【发布时间】:2020-06-23 07:11:54
【问题描述】:
我正在尝试运行 Hypderledger v2.0 fabric-ca-client 二进制文件以获取具有 SANS 配置的证书...
$ fabric-ca-client enroll -u ${CA_FULL_URL} --tls.certfiles ${CA_CERT_PATH} --csr.hosts peer0-org1 --enrollment.profile tls
所以我们有“--csr.hosts peer0-org1”来生成包含 SAN(主题备用名称)的证书...
但是当使用 $ openssl x509 -noout -text -in certificateX123.pem 检查它时
结果是:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Validity
Not Before: Jun 21 05:14:00 2020 GMT
Not After : Jun 18 05:14:00 2035 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
aa:33:ee:fe:e8
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e
我没有看到任何类似的 SANS 配置
SANS:
- "localhost"
- "127.0.0.1"
那么为什么生成的证书中没有SANS配置???请帮忙。谢谢!
【问题讨论】:
-
您可以尝试如下:
--csr.hosts "localhost,127.0.01"。您将需要 SAN 来获取节点证书。这是 Fabric CA 证书,如果我没记错的话。