What is the suggested openssl command to generate EC Key and CSR compatible with Hyperledger Fabric?
Problem description
We have used openssl to generate CSRs (certificate signing request) as follows.
- Step 1: generate the ECPARAM.pem file
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -out ECPARAM.pem
- Step 2: generate the private key and CSR:
openssl req -newkey ec:ECPARAM.pem -keyout PRIVATEKEY.key -out MYCSR.csr
A new peer certificate is issued and signed from the corresponding CA out of the CSR listed above.
When the peer is started, it outputs the following error:
2020-11-22 22:28:14.635 UTC [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: KeyMaterial not found in SigningIdentityInfo
I suppose the problem is related to the format of the EC key generated by openssl? Below is a sample of the private key that is causing the error:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBEzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIQtU4Ouojj6MCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECC+I/OCseSp1BIHAeSmeCRFHlKzO
Hw1RK5wQi8hSulmi4HZjMJC6rofFFwGqgbBCKo9dBbJXYYsYc1AukAKyo+w6W4a3
0BpTGNAP4/eVB0dsFm7oHpJiZ2jmvgsYTHtchCciCastVph7zOfyggobPfEO97cU
iwtq3v1R5yGA1ic/2vIqtSxynnGzrTiUnwnrvPC0hXMYiDHmYfN66BK898bfcaXp
MqnBFfOQSRAtVzN71hiBWjGjVm3Y4e/vDYse/GLsseDnPK9fw3XA
-----END ENCRYPTED PRIVATE KEY-----
After comparing with keys generated by the cryptogen tool, they have a different header line and length:
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBXq+IIvjEQITYhxIui0ivOY/eVH1Ql8R5wXowiPSdLwZbsIrk6LHjw
jB8D9oqOW4agBwYFK4EEACKhZANiAASNt3bW+GicurJPRaj+oaY/xjaD9Mf/ic4i
3fdgI7wQnvXnGLX0Lf5ygd5ZyyhPW2Tvj7FdOW4vzaqZqSHkaG37GaP6JxpmR3/l
HuF+tncpsjUY7SXTCfzIysxvod9gN9g=
-----END EC PRIVATE KEY-----
Any suggestions for a solution?
Recommended answer
Fabric does not support encrypted keys. When generating the private keys using openssl, you should be able to pass the -nocrypt option to generate unencrypted keys or you can convert encrypted keys to unencrypted keys:
openssl ec -in PRIVATEKEY.key -out PK_UNENCRYPPTED.pem
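The header-line difference seen in the question can be checked before a key is copied into an MSP keystore. The script below is an added example, not part of the original question or answer: the function names are hypothetical, and `gen_key_and_csr` reuses the question's two commands with `openssl req`'s `-nodes` option so that the key is written unencrypted.

```shell
#!/bin/sh
# Added example: preflight check for PEM private keys destined for a Fabric
# MSP keystore. Function names are hypothetical, not Fabric or openssl names.

# Print the container kind of a PEM private key file, judged by its header.
pem_key_kind() {
    first=$( { tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}'; } 2>/dev/null )
    case "$first" in
        "") echo "no-pem" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----") echo "pkcs8-plain" ;;
        "-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM encryption keeps this header and adds a Proc-Type line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "sec1-encrypted"
            else
                echo "sec1-plain"
            fi ;;
        *) echo "other" ;;
    esac
}

# Succeed only if the directory holds key files and all of them are unencrypted.
check_keystore() {
    rc=0; seen=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        seen=1
        kind=$(pem_key_kind "$f")
        case "$kind" in
            *-plain) echo "ok   $f ($kind)" ;;
            *) echo "FAIL $f ($kind)"; rc=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "FAIL $1 (no key files)"; rc=1; }
    return "$rc"
}

# Generate a P-384 key and CSR without encrypting the key (-nodes).
# $1 = output directory, $2 = subject string supplied by the caller.
gen_key_and_csr() {
    openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-384 \
        -out "$1/ECPARAM.pem" &&
    openssl req -newkey ec:"$1/ECPARAM.pem" -nodes \
        -keyout "$1/PRIVATEKEY.key" -out "$1/MYCSR.csr" -subj "$2"
}
```

Running `check_keystore /etc/hyperledger/fabric/msp/keystore` on the peer (the `keystore` subdirectory is assumed from the MSP path in the error message) reports which key files are still encrypted.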