fabric-ca服务搭建

文章目录

fabric-ca服务搭建一、Fabric CA概述二、基础环境搭建三、fabric-ca服务搭建1.ca_orderer2.ca_org13.ca_org2 四、证书生成

一、Fabric CA概述

Fabric Server端由一个服务器集群组成，以树形架构组织CA Server节点，包含一个Root 节点和多个中间节点。每个CA要么是根CA，要么是中间CA。每个中间CA都有一个父CA，它要么是根CA，要么是另一个中间CA。

可以通过Client或SDK与服务器集群中的CA服务器进行交互。客户端首先路由到HA代理，由代理进行负载均衡，将客户端连接至某一服务器的集群成员。

包括前端的一个高可用的代理服务器，连接着若干个CA Server集群，这些集群将数据共同存放在同一个数据服务器上。数据库可能是MySQL、LDAP、PostgresSQL或者SQLite（集群环境中不推荐使用SQLite）。

集群中的所有CA服务器都共享相同的数据库，以跟踪身份和证书。如果配置了LDAP，则将标识信息保存在LDAP中而不是数据库中。

Fabric CA再Fabric网络中主要起到提供安全证书以及通道加密的作用。

二、基础环境搭建

docker环境搭建

防火墙设置

firewall-cmd --zone=public --add-port=7054/tcp --permanent firewall-cmd --reload

三、fabric-ca服务搭建

1.ca_orderer

vim docker-ca-orderer.yaml # Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' networks: ca: services: ca_orderer: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-orderer - FABRIC_CA_SERVER_TLS_ENABLED=true - FABRIC_CA_SERVER_PORT=7054 - FABRIC_CA_SERVER_CSR_CN=ca-orderer - FABRIC_CA_SERVER_CSR_HOSTS=ca.orderer.example.com ports: - "7054:7054" command: sh -c 'fabric-ca-server start -b admin:adminpw -d' volumes: - ./fabric-ca/ordererOrg:/etc/hyperledger/fabric-ca-server container_name: ca_orderer networks: - ca

说明：FABRIC_CA_SERVER_CSR_HOSTS后的ca.orderer.example.com需要对应本机ip地址配置到DNS服务器

docker-compose -f docker-ca-orderer.yaml up

目录结构

[root@chain4 fabric-ca]# pwd /opt/gopath/src/github.com/hyperledger/fabric-ca [root@chain4 fabric-ca]# tree ordererOrg/ ordererOrg/ ├── ca-cert.pem ├── fabric-ca-server-config.yaml ├── fabric-ca-server.db ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── msp │ ├── cacerts │ ├── keystore │ │ ├── 2a908549620d44aee2d800e3b2ffa803cf2748b4825b1ff36f2e140f29c74d16_sk │ │ ├── 9ac46a1d71b16f2e646bd58d3d97cab3da3501af07668c2c44c3974efd355b33_sk │ │ ├── IssuerRevocationPrivateKey │ │ └── IssuerSecretKey │ ├── signcerts │ └── user └── tls-cert.pem 5 directories, 10 files

2.ca_org1

vim docker-ca-org1.yaml # Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' networks: ca: services: ca_org1: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-org1 - FABRIC_CA_SERVER_TLS_ENABLED=true - FABRIC_CA_SERVER_PORT=7054 - FABRIC_CA_SERVER_CSR_CN=ca-org1 - FABRIC_CA_SERVER_CSR_HOSTS=ca.org1.example.com ports: - "7054:7054" command: sh -c 'fabric-ca-server start -b admin:adminpw -d' volumes: - ./fabric-ca/org1:/etc/hyperledger/fabric-ca-server container_name: ca_org1 networks: - ca

