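Deploying fabric-ca and issuing certificates

1. Deploy with Docker containers (there are two ways to deploy: 1. command line; 2. Docker containers), using three root CAs: ca_org1, ca_org2 and ca_orderer: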

docker-compose-ca.yaml

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

version: '2'

services:

  ca_org1:
    image: hyperledger/fabric-ca:1.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    container_name: ca_org1

  ca_org2:
    image: hyperledger/fabric-ca:1.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org2
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=8054
    ports:
      - "8054:8054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./organizations/fabric-ca/org2:/etc/hyperledger/fabric-ca-server
    container_name: ca_org2

  ca_orderer:
    image: hyperledger/fabric-ca:1.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-orderer
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=9054
    ports:
      - "9054:9054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./organizations/fabric-ca/ordererOrg:/etc/hyperledger/fabric-ca-server
    container_name: ca_orderer

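2. Edit the configuration file fabric-ca-server-config.yaml and change the database to MySQL. The path of the configuration file is given by the volumes entries in docker-compose.

Example change for ca_org1; ca_org2 and ca_orderer are changed in the same way:

db:
  type: mysql
  datasource: root:password@tcp(10.20.31.113:3306)/ca_org1?parseTime=true
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

Note: the database configuration also needs to be modified, otherwise an "Invalid default value for '<column name>'" error is reported: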

sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
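
A pre-start check for the two files shown above, as an added example that is not part of the original post: it flags the default bootstrap identity admin:adminpw in the compose file, a MySQL datasource that connects as root, and db TLS left disabled for a remote database host. The function names are hypothetical helpers, and the files written by write_samples are constructed samples that reuse the values from this page.

```bash
#!/usr/bin/env bash
# Added example: lint the fabric-ca compose file and server config before starting.
# All function names are hypothetical helpers, not part of fabric-ca.

# Flag "fabric-ca-server start -b admin:adminpw" (default bootstrap identity).
# $1 = path to docker-compose-ca.yaml
lint_compose() {
    grep -n -E 'fabric-ca-server +start.* -b +admin:adminpw' "$1" |
        sed 's/^\([0-9]*\):.*/compose line \1: default bootstrap identity admin:adminpw/'
}

# Inspect only the top-level db: block of fabric-ca-server-config.yaml.
# $1 = path to fabric-ca-server-config.yaml
lint_server_db() {
    awk '
        /^db:/           { in_db = 1; next }
        /^[^ #]/         { in_db = 0 }        # another top-level key closes db:
        !in_db           { next }
        /^ +datasource:/ {
            ds = $0; sub(/^ +datasource: */, "", ds)
            if (ds ~ /@tcp\(/) {              # user:pass@tcp(host:port)/dbname form
                user = ds; sub(/:.*/, "", user)
                host = ds; sub(/^.*@tcp\(/, "", host); sub(/[:)].*/, "", host)
                if (user == "root") print "db: datasource connects as root"
            }
        }
        /^ +tls:/               { in_tls = 1; next }
        in_tls && /^ +enabled:/ { tls = $2; in_tls = 0 }
        END {
            local_host = (host == "localhost" || host == "127.0.0.1")
            if (tls == "false" && host != "" && !local_host)
                print "db: TLS disabled for remote host " host
        }
    ' "$1"
}

# Print every finding; return 1 if there is at least one, 0 if the files are clean.
# $1 = compose file, $2 = server config
lint_ca_config() {
    findings=$(lint_compose "$1"; lint_server_db "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (values taken from the snippets on this page).
# $1 = directory to write them into
write_samples() {
    cat > "$1/docker-compose-ca.yaml" <<'EOF'
services:
  ca_org1:
    image: hyperledger/fabric-ca:1.4
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
EOF
    cat > "$1/fabric-ca-server-config.yaml" <<'EOF'
db:
  type: mysql
  datasource: root:password@tcp(10.20.31.113:3306)/ca_org1?parseTime=true
  tls:
      enabled: false
tls:
  enabled: true
EOF
}

# Usage:
#   lint_ca_config docker-compose-ca.yaml organizations/fabric-ca/org1/fabric-ca-server-config.yaml
```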

3. Command to start fabric-ca:

docker-compose -f docker-compose-ca.yaml up -d

The command to shut fabric-ca down is: docker-compose -f docker-compose-ca.yaml down --volumes --remove-orphans

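4. Issue certificates according to the Fabric network architecture diagram; the network structure for this example is shown in the figure below.

Script for issuing the org1 organization certificates: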

function createOrg1 {

echo
echo "Enroll the CA admin"
echo
mkdir -p organizations/peerOrganizations/org1.example.com/

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/

set -x
fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml

echo
echo "Register peer0"
echo
set -x
fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x
echo
echo "Register peer1"
echo
set -x
fabric-ca-client register --caname ca-org1 --id.name peer1 --id.secret peer1pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

echo
echo "Register user"
echo
set -x
fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

echo
echo "Register the org admin"
echo
set -x
fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

mkdir -p organizations/peerOrganizations/org1.example.com/peers
mkdir -p organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com
mkdir -p organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com

echo
echo "## Generate the peer0 msp"
echo
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

echo
echo "## Generate the peer1 msp"
echo
set -x
fabric-ca-client enroll -u https://peer1:peer1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp --csr.hosts peer1.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml
cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/config.yaml

echo
echo "## Generate the peer0-tls certificates"
echo
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x
echo
echo "## Generate the peer1-tls certificates"
echo
set -x
fabric-ca-client enroll -u https://peer1:peer1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls --enrollment.profile tls --csr.hosts peer1.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x


cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.key


mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt

mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem

mkdir -p organizations/peerOrganizations/org1.example.com/users
mkdir -p organizations/peerOrganizations/org1.example.com/users/[email protected]

echo
echo "## Generate the user msp"
echo
set -x
fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

mkdir -p organizations/peerOrganizations/org1.example.com/users/[email protected]

echo
echo "## Generate the org admin msp"
echo
set -x
fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
set +x

cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp/config.yaml

}

Script for issuing the org2 certificates:

function createOrg2 {

echo
echo "Enroll the CA admin"
echo
mkdir -p organizations/peerOrganizations/org2.example.com/

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/
set -x
fabric-ca-client enroll -u https://admin:adminpw@localhost:8054 --caname ca-org2 --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-8054-ca-org2.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml

echo
echo "Register peer0"
echo
set -x
fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x
echo
echo "Register peer1"
echo
set -x
fabric-ca-client register --caname ca-org2 --id.name peer1 --id.secret peer1pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

echo
echo "Register user"
echo
set -x
fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

echo
echo "Register the org admin"
echo
set -x
fabric-ca-client register --caname ca-org2 --id.name org2admin --id.secret org2adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

mkdir -p organizations/peerOrganizations/org2.example.com/peers
mkdir -p organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com
mkdir -p organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com

echo
echo "## Generate the peer0 msp"
echo
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts peer0.org2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

echo
echo "## Generate the peer1 msp"
echo
set -x
fabric-ca-client enroll -u https://peer1:peer1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp --csr.hosts peer1.org2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/config.yaml
cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp/config.yaml

echo
echo "## Generate the peer0-tls certificates"
echo
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts peer0.org2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x
echo
echo "## Generate the peer1-tls certificates"
echo
set -x
fabric-ca-client enroll -u https://peer1:peer1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls --enrollment.profile tls --csr.hosts peer1.org2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x


cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.key

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem

mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/ca
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem

mkdir -p organizations/peerOrganizations/org2.example.com/users
mkdir -p organizations/peerOrganizations/org2.example.com/users/[email protected]

echo
echo "## Generate the user msp"
echo
set -x
fabric-ca-client enroll -u https://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

mkdir -p organizations/peerOrganizations/org2.example.com/users/[email protected]

echo
echo "## Generate the org admin msp"
echo
set -x
fabric-ca-client enroll -u https://org2admin:org2adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
set +x

cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/[email protected]/msp/config.yaml

}
Script for issuing the orderer certificates:
function createOrderer {

echo
echo "Enroll the CA admin"
echo
mkdir -p organizations/ordererOrganizations/example.com

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com

set -x
fabric-ca-client enroll -u https://admin:adminpw@localhost:9054 --caname ca-orderer --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml

echo
echo "Register orderer"
echo
set -x
fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client register --caname ca-orderer --id.name orderer2 --id.secret orderer2pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client register --caname ca-orderer --id.name orderer3 --id.secret orderer3pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client register --caname ca-orderer --id.name orderer4 --id.secret orderer4pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client register --caname ca-orderer --id.name orderer5 --id.secret orderer5pw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x

echo
echo "Register the orderer admin"
echo
set -x
fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x

mkdir -p organizations/ordererOrganizations/example.com/orderers

mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer.example.com
mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer2.example.com
mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer3.example.com
mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer4.example.com
mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer5.example.com

echo
echo "## Generate the orderer msp"
echo
set -x
fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts orderer.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp --csr.hosts orderer2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp --csr.hosts orderer3.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer4:orderer4pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/msp --csr.hosts orderer4.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer5:orderer5pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/msp --csr.hosts orderer5.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x


cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/config.yaml
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/config.yaml
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/msp/config.yaml
cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/msp/config.yaml

echo
echo "## Generate the orderer-tls certificates"
echo
set -x
fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts orderer.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer2:orderer2pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts orderer2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer3:orderer3pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls --enrollment.profile tls --csr.hosts orderer3.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer4:orderer4pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls --enrollment.profile tls --csr.hosts orderer4.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x
set -x
fabric-ca-client enroll -u https://orderer5:orderer5pw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls --enrollment.profile tls --csr.hosts orderer5.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.key

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.key

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.key

cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/ca.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.key

mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

mkdir ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts
cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem

mkdir -p organizations/ordererOrganizations/example.com/users
mkdir -p organizations/ordererOrganizations/example.com/users/[email protected]

echo
echo "## Generate the admin msp"
echo
set -x
fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/msp --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem
set +x

cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/[email protected]/msp/config.yaml
}
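
The three scripts above copy tlscacerts/*, signcerts/* and keystore/* onto single file names (ca.crt, server.crt, server.key). The following added example, which is not part of the original scripts, performs the same copy but stops when a directory does not hold exactly one file (for instance a keystore that still has a key from an earlier run) and writes server.key with mode 600. copy_single and install_tls_files are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: guarded replacement for the "cp <dir>/* <file>" lines in the
# enrollment scripts. Helper names are hypothetical, not fabric-ca tooling.

# Copy the only regular file in a directory to a fixed destination name.
# $1 = source directory, $2 = destination file, $3 = permission mode
copy_single() {
    src_dir=$1
    dest=$2
    mode=$3
    count=0
    match=
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue          # skips the literal pattern when nothing matches
        count=$((count + 1))
        match=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "copy_single: expected exactly 1 file in $src_dir, found $count" >&2
        return 1
    fi
    # Copy under a restrictive umask so a new key file is never created
    # group- or world-readable, then set the final mode explicitly.
    ( umask 077 && cp "$match" "$dest" ) && chmod "$mode" "$dest"
}

# Produce ca.crt, server.crt and server.key inside a node tls directory,
# i.e. the directory passed to "fabric-ca-client enroll ... -M <node>/tls".
# $1 = path to that tls directory
install_tls_files() {
    tls=$1
    copy_single "$tls/tlscacerts" "$tls/ca.crt"     644 &&
    copy_single "$tls/signcerts"  "$tls/server.crt" 644 &&
    copy_single "$tls/keystore"   "$tls/server.key" 600
}
```

In createOrg1 this would stand in for the three cp lines per node, for example: install_tls_files ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls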

5. Run the scripts to generate the certificates:

Run the following commands in the /root/ca directory:

 . organizations/fabric-ca/registerOgr1.sh 

 createOrg1

 . organizations/fabric-ca/registerOgr2.sh 

 createOrg2

 . organizations/fabric-ca/registerOrderer.sh 

createOrderer

6. Inspect the directory structure of the generated certificates:

organizations/peerOrganizations/
├── org1.example.com
│   ├── ca
│   │   └── ca.org1.example.com-cert.pem
│   ├── fabric-ca-client-config.yaml
│   ├── msp
│   │   ├── cacerts
│   │   │   └── localhost-7054-ca-org1.pem
│   │   ├── config.yaml
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── keystore
│   │   │   └── 7f6bafca12f99f05fee83492cd9c8de936296cdde68f47ac44379754be17cddc_sk
│   │   ├── signcerts
│   │   │   └── cert.pem
│   │   ├── tlscacerts
│   │   │   └── ca.crt
│   │   └── user
│   ├── peers
│   │   ├── peer0.org1.example.com
│   │   │   ├── msp
│   │   │   │   ├── cacerts
│   │   │   │   │   └── localhost-7054-ca-org1.pem
│   │   │   │   ├── config.yaml
│   │   │   │   ├── IssuerPublicKey
│   │   │   │   ├── IssuerRevocationPublicKey
│   │   │   │   ├── keystore
│   │   │   │   │   └── 70d18435f329f0a468e7d391d223b88c093d79ac0132f0d438ef41acd7f6ccd4_sk
│   │   │   │   ├── signcerts
│   │   │   │   │   └── cert.pem
│   │   │   │   └── user
│   │   │   └── tls
│   │   │       ├── cacerts
│   │   │       ├── ca.crt
│   │   │       ├── IssuerPublicKey
│   │   │       ├── IssuerRevocationPublicKey
│   │   │       ├── keystore
│   │   │       │   └── 699e5e42b2cd62bcfccc7a14f507d12b4c6edbe0be94fd7c1572d73d3a161a0a_sk
│   │   │       ├── server.crt
│   │   │       ├── server.key
│   │   │       ├── signcerts
│   │   │       │   └── cert.pem
│   │   │       ├── tlscacerts
│   │   │       │   └── tls-localhost-7054-ca-org1.pem
│   │   │       └── user
│   │   └── peer1.org1.example.com
│   │       ├── msp
│   │       │   ├── cacerts
│   │       │   │   └── localhost-7054-ca-org1.pem
│   │       │   ├── config.yaml
│   │       │   ├── IssuerPublicKey
│   │       │   ├── IssuerRevocationPublicKey
│   │       │   ├── keystore
│   │       │   │   └── 146a09a99fe173aa3e64e0d02c00ff49c55646cc7b1b1ea401090067d8affc80_sk
│   │       │   ├── signcerts
│   │       │   │   └── cert.pem
│   │       │   └── user
│   │       └── tls
│   │           ├── cacerts
│   │           ├── ca.crt
│   │           ├── IssuerPublicKey
│   │           ├── IssuerRevocationPublicKey
│   │           ├── keystore
│   │           │   └── 2c69d1b6e8077026205aab87d12a7fd32123a5bd01618f790fc951369b52ba7f_sk
│   │           ├── server.crt
│   │           ├── server.key
│   │           ├── signcerts
│   │           │   └── cert.pem
│   │           ├── tlscacerts
│   │           │   └── tls-localhost-7054-ca-org1.pem
│   │           └── user
│   ├── tlsca
│   │   └── tlsca.org1.example.com-cert.pem
│   └── users
│       ├── [email protected]
│       │   └── msp
│       │       ├── cacerts
│       │       │   └── localhost-7054-ca-org1.pem
│       │       ├── config.yaml
│       │       ├── IssuerPublicKey
│       │       ├── IssuerRevocationPublicKey
│       │       ├── keystore
│       │       │   └── ae921494e7286cf5fda149063e7f29644fb6ef1e85db0ea87025c434699044af_sk
│       │       ├── signcerts
│       │       │   └── cert.pem
│       │       └── user
│       └── [email protected]
│           └── msp
│               ├── cacerts
│               │   └── localhost-7054-ca-org1.pem
│               ├── IssuerPublicKey
│               ├── IssuerRevocationPublicKey
│               ├── keystore
│               │   └── 1afa111045bc6b44384ff1dfdaa01548e228cda4beafc7a886a0b26afb96a8eb_sk
│               ├── signcerts
│               │   └── cert.pem
│               └── user
└── org2.example.com
    ├── ca
    │   └── ca.org2.example.com-cert.pem
    ├── fabric-ca-client-config.yaml
    ├── msp
    │   ├── cacerts
    │   │   └── localhost-8054-ca-org2.pem
    │   ├── config.yaml
    │   ├── IssuerPublicKey
    │   ├── IssuerRevocationPublicKey
    │   ├── keystore
    │   │   └── 6dde2d7c539de41202c228f8b744ed4f9fd411470cf8e2e52de581e5130b0cc0_sk
    │   ├── signcerts
    │   │   └── cert.pem
    │   ├── tlscacerts
    │   │   └── ca.crt
    │   └── user
    ├── peers
    │   ├── peer0.org2.example.com
    │   │   ├── msp
    │   │   │   ├── cacerts
    │   │   │   │   └── localhost-8054-ca-org2.pem
    │   │   │   ├── config.yaml
    │   │   │   ├── IssuerPublicKey
    │   │   │   ├── IssuerRevocationPublicKey
    │   │   │   ├── keystore
    │   │   │   │   └── cc3567993dfd9c7f8c1065e672cf910af922fdc1c22a456ae75ff596d9fde803_sk
    │   │   │   ├── signcerts
    │   │   │   │   └── cert.pem
    │   │   │   └── user
    │   │   └── tls
    │   │       ├── cacerts
    │   │       ├── ca.crt
    │   │       ├── IssuerPublicKey
    │   │       ├── IssuerRevocationPublicKey
    │   │       ├── keystore
    │   │       │   └── 98c00e2995b7066a789d8924103edf7494eaef75fa1702e81c0c245f3ed74486_sk
    │   │       ├── server.crt
    │   │       ├── server.key
    │   │       ├── signcerts
    │   │       │   └── cert.pem
    │   │       ├── tlscacerts
    │   │       │   └── tls-localhost-8054-ca-org2.pem
    │   │       └── user
    │   └── peer1.org2.example.com
    │       ├── msp
    │       │   ├── cacerts
    │       │   │   └── localhost-8054-ca-org2.pem
    │       │   ├── config.yaml
    │       │   ├── IssuerPublicKey
    │       │   ├── IssuerRevocationPublicKey
    │       │   ├── keystore
    │       │   │   └── 850f3be4d0fba8e7f5070fc86ad42a46b330e503b7664a922d8a3709b704bdbe_sk
    │       │   ├── signcerts
    │       │   │   └── cert.pem
    │       │   └── user
    │       └── tls
    │           ├── cacerts
    │           ├── ca.crt
    │           ├── IssuerPublicKey
    │           ├── IssuerRevocationPublicKey
    │           ├── keystore
    │           │   └── 584595b78f14d9074fc7a199e95b0091322d576cb90aeddd56997211d03ef6be_sk
    │           ├── server.crt
    │           ├── server.key
    │           ├── signcerts
    │           │   └── cert.pem
    │           ├── tlscacerts
    │           │   └── tls-localhost-8054-ca-org2.pem
    │           └── user
    ├── tlsca
    │   └── tlsca.org2.example.com-cert.pem
    └── users
        ├── [email protected]
        │   └── msp
        │       ├── cacerts
        │       │   └── localhost-8054-ca-org2.pem
        │       ├── config.yaml
        │       ├── IssuerPublicKey
        │       ├── IssuerRevocationPublicKey
        │       ├── keystore
        │       │   └── a9c1cdf2c7c17af057cd8e20ef036fb8905d5ba4155cd456855edae340fc5719_sk
        │       ├── signcerts
        │       │   └── cert.pem
        │       └── user
└── [email protected]
└── msp
├── cacerts
│   └── localhost-8054-ca-org2.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── aa39fd219fe02cc59aa334699cc2aba26e90e3c87df9dde1910fd6b4cd4ed103_sk
├── signcerts
│   └── cert.pem
└── user

94 directories, 98 files

[root@C20-13U-10 ca]# tree organizations/ordererOrganizations/
organizations/ordererOrganizations/
└── example.com
    ├── fabric-ca-client-config.yaml
    ├── msp
    │   ├── cacerts
    │   │   └── localhost-9054-ca-orderer.pem
    │   ├── config.yaml
    │   ├── IssuerPublicKey
    │   ├── IssuerRevocationPublicKey
    │   ├── keystore
    │   │   └── 78853324c9928122b65395659de248f76f1e50f427ed69e6c4f2c5777dbe8956_sk
    │   ├── signcerts
    │   │   └── cert.pem
    │   ├── tlscacerts
    │   │   └── tlsca.example.com-cert.pem
    │   └── user
    ├── orderers
    │   ├── orderer2.example.com
    │   │   ├── msp
    │   │   │   ├── cacerts
    │   │   │   │   └── localhost-9054-ca-orderer.pem
    │   │   │   ├── config.yaml
    │   │   │   ├── IssuerPublicKey
    │   │   │   ├── IssuerRevocationPublicKey
    │   │   │   ├── keystore
    │   │   │   │   └── 812364a43d421b9251287aeded116b7a1a8bce0ea1924528875c63b0897add75_sk
    │   │   │   ├── signcerts
    │   │   │   │   └── cert.pem
    │   │   │   ├── tlscacerts
    │   │   │   │   └── tlsca.example.com-cert.pem
    │   │   │   └── user
    │   │   └── tls
    │   │       ├── cacerts
    │   │       ├── ca.crt
    │   │       ├── IssuerPublicKey
    │   │       ├── IssuerRevocationPublicKey
    │   │       ├── keystore
    │   │       │   └── 5862afe1941006e683ca15675feb2aaa872c08e1a702f27331d7cab84e20fbe7_sk
    │   │       ├── server.crt
    │   │       ├── server.key
    │   │       ├── signcerts
    │   │       │   └── cert.pem
    │   │       ├── tlscacerts
    │   │       │   └── tls-localhost-9054-ca-orderer.pem
    │   │       └── user
    │   ├── orderer3.example.com
    │   │   ├── msp
    │   │   │   ├── cacerts
    │   │   │   │   └── localhost-9054-ca-orderer.pem
    │   │   │   ├── config.yaml
    │   │   │   ├── IssuerPublicKey
    │   │   │   ├── IssuerRevocationPublicKey
    │   │   │   ├── keystore
    │   │   │   │   └── bf9796e1a0187b8e942f4e96bf6123df6c105f0560f5d3b83d383d2b1d082351_sk
    │   │   │   ├── signcerts
    │   │   │   │   └── cert.pem
    │   │   │   ├── tlscacerts
    │   │   │   │   └── tlsca.example.com-cert.pem
    │   │   │   └── user
    │   │   └── tls
    │   │       ├── cacerts
    │   │       ├── ca.crt
    │   │       ├── IssuerPublicKey
    │   │       ├── IssuerRevocationPublicKey
    │   │       ├── keystore
    │   │       │   └── 4df0689d688e2daa938501d96ebe92d99d7dadb374164e2034968b6160f7b87a_sk
    │   │       ├── server.crt
    │   │       ├── server.key
    │   │       ├── signcerts
    │   │       │   └── cert.pem
    │   │       ├── tlscacerts
    │   │       │   └── tls-localhost-9054-ca-orderer.pem
    │   │       └── user
    │   ├── orderer4.example.com
    │   │   ├── msp
    │   │   │   ├── cacerts
    │   │   │   │   └── localhost-9054-ca-orderer.pem
    │   │   │   ├── config.yaml
    │   │   │   ├── IssuerPublicKey
    │   │   │   ├── IssuerRevocationPublicKey
    │   │   │   ├── keystore
    │   │   │   │   └── a7db07091803dc82f4fb167ef6017c5766ec453e0fb753773c95492638c0a45d_sk
    │   │   │   ├── signcerts
    │   │   │   │   └── cert.pem
    │   │   │   ├── tlscacerts
    │   │   │   │   └── tlsca.example.com-cert.pem
    │   │   │   └── user
    │   │   └── tls
    │   │       ├── cacerts
    │   │       ├── ca.crt
    │   │       ├── IssuerPublicKey
    │   │       ├── IssuerRevocationPublicKey
    │   │       ├── keystore
    │   │       │   └── 34d965acb3f82a1ab38c3ae0f1153d52c420910fb1d20b88eb918e029817c1c2_sk
    │   │       ├── server.crt
    │   │       ├── server.key
    │   │       ├── signcerts
    │   │       │   └── cert.pem
    │   │       ├── tlscacerts
    │   │       │   └── tls-localhost-9054-ca-orderer.pem
    │   │       └── user
    │   ├── orderer5.example.com
    │   │   ├── msp
    │   │   │   ├── cacerts
    │   │   │   │   └── localhost-9054-ca-orderer.pem
    │   │   │   ├── config.yaml
    │   │   │   ├── IssuerPublicKey
    │   │   │   ├── IssuerRevocationPublicKey
    │   │   │   ├── keystore
    │   │   │   │   └── 436eb6c827c305b94ccdb65b2773841ffd7a159a6821f1120011a97cde964b52_sk
    │   │   │   ├── signcerts
    │   │   │   │   └── cert.pem
    │   │   │   ├── tlscacerts
    │   │   │   │   └── tlsca.example.com-cert.pem
    │   │   │   └── user
    │   │   └── tls
    │   │       ├── cacerts
    │   │       ├── ca.crt
    │   │       ├── IssuerPublicKey
    │   │       ├── IssuerRevocationPublicKey
    │   │       ├── keystore
    │   │       │   └── aba9458924e7b1f561c200e1f1e76a1da86cc79057ce4480e2adf59484bb389e_sk
    │   │       ├── server.crt
    │   │       ├── server.key
    │   │       ├── signcerts
    │   │       │   └── cert.pem
    │   │       ├── tlscacerts
    │   │       │   └── tls-localhost-9054-ca-orderer.pem
    │   │       └── user
    │   └── orderer.example.com
    │       ├── msp
    │       │   ├── cacerts
    │       │   │   └── localhost-9054-ca-orderer.pem
    │       │   ├── config.yaml
    │       │   ├── IssuerPublicKey
    │       │   ├── IssuerRevocationPublicKey
    │       │   ├── keystore
    │       │   │   └── d0e5d71caf9daa6fc195816c7060cb6494560f48150430167faf706ca67b94c4_sk
    │       │   ├── signcerts
    │       │   │   └── cert.pem
    │       │   ├── tlscacerts
    │       │   │   └── tlsca.example.com-cert.pem
    │       │   └── user
    │       └── tls
    │           ├── cacerts
    │           ├── ca.crt
    │           ├── IssuerPublicKey
    │           ├── IssuerRevocationPublicKey
    │           ├── keystore
    │           │   └── 3c64e71c7708ac217e30c89836d1484540b09b436ca08f2267a1ea35a89fd0f1_sk
    │           ├── server.crt
    │           ├── server.key
    │           ├── signcerts
    │           │   └── cert.pem
    │           ├── tlscacerts
    │           │   └── tls-localhost-9054-ca-orderer.pem
    │           └── user
    └── users
        └── [email protected]
            └── msp
                ├── cacerts
                │   └── localhost-9054-ca-orderer.pem
                ├── config.yaml
                ├── IssuerPublicKey
                ├── IssuerRevocationPublicKey
                ├── keystore
                │   └── 0b239b3e233b2095701525f63065e2d3b7b1a630cdc500551a501f2a80b8d82a_sk
                ├── signcerts
                │   └── cert.pem
                └── user

80 directories, 89 files
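
The listings above show where enrollment leaves private keys (`keystore/*_sk`, `tls/server.key`) next to their certificates. As an added example (not part of the original post), the script below audits such a tree for key files accessible to group or others, keystores that do not hold exactly one key, and keystores without a sibling `signcerts/cert.pem`. The function names are hypothetical and the layout is assumed to match the listing.

```shell
#!/bin/sh
# Added example: audit a Fabric MSP tree such as organizations/peerOrganizations.
# Assumed layout (taken from the listing): <msp|tls>/keystore/<hash>_sk,
# <msp|tls>/signcerts/cert.pem and tls/server.key.

# Private key files with any group/other permission bit set (mode & 077 != 0).
loose_keys() {
    find "$1" -type f \( -name '*_sk' -o -name 'server.key' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# keystore directories that do not hold exactly one *_sk file:
# zero means no key was generated, several means older keys were left behind.
bad_keystores() {
    find "$1" -type d -name keystore | while IFS= read -r dir; do
        n=$(find "$dir" -type f -name '*_sk' | wc -l | tr -d ' ')
        [ "$n" -eq 1 ] || echo "$dir ($n keys)"
    done
}

# keystore directories whose sibling signcerts/cert.pem is missing.
missing_certs() {
    find "$1" -type d -name keystore | while IFS= read -r dir; do
        [ -f "$(dirname "$dir")/signcerts/cert.pem" ] || echo "$dir"
    done
}

# Run all checks, print findings per check, return 1 if anything was found.
audit_msp() {
    root=$1
    rc=0
    for check in loose_keys bad_keystores missing_certs; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit_msp.sh organizations/peerOrganizations
[ $# -eq 0 ] || audit_msp "$1"
```

A non-zero exit status makes the script usable as a gate after the enrollment step.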


Reposted from www.cnblogs.com/zhangmingcheng/p/12574852.html