在hyperledger fabric-ca中,我创建了一系列CA,如:
根CA - 中间CA 1 - 中间CA 2 - 中间CA 3
使用这些CA,在fabric-ca-config.yaml文件的"signing"部分中设置"maxpathlen:5",在"csr"部分中设置"pathlength:5"
这意味着我的链对至少4个中级CA有效,我可以在中级CA 3中注册新的身份 .
事实上,我可以注册中级CA 3的管理员,但是,当我注册新的身份时,我有这样的错误:
/ register 401 26“不受信任的证书:无法验证证书:x509:路径长度约束的中间体太多”
我做错了什么,以及如何配置这个值
我的配置文件
# Version of config file
version: 1.1.0
# Server's listening port (default: 7054)
port: 7054
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
tls:
# Enable TLS (default: false)
enabled: false
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
ca:
# Name of this CA
name:
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: Admin
pass: adminpw
type: client
affiliation:
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
affiliations:
org1:
- department1
- department2
org2:
- department1
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 5
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
csr:
cn: fabric-ca-server
names:
- C: US
ST: "California"
L:
O: Hyperledger
OU: Fabric
hosts:
- ca
- localhost
ca:
expiry: 131400h
pathlength: 5
1 回答
我发现根本原因很简单,因为在初始化网络时,我不会自己创建cert / key并对其进行配置,以便Fabric-CA使用自己的密钥/ cert配置默认设置maxpathlen = 1 .
如果我自己创建cert / key并且在cert config pathlength> 3,那么我的网络就可以了 .