说明：FABRIC_CA_SERVER_CSR_HOSTS后的ca.org1.example.com需要对应本机ip地址配置到DNS服务器

docker-compose -f docker-ca-org1.yaml up

3.ca_org2

vim docker-ca-org2.yaml # Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' networks: ca: services: ca_org2: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-org2 - FABRIC_CA_SERVER_TLS_ENABLED=true - FABRIC_CA_SERVER_PORT=7054 - FABRIC_CA_SERVER_CSR_CN=ca-org2 - FABRIC_CA_SERVER_CSR_HOSTS=ca.org2.example.com ports: - "7054:7054" command: sh -c 'fabric-ca-server start -b admin:adminpw -d' volumes: - ./fabric-ca/org2:/etc/hyperledger/fabric-ca-server container_name: ca_org2 networks: - ca

说明：FABRIC_CA_SERVER_CSR_HOSTS后的ca.org2.example.com需要对应本机ip地址配置到DNS服务器

docker-compose -f docker-ca-org2.yaml up

四、证书生成

首先需要将上面三个机器启动时生成的文件夹orderOrg、org1、org2放到同一台机器上，因为这些都是证书签发所需要的验证文件。

参照官方案例test-network,根据实际需求定制shell脚本

cd $FABRIC/scripts/fabric-samples/test-network/organizations/fabric-ca cat registerEnroll.sh cd $FABRIC/scripts/fabric-samples/test-network/addOrg3/fabric-ca cat registerEnroll.sh

