       ├── consensus1.sign.key
│   │   │       ├── consensus1.tls.crt
│   │   │       └── consensus1.tls.key
│   │   ├── trust-member
│   │   │   ├── trust-member.node1-sign.key
│   │   │   └── trust-member.node1-sign.pem
│   │   └── user
│   │       ├── admin1
│   │       │   ├── admin1.sign.crt
│   │       │   ├── admin1.sign.key
│   │       │   ├── admin1.tls.crt
│   │       │   └── admin1.tls.key
│   │       └── client1
│   │           ├── client1.addr
│   │           ├── client1.sign.crt
│   │           ├── client1.sign.key
│   │           ├── client1.tls.crt
│   │           └── client1.tls.key
│   ├── chainconfig
│   │   └── bc1.yml
│   ├── chainmaker.yml
│   └── log.yml
├── node2
│   ├── certs
│   │   ├── ca
│   │   │   ├── wx-org1.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org2.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org3.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   └── wx-org4.chainmaker.org
│   │   │       └── ca.crt
│   │   ├── node
│   │   │   ├── common1
│   │   │   │   ├── common1.nodeid
│   │   │   │   ├── common1.sign.crt
│   │   │   │   ├── common1.sign.key
│   │   │   │   ├── common1.tls.crt
│   │   │   │   └── common1.tls.key
│   │   │   └── consensus1
│   │   │       ├── consensus1.nodeid
│   │   │       ├── consensus1.sign.crt
│   │   │       ├── consensus1.sign.key
│   │   │       ├── consensus1.tls.crt
│   │   │       └── consensus1.tls.key
│   │   ├── trust-member
│   │   │   └── trust-member.node1-sign.pem
│   │   └── user
│   │       ├── admin1
│   │       │   ├── admin1.sign.crt
│   │       │   ├── admin1.sign.key
│   │       │   ├── admin1.tls.crt
│   │       │   └── admin1.tls.key
│   │       └── client1
│   │           ├── client1.addr
│   │           ├── client1.sign.crt
│   │           ├── client1.sign.key
│   │           ├── client1.tls.crt
│   │           └── client1.tls.key
│   ├── chainconfig
│   │   └── bc1.yml
│   ├── chainmaker.yml
│   └── log.yml
├── node3
│   ├── certs
│   │   ├── ca
│   │   │   ├── wx-org1.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org2.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   ├── wx-org3.chainmaker.org
│   │   │   │   └── ca.crt
│   │   │   └── wx-org4.chainmaker.org
│   │   │       └── ca.crt
│   │   ├── node
│   │   │   ├── common1
│   │   │   │   ├── common1.nodeid
│   │   │   │   ├── common1.sign.crt
│   │   │   │   ├── common1.sign.key
│   │   │   │   ├── common1.tls.crt
│   │   │   │   └── common1.tls.key
│   │   │   └── consensus1
│   │   │       ├── consensus1.nodeid
│   │   │       ├── consensus1.sign.crt
│   │   │       ├── consensus1.sign.key
│   │   │       ├── consensus1.tls.crt
│   │   │       └── consensus1.tls.key
│   │   ├── trust-member
│   │   │   └── trust-member.node1-sign.pem
│   │   └── user
│   │       ├── admin1
│   │       │   ├── admin1.sign.crt
│   │       │   ├── admin1.sign.key
│   │       │   ├── admin1.tls.crt
│   │       │   └── admin1.tls.key
│   │       └── client1
│   │           ├── client1.addr
│   │           ├── client1.sign.crt
│   │           ├── client1.sign.key
│   │           ├── client1.tls.crt
│   │           └── client1.tls.key
│   ├── chainconfig
│   │   └── bc1.yml
│   ├── chainmaker.yml
│   └── log.yml
└── node4
    ├── certs
    │   ├── ca
    │   │   ├── wx-org1.chainmaker.org
    │   │   │   └── ca.crt
    │   │   ├── wx-org2.chainmaker.org
    │   │   │   └── ca.crt
    │   │   ├── wx-org3.chainmaker.org
    │   │   │   └── ca.crt
    │   │   └── wx-org4.chainmaker.org
    │   │       └── ca.crt
    │   ├── node
    │   │   ├── common1
    │   │   │   ├── common1.nodeid
    │   │   │   ├── common1.sign.crt
    │   │   │   ├── common1.sign.key
    │   │   │   ├── common1.tls.crt
    │   │   │   └── common1.tls.key
    │   │   └── consensus1
    │   │       ├── consensus1.nodeid
    │   │       ├── consensus1.sign.crt
    │   │       ├── consensus1.sign.key
    │   │       ├── consensus1.tls.crt
    │   │       └── consensus1.tls.key
    │   ├── trust-member
    │   │   └── trust-member.node1-sign.pem
    │   └── user
    │       ├── admin1
    │       │   ├── admin1.sign.crt
    │       │   ├── admin1.sign.key
    │       │   ├── admin1.tls.crt
    │       │   └── admin1.tls.key
    │       └── client1
    │           ├── client1.addr
    │           ├── client1.sign.crt
    │           ├── client1.sign.key
    │           ├── client1.tls.crt
    │           └── client1.tls.key
    ├── chainconfig
    │   └── bc1.yml
    ├── chainmaker.yml
    └── log.yml
```

node1 chain configuration bc1.yml:

```yaml
chain_id: chain1 # chain identifier
version: v2.0.0 # chain version
sequence: 1 # configuration version
auth_type: "identity" # authentication type

crypto:
  hash: SHA256

# Contract support configuration
contract:
  enable_sql_support: false # whether contracts support SQL; if true, storage.statedb_config.provider=sql must be configured in chainmaker.yml, otherwise the node cannot start

# Transaction and block configuration
block:
  tx_timestamp_verify: true # whether transaction timestamp verification is enabled
  tx_timeout: 600 # expiry time of the transaction timestamp (seconds)
  block_tx_capacity: 100 # maximum number of transactions per block
  block_size: 10 # maximum block size, in MB
  block_interval: 2000 # block interval, in ms

# core module
core:
  tx_scheduler_timeout: 10 # [0, 60] time the transaction scheduler has to schedule after taking transactions from the pool
  tx_scheduler_validate_timeout: 10 # [0, 60] validation timeout after the scheduler takes transactions from a block

# snapshot module
snapshot:
  enable_evidence: false # enable the evidence support

# scheduler module
scheduler:
  enable_evidence: false # enable the evidence support

# Consensus configuration
consensus:
  # Consensus type (0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,5-DPOS,10-POW)
  type: 1
  # Consensus node list; every organization must appear in the org_id list of trust_roots, each organization may configure several consensus nodes, and node addresses use the libp2p format
  # node_id is the nodeid that corresponds to the node.cert_file certificate in chainmaker.yml
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"
  ext_config: # extension fields: difficulty, reward and other settings of other consensus algorithms
    - key: aa
      value: chain01_ext11
  dpos_config: # DPoS
    # ERC20 contract configuration
    - key: erc20.total
      value: "{erc20_total}"
    - key: erc20.owner
      value: "{org1_peeraddr}"
    - key: erc20.decimals
      value: "18"
    - key: erc20.account:DPOS_STAKE
      value: "{erc20_total}"
    # Stake contract configuration
    - key: stake.minSelfDelegation
      value: "2500000"
    - key: stake.epochValidatorNum
      value: "{epochValidatorNum}"
    - key: stake.epochBlockNum
      value: "10"
    - key: stake.completionUnbondingEpochNum
      value: "1"
    - key: stake.candidate:{org1_peeraddr}
      value: "2500000"
    - key: stake.candidate:{org2_peeraddr}
      value: "2500000"
    - key: stake.candidate:{org3_peeraddr}
      value: "2500000"
    - key: stake.candidate:{org4_peeraddr}
      value: "2500000"
    - key: stake.nodeID:{org1_peeraddr}
      value: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    - key: stake.nodeID:{org2_peeraddr}
      value: "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
    - key: stake.nodeID:{org3_peeraddr}
      value: "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
    - key: stake.nodeID:{org4_peeraddr}
      value: "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"

# Trusted organizations and root certificates
trust_roots:
  - org_id: "wx-org1.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org1.chainmaker.org/ca.crt"
  - org_id: "wx-org2.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org2.chainmaker.org/ca.crt"
  - org_id: "wx-org3.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org3.chainmaker.org/ca.crt"
  - org_id: "wx-org4.chainmaker.org"
    root:
      - "../config/wx-org1.chainmaker.org/certs/ca/wx-org4.chainmaker.org/ca.crt"

# Certificate store
trust_members:
  - member_info: "../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
    org_id: "wx-org1.chainmaker.org"
    role: "consensus"
    node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
# Permission configuration (entries can only be added, modified or deleted as a whole)
resource_policies:
  - resource_name: CHAIN_CONFIG-NODE_ID_UPDATE
    policy:
      rule: SELF # rule (ANY, MAJORITY, ...; all upper case, converted to upper case automatically)
      org_list: # organization names (case-sensitive)
      role_list: # role names (role, converted to upper case automatically)
        - admin
  - resource_name: CHAIN_CONFIG-TRUST_ROOT_ADD
    policy:
      rule: MAJORITY
      org_list:
      role_list:
        - admin
  - resource_name: CHAIN_CONFIG-CERTS_FREEZE
    policy:
      rule: ANY
      org_list:
      role_list:
        - admin
```

node2 chain configuration bc1.yml (only the trust_members section is shown; the other sections are unchanged):

```yaml
trust_members:
  - member_info: "../config/wx-org2.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
    org_id: "wx-org1.chainmaker.org"
    role: "consensus"
    node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
```

node3 chain configuration bc1.yml (only the trust_members section is shown; the other sections are unchanged):

```yaml
trust_members:
  - member_info: "../config/wx-org3.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
    org_id: "wx-org1.chainmaker.org"
    role: "consensus"
    node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
```

node4 chain configuration bc1.yml (only the trust_members section is shown; the other sections are unchanged):

```yaml
trust_members:
  - member_info: "../config/wx-org4.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem"
    org_id: "wx-org1.chainmaker.org"
    role: "consensus"
    node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
```

node1 node configuration file chainmaker.yml:

```yaml
log:
  config_file: ../config/wx-org1.chainmaker.org/log.yml # config file of logger configuration.
blockchain:
  - chainId: chain1
    genesis: ../config/wx-org1.chainmaker.org/chainconfig/bc1.yml

node:
  # Node type: full
  type: full
  org_id: wx-org1.chainmaker.org
  # priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.key
  # cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.crt
  priv_key_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.key
  cert_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem
  signer_cache_size: 1000
  cert_cache_size: 1000
  pkcs11:
    enabled: false
    library: # path to the so file of pkcs11 interface
    label: # label for the slot to be used
    password: # password to logon the HSM
    session_cache_size: 10 # size of HSM session cache, default to 10
    hash: "SHA256" # hash algorithm used to compute SKI

net:
  provider: LibP2P
  listen_addr: /ip4/0.0.0.0/tcp/11301
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ"
  tls:
    enabled: true
    priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key
    cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt

txpool:
  max_txpool_size: 50000 # upper limit of the normal transaction pool
  max_config_txpool_size: 10 # upper limit of the config transaction pool
  full_notify_again_time: 30 # interval (seconds) before notifying again after the transaction pool overflows
  # pool_type: "batch" # single/batch: single puts transactions into the pool in real time, batch puts them in batches
  # batch_max_size: 30000 # maximum batch size
  # batch_create_timeout: 200 # batch creation timeout, in ms

rpc:
  provider: grpc
  port: 12301
  # Interval for checking TrustRoots certificate changes in the chain configuration, in seconds; the minimum is 10s
  check_chain_conf_trust_roots_change_interval: 60
  ratelimit:
    # Tokens refilled per second: -1 = unlimited; 0 = default (10000)
    token_per_second: -1
    # Token bucket size: -1 = unlimited; 0 = default (10000)
    token_bucket_size: -1
  subscriber:
    # Rate limiting of historical message subscriptions; real-time message subscriptions are not rate limited
    ratelimit:
      # Tokens refilled per second: -1 = unlimited; 0 = default (1000)
      token_per_second: 100
      # Token bucket size: -1 = unlimited; 0 = default (1000)
      token_bucket_size: 100
  tls:
    # TLS mode:
    # disable - TLS disabled
    # oneway - one-way authentication
    # twoway - mutual authentication
    #mode: disable
    #mode: oneway
    mode: twoway
    priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key
    cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt

monitor:
  enabled: true
  port: 14321

pprof:
  enabled: false
  port: 24321

storage:
  store_path: ../data/wx-org1.chainmaker.org/ledgerData1
  # Minimum block height that may not be archived
  unarchive_block_height: 300000
  blockdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/wx-org1.chainmaker.org/blocks
  statedb_config:
    provider: leveldb # leveldb or sql, choose one
    leveldb_config: # leveldb config
      store_path: ../data/wx-org1.chainmaker.org/state
    # sqldb_config: # sql config; only needs to be configured and enabled when provider is sql
    #   sqldb_type: mysql # concrete SQL database type; mysql and sqlite are currently supported
    #   dsn: root:password@tcp(127.0.0.1:3306)/ # mysql connection info (user name, password, ip, port, ...), e.g. root:admin@tcp(127.0.0.1:3306)/
  historydb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/wx-org1.chainmaker.org/history
  resultdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/wx-org1.chainmaker.org/result
  disable_contract_eventdb: true # whether contract event storage is disabled; default true; if set to false, mysql must be configured
  contract_eventdb_config:
    provider: sql # if the contract event db is enabled, provider must be sql
    sqldb_config:
      sqldb_type: mysql # the contract event db only supports mysql
      dsn: root:password@tcp(127.0.0.1:3306)/ # mysql connection info (user name, password, ip, port, ...), e.g. root:admin@tcp(127.0.0.1:3306)/

core:
  evidence: false

scheduler:
  rwset_log: false # whether to log the txRWSet map in debug mode
```

* Starting the chain

```sh
$ cd scripts
$ ./build_release.sh
$ ./cluster_quick_start.sh normal
```

Check that the processes exist:

```sh
$ ps -ef|grep chainmaker | grep -v grep
lxf 20816 1 8 15:34 pts/0 00:00:01 ./chainmaker start -c
../config/wx-org1.chainmaker.org/chainmaker.yml
lxf 20835 1 8 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org2.chainmaker.org/chainmaker.yml
lxf 20855 1 9 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org3.chainmaker.org/chainmaker.yml
lxf 20874 1 10 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org4.chainmaker.org/chainmaker.yml
```

Check that the ports are listening:

```sh
$ netstat -lptn | grep 1230
tcp6 0 0 :::12301 :::* LISTEN 20816/./chainmaker
tcp6 0 0 :::12302 :::* LISTEN 20835/./chainmaker
tcp6 0 0 :::12303 :::* LISTEN 20855/./chainmaker
tcp6 0 0 :::12304 :::* LISTEN 20874/./chainmaker
```
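The `tls_host_name` note and the `trust_roots` / `trust_root_paths` settings earlier in this manual come down to one check on the SDK side: the node TLS certificate presented over mutual TLS must chain to the organization CA certificate the client trusts, and it must carry the name configured as `tls_host_name`. The Go program below is an added example, not code from this manual, chainmaker-ca or the ChainMaker SDK. It builds a constructed in-memory organization CA and a node TLS certificate (an assumption stands in for the CA's real output: the node's userId is placed in the subject CN and the DNS SAN), then verifies the node certificate with Go's `crypto/x509` the way a client would, so that the wrong `tls_host_name` or a certificate from another organization's CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyNodeTLSCert performs the two checks an SDK client relies on when it
// connects to a node over mutual TLS: the node certificate must chain to one
// of the organization CA certificates configured under trust_root_paths, and
// the name configured as tls_host_name must be present in the certificate.
// It returns nil when the certificate is acceptable.
func VerifyNodeTLSCert(nodeCertPEM, caCertPEM []byte, tlsHostName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caCertPEM) {
		return errors.New("trust root is not a PEM encoded certificate")
	}
	block, _ := pem.Decode(nodeCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("node certificate is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse node certificate: %w", err)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   tlsHostName, // hostname check against the certificate's SAN list
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ConstructedCerts creates an in-memory organization CA and a node TLS
// certificate signed by it, with the node's userId as subject CN and DNS SAN.
// This is constructed test material standing in for files issued by
// chainmaker-ca (assumption: the CA places the userId in the SAN); the keys
// are generated here and never written to disk.
func ConstructedCerts(orgID, userID string) (nodeCertPEM, caCertPEM []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca-" + orgID, Organization: []string{orgID}, OrganizationalUnit: []string{"ca"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	nodeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nodeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: userID, Organization: []string{orgID}, OrganizationalUnit: []string{"consensus"}},
		DNSNames:     []string{userID},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	nodeDER, err := x509.CreateCertificate(rand.Reader, nodeTmpl, caCert, &nodeKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	nodeCertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: nodeDER})
	caCertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return nodeCertPEM, caCertPEM, nil
}

func main() {
	node, ca, err := ConstructedCerts("wx-org1.chainmaker.org", "org1.consensus1.com")
	if err != nil {
		panic(err)
	}
	// The first name is the node's userId and verifies; the second is the SDK
	// default left in the sample config and fails hostname verification.
	for _, name := range []string{"org1.consensus1.com", "chainmaker.org"} {
		fmt.Printf("tls_host_name=%q: %v\n", name, VerifyNodeTLSCert(node, ca, name))
	}
}
```

Point `VerifyNodeTLSCert` at the real `ca.crt` from `trust_root_paths` and the node's `consensus1.tls.crt` to confirm that the `tls_host_name` you intend to configure actually matches what the CA issued, before the mismatch shows up as a failed handshake at runtime.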
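The `trust_members` fields described in the external certificate section and the `consensus` block of the bc1.yml files above have to agree with one another: a consensus entry's `node_id` must be the one listed under `consensus.nodes` for the same `org_id`, `role` must be one of admin/client/consensus, and every entry needs a `member_info` path. The Go check below is an added example, not code from this manual or from ChainMaker; the struct fields mirror the YAML keys and the sample data in `main` is constructed from the node1 bc1.yml shown above.

```go
package main

import "fmt"

// TrustMember mirrors one entry of the trust_members list in bc1.yml.
type TrustMember struct {
	MemberInfo string // member_info: path of the external certificate file
	OrgID      string // org_id: organization the certificate belongs to on the chain
	Role       string // role: admin, client or consensus
	NodeID     string // node_id: required only for the consensus role
}

// ConsensusNode mirrors one entry of consensus.nodes in bc1.yml.
type ConsensusNode struct {
	OrgID   string
	NodeIDs []string
}

var allowedRoles = map[string]bool{"admin": true, "client": true, "consensus": true}

// CheckTrustMembers applies the rules from the manual to a trust_members list:
// every entry names a certificate file and an organization, uses one of the
// three roles, and a consensus entry carries the node_id that consensus.nodes
// lists for its organization. It returns one message per violation; an empty
// result means the list is consistent with the consensus configuration.
func CheckTrustMembers(members []TrustMember, nodes []ConsensusNode) []string {
	known := map[string]map[string]bool{} // org_id -> set of configured node_ids
	for _, n := range nodes {
		if known[n.OrgID] == nil {
			known[n.OrgID] = map[string]bool{}
		}
		for _, id := range n.NodeIDs {
			known[n.OrgID][id] = true
		}
	}
	var problems []string
	for i, m := range members {
		where := fmt.Sprintf("trust_members[%d]", i)
		if m.MemberInfo == "" {
			problems = append(problems, where+": member_info is empty")
		}
		if m.OrgID == "" {
			problems = append(problems, where+": org_id is empty")
		}
		if !allowedRoles[m.Role] {
			problems = append(problems, fmt.Sprintf("%s: role %q is not admin/client/consensus", where, m.Role))
			continue
		}
		if m.Role != "consensus" {
			continue // node_id is ignored for admin and client entries
		}
		switch {
		case m.NodeID == "":
			problems = append(problems, where+": consensus entry has no node_id")
		case !known[m.OrgID][m.NodeID]:
			problems = append(problems, fmt.Sprintf("%s: node_id %q is not listed under consensus.nodes for %s", where, m.NodeID, m.OrgID))
		}
	}
	return problems
}

func main() {
	// Constructed from the node1 bc1.yml shown above.
	nodes := []ConsensusNode{
		{OrgID: "wx-org1.chainmaker.org", NodeIDs: []string{"QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"}},
		{OrgID: "wx-org2.chainmaker.org", NodeIDs: []string{"QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS"}},
	}
	members := []TrustMember{
		{MemberInfo: "../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem", OrgID: "wx-org1.chainmaker.org", Role: "consensus", NodeID: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"},
		{MemberInfo: "../BJCA/admin.sign.crt", OrgID: "wx-org1.chainmaker.org", Role: "admin"},
	}
	problems := CheckTrustMembers(members, nodes)
	if len(problems) == 0 {
		fmt.Println("trust_members is consistent with consensus.nodes")
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Running the same check over each node's bc1.yml catches the most common mistake when an external consensus certificate is added by hand: a `node_id` copied from the wrong node, which the chain would only report when consensus fails to form.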