Hyperledger Fabric: how to generate peer SAN certificates via fabric-ca-client


Question

I am trying to run the Hyperledger v2.0 fabric-ca-client binary to get certificates with SAN configurations...

$ fabric-ca-client enroll -u ${CA_FULL_URL} --tls.certfiles ${CA_CERT_PATH} --csr.hosts peer0-org1 --enrollment.profile tls

So we have "--csr.hosts peer0-org1", which should generate certs that include a SAN (Subject Alternative Name)...

BUT when checking it with $ openssl x509 -noout -text -in certificateX123.pem

the result is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Validity
            Not Before: Jun 21 05:14:00 2020 GMT
            Not After : Jun 18 05:14:00 2035 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
                    33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
                    03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
                    55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
                    aa:33:ee:fe:e8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
         b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
         02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
         52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e

I don't see any SAN configuration like

SANS:
  - "localhost"
  - "127.0.0.1"

So WHY is there no SAN configuration in the generated certificate??? Please help. Thank you!

Answer

@Russo, as mentioned by @ChintanRajvir, it is the fabric tls-ca. You don't need SANs in the tls-ca. Instead, check network/crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt. Change the org name accordingly. This is the certificate which requires SANs, not the tls-ca.

Code snippet

openssl x509 -in crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:ca:fc:cb:29:77:d1:ff:b5:19:ac:64:67:89:26:e2:2e:28:61:00
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.beta.com
        Validity
            Not Before: Jun 23 07:34:00 2020 GMT
            Not After : Jun 23 07:39:00 2021 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = peer, CN = peer1.beta.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4d:d3:f8:a8:a8:0f:f9:e4:81:f9:43:ae:fe:bb:
                    44:d7:4f:de:c7:82:e5:29:66:22:bc:4c:49:e6:a4:
                    a4:f8:26:84:09:2a:51:1b:81:38:0d:9c:13:21:9b:
                    38:98:9d:d5:2f:45:75:d4:4b:62:45:01:74:1f:ad:
                    bf:5d:af:7e:47
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                54:D6:E3:AC:54:8C:8A:A3:13:32:4A:78:30:E7:59:8A:3C:EB:EE:3C
            X509v3 Authority Key Identifier:
                keyid:10:4E:E0:F4:A7:86:57:01:A0:28:25:99:57:A9:F2:55:5D:CD:E0:4F

            X509v3 Subject Alternative Name:
                DNS:peer1.beta.com, DNS:localhost
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer1.beta.com","hf.Type":"peer"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:1e:fe:18:8b:2f:7c:a3:1b:4e:1a:db:5d:96:49:
         31:d5:ca:3d:e9:92:75:14:4d:38:49:a2:15:88:de:77:33:77:
         02:20:33:19:ec:9c:ac:e4:43:90:b2:f6:2b:3b:f0:a8:45:d4:
         a9:7e:0b:e2:80:ba:86:75:df:5a:f2:fe:90:b8:18:52
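As an added example (not part of the question or the answer, and not fabric-ca code), the following Go program reproduces the distinction the answer draws. It builds in memory a CA certificate shaped like the one the question inspected (CA:TRUE, pathlen 1, no SAN extension) and a leaf shaped like the answer's server.crt (CA:FALSE, serverAuth, SANs), then shows which of the two a TLS client would actually accept for peer1.beta.com. The host list, the subject names and the helper names InspectPEM, HostMatches and makeTestPair are assumptions made for this demonstration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertFacts holds the fields that tell a CA certificate apart from a TLS
// server certificate: the question inspected a CA:TRUE root with no SANs,
// the answer points at the CA:FALSE server.crt that carries them.
type CertFacts struct {
	Subject    string
	IsCA       bool
	ServerAuth bool
	DNSNames   []string
	IPs        []string
}

// InspectPEM parses one PEM certificate and extracts CertFacts.
func InspectPEM(pemBytes []byte) (CertFacts, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertFacts{}, fmt.Errorf("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertFacts{}, err
	}
	facts := CertFacts{Subject: cert.Subject.String(), IsCA: cert.IsCA, DNSNames: cert.DNSNames}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			facts.ServerAuth = true
		}
	}
	for _, ip := range cert.IPAddresses {
		facts.IPs = append(facts.IPs, ip.String())
	}
	return facts, nil
}

// HostMatches reports whether a TLS client dialing host would accept this
// certificate's identity. Go matches only against the SAN extension, so a
// certificate without SANs fails here regardless of its CN.
func HostMatches(pemBytes []byte, host string) bool {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	return cert.VerifyHostname(host) == nil
}

// makeTestPair constructs, in memory, a CA certificate shaped like the one
// in the question (CA:TRUE, pathlen 1, no SANs) and a leaf shaped like the
// answer's server.crt, with hosts split into DNS and IP SANs. This is
// constructed test data, not a fabric-ca artifact.
func makeTestPair(hosts []string) (caPEM, leafPEM []byte, err error) {
	if len(hosts) == 0 {
		return nil, nil, fmt.Errorf("at least one host is required for the leaf")
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Hyperledger"}, CommonName: "fabric-ca-server"},
		NotBefore:             now, NotAfter: now.Add(15 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            1,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{Organization: []string{"Hyperledger"}, OrganizationalUnit: []string{"peer"}, CommonName: hosts[0]},
		NotBefore:             now, NotAfter: now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts { // IP literals go into the IP SAN list, everything else into DNS
		if ip := net.ParseIP(h); ip != nil {
			leafTmpl.IPAddresses = append(leafTmpl.IPAddresses, ip)
		} else {
			leafTmpl.DNSNames = append(leafTmpl.DNSNames, h)
		}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	caPEM, leafPEM, err := makeTestPair([]string{"peer1.beta.com", "localhost", "127.0.0.1"})
	if err != nil {
		panic(err)
	}
	for name, p := range map[string][]byte{"ca-cert.pem": caPEM, "server.crt": leafPEM} {
		f, _ := InspectPEM(p)
		fmt.Printf("%s: CA=%v serverAuth=%v DNS=%v IP=%v matches peer1.beta.com=%v\n",
			name, f.IsCA, f.ServerAuth, f.DNSNames, f.IPs, HostMatches(p, "peer1.beta.com"))
	}
}
```

To run this against real files, replace makeTestPair with os.ReadFile on the CA certificate and on tls/server.crt. A CA:TRUE result from InspectPEM means you are looking at the issuer, not the enrolled TLS certificate, and HostMatches is the check that matters at connection time: the peer or client dialing the node will only accept a name that appears in the SAN extension.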