TODO 参照addOrg3目录下的脚本，编写可动态传参的shell脚本。

cd /opt/gopath/src/github.com/hyperledger/fabric-ca vim register.sh function createOrg1 { echo echo "Enroll the CA admin" echo mkdir -p organizations/peerOrganizations/org1.example.com/ export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/ # rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml # rm -rf $FABRIC_CA_CLIENT_HOME/msp set -x fabric-ca-client enroll -u https://admin:adminpw@ca.org1.example.com:7054 --caname ca-org1 --tls.certfiles ${PWD}/org1/tls-cert.pem set +x echo 'NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca-org1-example-com-7054-ca-org1.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca-org1-example-com-7054-ca-org1.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca-org1-example-com-7054-ca-org1.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca-org1-example-com-7054-ca-org1.pem OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml echo echo "Register peer0" echo set -x fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles ${PWD}/org1/tls-cert.pem set +x echo echo "Register user" echo set -x fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles ${PWD}/org1/tls-cert.pem set +x echo echo "Register the org admin" echo set -x fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --tls.certfiles ${PWD}/org1/tls-cert.pem set +x mkdir -p organizations/peerOrganizations/org1.example.com/peers mkdir -p organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com echo echo "## Generate the peer0 msp" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@ca.org1.example.com:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/org1/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml echo echo "## Generate the peer0-tls certificates" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@ca.org1.example.com:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/org1/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/ca cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem mkdir -p organizations/peerOrganizations/org1.example.com/users mkdir -p organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com echo echo "## Generate the user msp" echo set -x fabric-ca-client enroll -u https://user1:user1pw@ca.org1.example.com:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles ${PWD}/org1/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/config.yaml mkdir -p organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com echo echo "## Generate the org admin msp" echo set -x fabric-ca-client enroll -u https://org1admin:org1adminpw@ca.org1.example.com:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/org1/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml } function createOrg2 { echo echo "Enroll the CA admin" echo mkdir -p organizations/peerOrganizations/org2.example.com/ export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/ # rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml # rm -rf $FABRIC_CA_CLIENT_HOME/msp set -x fabric-ca-client enroll -u https://admin:adminpw@ca.org2.example.com:7054 --caname ca-org2 --tls.certfiles ${PWD}/org2/tls-cert.pem set +x echo 'NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca-org2-example-com-7054-ca-org2.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca-org2-example-com-7054-ca-org2.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca-org2-example-com-7054-ca-org2.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca-org2-example-com-7054-ca-org2.pem OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml echo echo "Register peer0" echo set -x fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles ${PWD}/org2/tls-cert.pem set +x echo echo "Register user" echo set -x fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles ${PWD}/org2/tls-cert.pem set +x echo echo "Register the org admin" echo set -x fabric-ca-client register --caname ca-org2 --id.name org2admin --id.secret org2adminpw --id.type admin --tls.certfiles ${PWD}/org2/tls-cert.pem set +x mkdir -p organizations/peerOrganizations/org2.example.com/peers mkdir -p organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com echo echo "## Generate the peer0 msp" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@ca.org2.example.com:7054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts peer0.org2.example.com --tls.certfiles ${PWD}/org2/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/config.yaml echo echo "## Generate the peer0-tls certificates" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@ca.org2.example.com:7054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts peer0.org2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/org2/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key mkdir -p ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt mkdir -p ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem mkdir -p ${PWD}/organizations/peerOrganizations/org2.example.com/ca cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem mkdir -p organizations/peerOrganizations/org2.example.com/users mkdir -p organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com echo echo "## Generate the user msp" echo set -x fabric-ca-client enroll -u https://user1:user1pw@ca.org2.example.com:7054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp --tls.certfiles ${PWD}/org2/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp/config.yaml mkdir -p organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com echo echo "## Generate the org admin msp" echo set -x fabric-ca-client enroll -u https://org2admin:org2adminpw@ca.org2.example.com:7054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp --tls.certfiles ${PWD}/org2/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml } function createOrderer { echo echo "Enroll the CA admin" echo mkdir -p organizations/ordererOrganizations/example.com export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com # rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml # rm -rf $FABRIC_CA_CLIENT_HOME/msp set -x fabric-ca-client enroll -u https://admin:adminpw@ca.orderer.example.com:7054 --caname ca-orderer --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x echo 'NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca-orderer-example-com-7054-ca-orderer.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca-orderer-example-com-7054-ca-orderer.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca-orderer-example-com-7054-ca-orderer.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca-orderer-example-com-7054-ca-orderer.pem OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml echo echo "Register orderer" echo set -x fabric-ca-client register --caname ca-orderer --id.name orderer0 --id.secret orderer0pw --id.type orderer --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client register --caname ca-orderer --id.name orderer1 --id.secret orderer1pw --id.type orderer --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client register --caname ca-orderer --id.name orderer2 --id.secret orderer2pw --id.type orderer --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x echo echo "Register the orderer admin" echo set -x fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x mkdir -p organizations/ordererOrganizations/example.com/orderers mkdir -p organizations/ordererOrganizations/example.com/orderers/example.com mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer0.example.com mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer1.example.com mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer2.example.com echo echo "## Generate the orderer msp" echo set -x fabric-ca-client enroll -u https://orderer0:orderer0pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp --csr.hosts orderer0.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client enroll -u https://orderer1:orderer1pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/msp --csr.hosts orderer1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client enroll -u https://orderer2:orderer2pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --csr.hosts orderer2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/config.yaml cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/config.yaml cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/config.yaml echo echo "## Generate the orderer-tls certificates" echo set -x fabric-ca-client enroll -u https://orderer0:orderer0pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls --enrollment.profile tls --csr.hosts orderer0.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client enroll -u https://orderer1:orderer1pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls --enrollment.profile tls --csr.hosts orderer1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem fabric-ca-client enroll -u https://orderer2:orderer2pw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts orderer2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/ca.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.key cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/ca.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.key cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key mkdir -p ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem mkdir -p ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem mkdir -p ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem mkdir -p ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem mkdir -p organizations/ordererOrganizations/example.com/users mkdir -p organizations/ordererOrganizations/example.com/users/Admin@example.com echo echo "## Generate the admin msp" echo set -x fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@ca.orderer.example.com:7054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp --tls.certfiles ${PWD}/ordererOrg/tls-cert.pem set +x cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/config.yaml } createOrg1 createOrg2 createOrderer

注意:上面脚本中的文件都指定为相对路径，需要根据实际情况调整为自己需要的路径；生成的organizations文件夹需要分发到每个orderer节点和peer节点的工作目录下。