FISCO-BCOS blockchain open source platform deployment steps (4)

Chapter V Institutional Certificate Access

Communication between nodes can also be controlled by certificates. A node certificate indicates that the node belongs to a particular organization. By configuring an organization's certificates, the administrator controls whether a node holding the corresponding certificate can communicate with other nodes.

5.1 Check the certificate file

The node certificate files are stored in the data directory under the node's directory:

  • ca.crt: The root certificate (containing the root public key), shared by the entire blockchain.
  • ca.key: The private key of the root certificate. It must be kept secret and is used only when generating the public and private keys of a node certificate.
  • server.crt: The node certificate (containing the node's public key).
  • server.key: The private key of the node certificate. It must be kept secret.

5.2 Configuring Nodes

5.2.1 Enable SSL verification on all nodes

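# Using the genesis node as an example
cd /mydata/nodedata-1/
vim config.json
# Set the value of ssl to 1
"ssl":"1"

# Then restart
./stop.sh
./start.sh
# Perform the same steps on all other nodes to enable SSL verification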

5.2.2 Configuring the Authority Certificate

Once verification is enabled, a node can communicate only if its certificate has been added to the chain.

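cd /mydata/nodedata-1/
# Get the serial number of server.crt
openssl x509 -noout -in server.crt -serial
#=>serial=8A4B2CDE94348D22
cd /mydata/FISCO-BCOS/systemcontractv2
vim ca.json
# Put the value above into the hash field. A status of 0 means disabled and 1 means enabled. Modify the other fields as needed.

# Write the certificate data to the chain
node tool.js CAAction update ca.json

# Enable certificate verification
# Once enabled, any node whose certificate is not in the system contract will be unable to communicate.
# Run the command to set CAVerify to true
node tool.js ConfigAction set CAVerify true
# Check whether it is on; an output of true means the switch is on
node tool.js ConfigAction get CAVerify

# To turn it off, set it to false
node tool.js ConfigAction set CAVerify false

# View certificate status
node tool.js CAAction all
# Change certificate status
node tool.js CAAction updateStatus ca.json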
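
A pre-flight check to run against each node's certificate directory before CAVerify is set to true, since a node whose certificate is wrong or unregistered is cut off once the switch is on. This is an added example, not part of the original tutorial or the FISCO-BCOS tooling; the function names are hypothetical, and it assumes the openssl CLI and a directory argument that holds the files listed in 5.1.

```shell
#!/bin/sh
# Usage (assumed): sh preflight.sh <dir holding ca.crt, server.crt, server.key>

# Print the serial as bare hex, the value 5.2.2 places in the hash field of ca.json.
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# Succeed only if server.crt was issued by the chain's root certificate.
issued_by_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Succeed only if server.key is the private key for the public key in server.crt.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/server.crt" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$1/server.key" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the file grants nothing to group or other (mode 600 or 400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check; print hash=<serial> only when all of them pass.
preflight() {
    dir=$1; rc=0
    issued_by_ca "$dir" ||
        { echo "FAIL: server.crt does not verify against ca.crt" >&2; rc=1; }
    key_matches_cert "$dir" ||
        { echo "FAIL: server.key does not match server.crt" >&2; rc=1; }
    key_is_private "$dir/server.key" ||
        { echo "FAIL: server.key is accessible to group/other" >&2; rc=1; }
    # ca.key is only needed when issuing node certificates; if present, check it too.
    if [ -e "$dir/ca.key" ] && ! key_is_private "$dir/ca.key"; then
        echo "FAIL: ca.key is accessible to group/other" >&2; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "hash=$(cert_serial "$dir/server.crt")"; fi
    return "$rc"
}

if [ "$#" -eq 1 ]; then preflight "$1"; fi
```

Compare the printed hash value with the entry in ca.json and with the output of `node tool.js CAAction all` for every node before turning CAVerify on.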
