Seafoodair / neublockchain

Apache License 2.0

Generating the same crypto material with Fabric CA as cryptogen does #4

Open Seafoodair opened 1 year ago

Seafoodair commented 1 year ago

First, understand how cryptogen works. Main reference: https://blog.csdn.net/boss2967/article/details/84203675

Seafoodair commented 1 year ago

A few concepts to get straight.

Signature: a signature is produced by computing a digest with some algorithm and encrypting that digest with the private key, which yields a digital signature. A digital signature can be used to verify the integrity, authenticity and non-repudiation of information. (The private key signs, the public key encrypts.)

Certificate: a certificate is a digital security mechanism that contains an entity's public key and related information, digitally signed by a trusted authority to guarantee the certificate's authenticity and trustworthiness. When a secure connection is established, the certificate is used to verify that the other party's identity is legitimate.

When a digital certificate is used to establish a secure connection, the client uses the public key in the certificate to verify the digital signature sent by the server, confirming that the received certificate was issued by a trusted authority and that the server's identity is trustworthy. This ensures security and confidentiality during transmission. (The certificate is the sender's public key + identity, verified and signed with the CA's private key. How does the receiver verify that signature? With the CA's public key. Once the signature is verified, the receiver has the sender's public key.)

Seafoodair commented 1 year ago

(image) The number of nodes in the organization is 2: one is admin, the other is user.

Seafoodair commented 1 year ago

Some notes: (image)

Seafoodair commented 1 year ago

(image) Output of tree. This is what I need to replace.

Seafoodair commented 1 year ago

This link is the part where fabric-ca generates the equivalent keys: https://github.com/rupeshtr78/fabric

- admincerts: PEM files, one per administrator certificate (the admin user's signing certificate)
- cacerts: PEM files, one per root CA certificate (ca-cert.pem)
- keystore: one PEM file with the node's signing key, i.e. the private key. RSA keys are currently not supported
- signcerts: a PEM file with the node's X.509 certificate (public key)
- tlscacerts (optional): a folder of PEM files, one per TLS root CA certificate

Seafoodair commented 1 year ago

First, set up the tls-ca and ca servers. In this configuration there are three TLS server certificates: tlsca.example.com-cert.pem, tlsca.org1.example.com-cert.pem and tlsca.org2.example.com-cert.pem.

There are also three CA servers: ca.example.com-cert.pem, ca.org1.example.com-cert.pem and ca.org2.example.com-cert.pem.

rca is the root CA.

The docker-compose xxx file should define 6 servers, then generate what is needed (the start part). There are two main parts:

(1) Register identities (orderer, peer, admin, user) with the TLS and CA servers. In plain words: hand your identity material to the CA.

(2) Enroll those identities by pointing at the msp directory used to generate the CA certificates and the tls directory used to generate the TLS certificates according to your model. These two steps create all crypto material for every identity in the network. (The CA issues the certificates.)

Seafoodair commented 1 year ago

1. Started the 6 servers. After startup, the crypto material is generated. (I started them several times in between, so there may be extra keys, or one is the CA key and the other the TLS key. This needs sorting out!!!) Certificates and private keys were all generated, but the private key has to be copied to the corresponding location and renamed to priv_sk.
2.
```
fabric-ca-client enroll -d -u https://tls-ord-admin:tls-ord-adminpw@0.0.0.0:7150
fabric-ca-client register -d --id.name orderer1.fabric.com --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7150
fabric-ca-client register -d --id.name Admin@fabric.com --id.secret ordereradminpw --id.type admin -u https://0.0.0.0:7150
```

Seafoodair commented 1 year ago

Copy the private key under crypto-config.

Seafoodair commented 1 year ago

3. Issue the certificates.

Seafoodair commented 1 year ago

Certificate check command:
```
openssl x509 -in crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/Admin@org2.example.com-cert.pem -text -noout
```

Seafoodair commented 1 year ago

Matching a public key to a private key compares the key type first; for the RSA algorithm it then compares whether the big number N is the same.

Seafoodair commented 1 year ago

Verifying that a public key and private key match: see this answer https://stackoverflow.com/questions/47262671/any-openssl-command-line-to-verify-ecdsa-prime256v1-certificate-and-private-key

Seafoodair commented 1 year ago

Example:
```
$ openssl x509 -in crypto-config/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:57:c2:55:3c:e8:ee:33:e1:49:ad:72:32:b0:ed:ef:1f:cc:a5:f2
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4c:01:94:6d:71:70:5e:f6:ae:da:77:67:f1:74:
                    23:91:d9:79:4b:4a:1e:8f:89:f2:e2:65:8d:68:da:
                    85:48:82:95:ae:6a:9c:d3:9f:4a:b3:84:7e:9a:d5:
                    80:6b:37:e5:7f:f5:96:34:1d:98:45:0d:8e:98:dc:
                    71:79:c1:71:2f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                38:DB:15:6E:65:6D:24:FF:BD:B5:8D:3C:6D:AA:76:82:CF:62:0D:52
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:d9:78:ca:52:a1:66:b0:54:5d:f1:4e:82:24:
        ea:aa:a7:c2:a7:14:d5:d6:6a:80:4e:65:de:13:35:d7:d4:85:
        a0:02:20:27:27:b8:c3:18:fe:0e:88:86:d3:48:d8:04:e0:6c:
        2b:89:4f:47:3d:2e:9f:15:2c:2b:e5:ae:3c:6b:02:24:df
```

Seafoodair commented 1 year ago

```
sudo openssl ec -in ./fabca/fabric.com/tlsca-server/msp/keystore/10c7e2b96f20addc0eb93d58a345a53b3f9c82f539505d494c24f066847e85de_sk -text -noout
```
With sudo it has permission.

Seafoodair commented 1 year ago

This comes out:
```
read EC key
Private-Key: (256 bit)
priv:
    fc:1f:3b:1c:b9:8f:57:4f:2d:0b:66:ef:3e:2f:f5:
    f0:c4:99:bc:15:ca:1d:7e:c4:07:3d:69:fa:6b:bf:
    04:b5
pub:
    04:e9:0c:53:ac:a1:f1:8b:46:34:48:f1:9b:2f:fb:
    81:9e:b5:61:18:fb:58:b5:6a:e7:cc:20:90:bb:1d:
    e6:45:12:e7:54:42:00:3f:8f:6c:c2:3a:d5:6a:9f:
    7a:83:31:bb:be:d7:10:02:12:9f:23:1e:e9:39:fb:
    de:a2:02:8a:b2
ASN1 OID: prime256v1
NIST CURVE: P-256
```

Comparing the public keys: they are different.

Seafoodair commented 1 year ago

Comparing the other one:
```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in ./fabca/fabric.com/tlsca-server/msp/keystore/90eda84d0271bd333fc4343fa5a7813ca600ac6befb2124df9508c81345fedf1_sk -text -noout
read EC key
Private-Key: (256 bit)
priv:
    b9:50:fa:5e:71:f4:05:56:99:0a:95:a1:6a:cb:0a:
    2d:2f:ab:fe:c4:7c:ff:15:cb:f8:ff:29:ae:7c:a5:
    7d:e5
pub:
    04:4c:01:94:6d:71:70:5e:f6:ae:da:77:67:f1:74:
    23:91:d9:79:4b:4a:1e:8f:89:f2:e2:65:8d:68:da:
    85:48:82:95:ae:6a:9c:d3:9f:4a:b3:84:7e:9a:d5:
    80:6b:37:e5:7f:f5:96:34:1d:98:45:0d:8e:98:dc:
    71:79:c1:71:2f
ASN1 OID: prime256v1
NIST CURVE: P-256
```
This one is the same, so I have found the matching key.

Seafoodair commented 1 year ago

```
user@user-KVM:~/Desktop/trans$ openssl x509 -in fabca/fabric.com/tlsca-server/tls-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:a8:64:84:47:74:5c:06:8f:ae:e4:44:ac:27:7c:c3:ad:ea:0e:28
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  5 06:27:00 2024 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = 808076851cfa
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e9:0c:53:ac:a1:f1:8b:46:34:48:f1:9b:2f:fb:
                    81:9e:b5:61:18:fb:58:b5:6a:e7:cc:20:90:bb:1d:
                    e6:45:12:e7:54:42:00:3f:8f:6c:c2:3a:d5:6a:9f:
                    7a:83:31:bb:be:d7:10:02:12:9f:23:1e:e9:39:fb:
                    de:a2:02:8a:b2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3F:58:9C:4A:46:84:FC:ED:6F:59:F3:BE:12:12:7E:2A:DE:84:96:AD
            X509v3 Authority Key Identifier:
                38:DB:15:6E:65:6D:24:FF:BD:B5:8D:3C:6D:AA:76:82:CF:62:0D:52
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:c0:a6:98:4e:20:41:89:54:96:c3:f6:62:a0:
        49:a9:a9:93:d6:13:f4:49:11:31:d1:31:5f:d1:e8:59:a8:3e:
        00:02:20:5c:af:cc:b7:68:48:e0:d7:da:94:45:fe:a7:6b:64:
        8f:fe:5e:89:ac:86:6f:db:c5:f7:53:bd:c6:4f:c5:f4:6a
```
This one pairs with our tls-cert.pem.

Seafoodair commented 1 year ago

Look at org1's certificate and private key.

Seafoodair commented 1 year ago

```
$ openssl x509 -in crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:6d:66:85:2f:d4:a0:02:95:f4:0c:1f:e7:20:d6:49:7b:84:67:b2
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.org1.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:99:02:cd:00:22:ef:e1:91:33:fb:bf:a4:c7:45:
                    0a:c5:99:03:b1:bf:d5:01:48:bb:ff:a5:9c:5a:0b:
                    ae:52:36:dd:24:92:78:4f:d9:e6:c0:f2:8b:82:b0:
                    1e:73:0b:4b:f2:b8:d7:1b:18:fd:da:93:a0:0c:b0:
                    c1:9e:68:2f:ba
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                3B:77:BE:02:25:DC:64:90:BA:FC:1D:CF:BB:D3:37:36:D8:54:CE:56
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:bc:28:21:d3:d5:e1:28:f9:c9:bb:50:fc:2d:
        e2:b8:27:23:99:ca:1b:6a:db:66:ad:75:6f:1f:d2:c8:01:96:
        99:02:20:12:5d:68:f8:ce:aa:38:0a:6d:b9:5d:ed:e0:75:b2:
        2b:fd:6f:6d:33:32:ca:76:d8:ff:f7:a4:59:15:ee:7b:51
```

Seafoodair commented 1 year ago

```
$ sudo openssl ec -in ./fabca/po1.fabric.com/tlsca-server/msp/keystore/d78ddc53f54929c9be0ee3a57100aed29da61091d962965f0e3f61b828dd1809_sk -text -noout
[sudo] password for user:
read EC key
Private-Key: (256 bit)
priv:
    e6:5b:37:30:bf:26:b2:38:00:60:03:34:6c:cc:7e:
    16:2d:3e:8c:d7:63:dd:50:61:15:ed:ac:c0:4b:8c:
    4f:51
pub:
    04:99:02:cd:00:22:ef:e1:91:33:fb:bf:a4:c7:45:
    0a:c5:99:03:b1:bf:d5:01:48:bb:ff:a5:9c:5a:0b:
    ae:52:36:dd:24:92:78:4f:d9:e6:c0:f2:8b:82:b0:
    1e:73:0b:4b:f2:b8:d7:1b:18:fd:da:93:a0:0c:b0:
    c1:9e:68:2f:ba
ASN1 OID: prime256v1
NIST CURVE: P-256
```

Seafoodair commented 1 year ago

Look at org2's private key and certificate.
```
user@user-KVM:~/Desktop/trans$ openssl x509 -in crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:30:e6:74:40:65:7e:39:00:a3:9f:df:35:10:5e:ef:01:21:01:82
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.org2.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tlsca.org2.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:96:c7:49:f4:79:ff:fe:e9:0c:eb:47:a2:1d:0a:
                    70:83:59:9d:c4:da:8b:89:74:62:94:69:f4:c4:c8:
                    e7:73:1b:8c:83:58:15:a8:29:ca:98:bb:7d:53:6e:
                    47:e4:da:27:e3:56:8c:c6:56:da:09:6e:0a:33:d5:
                    d0:8a:e4:f1:0c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                3F:E3:58:06:EE:67:EB:20:32:8A:17:2E:59:51:CF:44:6E:84:BF:56
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:af:df:66:9e:35:0c:15:46:b2:c5:e7:36:bc:
        ed:6e:c9:0a:fe:3f:a7:e6:bd:cb:a1:21:48:1c:34:32:5d:ba:
        e3:02:20:25:2d:57:73:a5:2e:28:8f:71:47:6e:fb:e8:4e:52:
        f2:c7:a3:12:9c:df:27:fc:5b:09:b7:e6:40:02:a8:6e:6a
```

Seafoodair commented 1 year ago

```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in ./fabca/po2.fabric.com/tlsca-server/msp/keystore/26b70ec161cc99758eac37455e59dcfa120033f0e1f7780cc3b748c1e5d917f1_sk -text -noout
read EC key
Private-Key: (256 bit)
priv:
    ec:5b:54:e9:43:63:44:01:c8:39:23:4a:6c:f1:b4:
    46:ad:1a:52:62:d4:e7:bf:b1:25:0e:4b:8f:78:db:
    3a:21
pub:
    04:96:c7:49:f4:79:ff:fe:e9:0c:eb:47:a2:1d:0a:
    70:83:59:9d:c4:da:8b:89:74:62:94:69:f4:c4:c8:
    e7:73:1b:8c:83:58:15:a8:29:ca:98:bb:7d:53:6e:
    47:e4:da:27:e3:56:8c:c6:56:da:09:6e:0a:33:d5:
    d0:8a:e4:f1:0c
ASN1 OID: prime256v1
NIST CURVE: P-256
```
This one matches.

Seafoodair commented 1 year ago

The three TLS ports are 7150, 7151 and 7156.

Seafoodair commented 1 year ago

Matching the fabric-ca certificate with its private key.
```
user@user-KVM:~/Desktop/trans$ openssl x509 -in crypto-config/ordererOrganizations/example.com/ca/ca.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:9c:71:84:34:74:b5:19:db:87:8e:1b:cd:46:27:70:62:47:99:4d
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:37:28:4f:44:b3:8c:75:72:ac:c3:12:e2:ab:58:
                    a4:62:13:3d:6f:4b:c7:d7:85:4c:1c:b9:7c:13:70:
                    ea:4e:c7:b4:52:9e:7c:fe:af:cd:f9:f9:e9:72:f5:
                    87:7c:ce:a3:f3:c6:8a:d1:45:b4:69:67:34:47:30:
                    75:18:66:90:93
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                96:58:FA:90:A4:6B:1F:8C:4F:5D:99:B7:F9:EA:43:0F:EE:D2:41:DD
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:fd:63:5a:10:fa:01:82:60:64:52:5a:79:7f:
        b5:59:42:47:7b:da:e8:f6:7c:e8:e0:ab:7e:cf:bd:0c:96:2f:
        ae:02:20:16:fd:c2:6b:00:a7:a8:60:2f:a1:c3:8b:8d:41:37:
        a4:8f:e9:5c:73:77:87:c5:bf:84:c5:ba:be:30:a8:ad:c8
```

Seafoodair commented 1 year ago

```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in ./fabca/fabric.com/ca-server/msp/keystore/747e840094516e31a8f3fafa0916f26cd7749799fcd40e0bd5a4cf07f271845a_sk -text -noout
read EC key
Private-Key: (256 bit)
priv:
    32:18:f2:e9:13:9f:4b:f9:60:1e:e6:c6:51:10:d3:
    91:01:e1:c1:c3:16:0f:8a:53:e1:c9:f6:22:f3:69:
    6f:09
pub:
    04:37:28:4f:44:b3:8c:75:72:ac:c3:12:e2:ab:58:
    a4:62:13:3d:6f:4b:c7:d7:85:4c:1c:b9:7c:13:70:
    ea:4e:c7:b4:52:9e:7c:fe:af:cd:f9:f9:e9:72:f5:
    87:7c:ce:a3:f3:c6:8a:d1:45:b4:69:67:34:47:30:
    75:18:66:90:93
ASN1 OID: prime256v
```
This one matches.

Seafoodair commented 1 year ago

Org1 CA:
```
$ openssl x509 -in crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5f:8a:4a:4e:06:99:80:ad:73:83:74:9f:19:09:da:64:bf:7f:0e:1d
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.org1.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:56:8c:4a:ed:a1:07:cf:8c:e0:7f:43:83:92:da:
                    da:61:4b:fe:4a:e0:b4:8c:a8:ac:87:b5:85:64:c8:
                    dd:6c:4e:07:67:f0:d5:8f:17:f4:8f:5a:97:5c:32:
                    95:02:1e:9b:b2:a6:dd:f9:b5:5e:91:83:95:87:62:
                    23:6a:06:93:84
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                CC:3E:AF:5C:82:26:08:BC:B5:70:86:24:A4:5E:FB:38:4F:4C:0B:8B
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:44:02:20:18:0f:af:f8:1f:8c:6a:11:88:89:d5:2c:19:e1:
        eb:ea:1b:f5:f2:ac:fe:33:a0:05:75:c6:1d:d5:ce:43:af:79:
        02:20:06:e3:5e:a2:ad:f2:2a:7f:ef:24:e5:6d:ba:80:36:98:
        bb:87:28:59:f6:af:7d:79:54:eb:72:b5:36:f2:7f:5a
```

Seafoodair commented 1 year ago

```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in ./fabca/po1.fabric.com/ca-server/msp/keystore/b1602c878d24a6f004f694105be792166c3badd2ead167edc864b1c70ff775b8_sk -text -noout
read EC key
Private-Key: (256 bit)
priv:
    87:12:9d:64:3c:c8:3b:1a:cd:34:1b:d1:2b:8b:2e:
    ae:01:d4:b7:ef:e3:73:10:6c:94:ff:f7:11:29:7c:
    b5:99
pub:
    04:56:8c:4a:ed:a1:07:cf:8c:e0:7f:43:83:92:da:
    da:61:4b:fe:4a:e0:b4:8c:a8:ac:87:b5:85:64:c8:
    dd:6c:4e:07:67:f0:d5:8f:17:f4:8f:5a:97:5c:32:
    95:02:1e:9b:b2:a6:dd:f9:b5:5e:91:83:95:87:62:
    23:6a:06:93:84
ASN1 OID: prime256v1
NIST CURVE: P-256
```
This one matches.

Seafoodair commented 1 year ago

Org2:
```
user@user-KVM:~/Desktop/trans$ openssl x509 -in crypto-config/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:c1:f1:5b:c9:ee:d6:a9:cf:6a:01:9e:1f:34:d0:d4:20:7a:68:16
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.org2.example.com
        Validity
            Not Before: Jul  6 06:27:00 2023 GMT
            Not After : Jul  2 06:27:00 2038 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.org2.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:98:f1:8c:af:e8:c8:b9:8e:d2:2a:39:1d:54:36:
                    c1:ba:bd:9c:f7:ee:48:d6:3c:f6:e0:bb:17:f9:c0:
                    24:d9:77:de:e9:cf:3a:78:30:d9:3f:ab:60:e2:ef:
                    eb:b2:c1:d9:95:3e:7e:a3:27:e3:5c:91:e9:5f:f5:
                    f6:dc:a5:1d:05
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                20:3F:3E:C9:A5:C3:9A:84:B0:CB:18:BD:DA:6A:F9:4A:C8:3A:F1:90
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:c6:26:12:42:5f:63:3c:a3:81:bc:d1:d6:21:
        a5:01:1a:bf:f9:c8:22:15:27:79:2c:34:95:06:63:e5:ba:c2:
        94:02:20:01:c7:23:2f:08:8d:80:30:07:24:9c:49:3e:d8:6b:
        7a:c2:c8:4d:39:4b:8a:79:85:be:33:3f:74:bf:32:2f:3c
```

Seafoodair commented 1 year ago

```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in ./fabca/po2.fabric.com/ca-server/msp/keystore/a09400828ca440b4e342cd21326d7cbc495940d056057211e0711fb5a07657e5_sk -text -noout
[sudo] password for user:
read EC key
Private-Key: (256 bit)
priv:
    fd:af:4f:52:72:cd:9a:b0:6a:5e:64:aa:75:ff:ba:
    33:e0:96:6a:76:f1:58:29:7f:4d:3c:79:16:88:e5:
    91:4a
pub:
    04:98:f1:8c:af:e8:c8:b9:8e:d2:2a:39:1d:54:36:
    c1:ba:bd:9c:f7:ee:48:d6:3c:f6:e0:bb:17:f9:c0:
    24:d9:77:de:e9:cf:3a:78:30:d9:3f:ab:60:e2:ef:
    eb:b2:c1:d9:95:3e:7e:a3:27:e3:5c:91:e9:5f:f5:
    f6:dc:a5:1d:05
ASN1 OID: prime256v1
NIST CURVE: P-256
```

Seafoodair commented 1 year ago

This proves that in tlsca-admin the certificate shown by `openssl x509 -in fabca/fabric.com/tlsca-admin/msp/signcerts/cert.pem -text -noout` and the private key in msp/keystore are a pair.
```
user@user-KVM:~/Desktop/trans$ sudo openssl ec -in fabca/fabric.com/tlsca-admin/msp/keystore/20090d96e9025974b03274fb33c57a6a2ea147870bc31c08b47b46318be6a247_sk -text -noout
[sudo] password for user:
read EC key
Private-Key: (256 bit)
priv:
    4c:68:12:93:35:70:cf:43:07:7e:45:c4:d9:c4:79:
    08:03:9b:ce:1b:f0:69:ae:76:8b:27:42:14:85:11:
    15:cb
pub:
    04:e0:a9:37:eb:b2:3f:2e:39:d9:a1:ca:43:6f:aa:
    b2:7a:f5:47:e5:b2:4c:8b:18:64:7c:ee:00:0c:de:
    71:a3:fd:4e:ed:a6:8b:6a:9a:d0:3d:2d:68:fe:88:
    a0:ce:6b:70:e4:07:75:5a:3c:30:91:db:04:ef:7c:
    af:f7:c7:b2:ee
ASN1 OID: prime256v1
NIST CURVE: P-256
```

Seafoodair commented 1 year ago

```
$ openssl crl2pkcs7 -nocrl -certfile twobin/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem | openssl pkcs7 -print_certs -noout
subject=C = US, ST = California, L = San Francisco, O = example.com, CN = tlsca.example.com

issuer=C = US, ST = California, L = San Francisco, O = example.com, CN = tlsca.example.com
```
This command shows the certificate chain; if the subject and issuer it shows are the same, that proves the certificate is self-signed.

Seafoodair commented 1 year ago

```
$ openssl verify -show_chain -CAfile twobin/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem twobin/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp/signcerts/peer1.org2.example.com-cert.pem
twobin/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp/signcerts/peer1.org2.example.com-cert.pem: OK
Chain:
depth=0: C = US, ST = California, L = San Francisco, OU = peer, CN = peer1.org2.example.com (untrusted)
depth=1: C = US, ST = California, L = San Francisco, O = org2.example.com, CN = ca.org2.example.com
```
The certificate chain can be found and it shows OK.
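Added example, not code from this issue, from Fabric or from fabric-ca: a standard-library Go program that does in code what the thread does by hand with openssl. `FindMatchingKey` answers the "which `<sha256>_sk` file in the keystore belongs to this certificate" question by comparing the EC public point, which is the `pub:` comparison between `openssl ec -text` and `openssl x509 -text` above; `IsSelfSigned` is the subject-equals-issuer check from the `crl2pkcs7` step, tightened so the signature must also verify under the cert's own key; `VerifyChain` mirrors `openssl verify -show_chain -CAfile`. All material is constructed in memory by `BuildDemo` (a self-signed TLS CA, a peer certificate it issued, and a keystore holding a stale key beside the live one, standing in for the "started several times" situation). The subject names, the file names `stale_sk`/`live_sk` and the validity periods are assumptions, not real Fabric output.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func parseCert(p []byte) (*x509.Certificate, error) {
	b, _ := pem.Decode(p)
	if b == nil || b.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block")
	}
	return x509.ParseCertificate(b.Bytes)
}

// FindMatchingKey returns the keystore file whose private key pairs with certPEM: same curve,
// same public point. Fabric CA keystore files are PKCS#8 ("PRIVATE KEY"); only EC keys are accepted.
func FindMatchingKey(certPEM []byte, keystore map[string][]byte) (string, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return "", err
	}
	for name, keyPEM := range keystore {
		b, _ := pem.Decode(keyPEM)
		if b == nil || b.Type != "PRIVATE KEY" {
			continue // not a PKCS#8 key file: skip it and keep looking
		}
		k, err := x509.ParsePKCS8PrivateKey(b.Bytes)
		if priv, ok := k.(*ecdsa.PrivateKey); err == nil && ok && priv.PublicKey.Equal(cert.PublicKey) {
			return name, nil
		}
	}
	return "", errors.New("no key in keystore matches this certificate")
}

// IsSelfSigned checks subject == issuer AND that the signature verifies under the cert's own key.
func IsSelfSigned(certPEM []byte) (bool, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(cert) == nil, nil
}

// VerifyChain mirrors `openssl verify -show_chain -CAfile ca.pem leaf.pem`; returns CNs from leaf to root.
func VerifyChain(leafPEM, caPEM []byte) ([]string, error) {
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty pool surfaces below as an unknown-authority error
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	var cns []string
	for _, c := range chains[0] {
		cns = append(cns, c.Subject.CommonName)
	}
	return cns, nil
}

// BuildDemo constructs sample material (assumed names, not real Fabric output): a self-signed TLS CA,
// a peer cert it issued, and a keystore with a stale key from an earlier CA start beside the live key.
func BuildDemo() (caCert, peerCert []byte, keystore map[string][]byte) {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	toPEM := func(t string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der}) }
	must := func(der []byte, err error) []byte { if err != nil { panic(err) }; return der }
	caKey, staleKey, peerKey := newKey(), newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(15 * 365 * 24 * time.Hour),
		Subject:  pkix.Name{Organization: []string{"Hyperledger"}, CommonName: "tlsca.example.com"},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	parent, _ := x509.ParseCertificate(caDER)
	peerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		Subject:  pkix.Name{OrganizationalUnit: []string{"peer"}, CommonName: "peer1.org2.example.com"},
		KeyUsage: x509.KeyUsageDigitalSignature}
	peerDER := must(x509.CreateCertificate(rand.Reader, peerTmpl, parent, &peerKey.PublicKey, caKey))
	caKeyDER, _ := x509.MarshalPKCS8PrivateKey(caKey)
	staleDER, _ := x509.MarshalPKCS8PrivateKey(staleKey)
	keystore = map[string][]byte{"stale_sk": toPEM("PRIVATE KEY", staleDER), "live_sk": toPEM("PRIVATE KEY", caKeyDER)}
	return toPEM("CERTIFICATE", caDER), toPEM("CERTIFICATE", peerDER), keystore
}

func main() {
	caCert, peerCert, keystore := BuildDemo()
	name, err := FindMatchingKey(caCert, keystore)
	self, _ := IsSelfSigned(caCert)
	chain, verr := VerifyChain(peerCert, caCert)
	fmt.Println("CA key file:", name, err, "| CA self-signed:", self, "| chain:", chain, verr)
}
```

Point `FindMatchingKey` at a real `signcerts/*.pem` and the contents of the matching `msp/keystore/` directory and it reports which `_sk` file to copy and rename to `priv_sk`; `VerifyChain` errors rather than returning a chain when the CA file is the wrong one, which is the "unable to get local issuer certificate" case with openssl.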