hummingbird
/
jdchain
Not watched
2
0
Fork 0
Code
Releases 31 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1082 Commits
11 Branches
12 MB
2577 Download
Tree: e96f4b39cc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e96f4b39cc'
${ noResults }
jdchain/docs/cli/ca.md

ca.md 10 kB
Raw Normal View History

new version 1.6.0-SNAPSHOT
4 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248 
  1. ### 证书管理

  2. 

  3. `jdchain-cli`提供**`ED25519`,`RSA`,`ECDSA`,`SM2`**密钥算法的证书签发工具:[证书列表](#证书列表),[显示证书](#显示证书),[CSR](#CSR),[CRT](#CRT),[更新证书](#更新证书),[生成测试证书](#生成测试证书)

  4. 

  5. > 目前支持创建`ED25519`,RSA`,`ECDSA`,`SM2`四种签名算法,请使用对应算法的公私钥

  6. 

  7. ```bash

  8. :bin$ ./jdchain-cli.sh ca -h

  9. Usage: jdchain-cli ca [-hV] [--pretty] [--home=<path>] [COMMAND]

  10. List, create, update certificates.

  11.   -h, --help          Show this help message and exit.

  12.       --home=<path>   Set the home directory.

  13.                         Default: ../

  14.       --pretty        Pretty json print

  15.   -V, --version       Print version information and exit.

  16. Commands:

  17.   list   List all the certificates.

  18.   show   Show certificate.

  19.   csr    Create certificate signing request.

  20.   crt    Create new certificate.

  21.   renew  Update validity period.

  22.   test   Create certificates for a testnet.

  23.   help   Displays help information about the specified command

  24. ```

  25. - `home`,指定密钥和证书存储相关目录,`${home}/config/keys`

  26. 

  27. #### 证书列表

  28. ```bash

  29. :bin$ ./jdchain-cli.sh ca list -h

  30. List all the certificates.

  31. Usage: jdchain-cli ca list [-hV] [--pretty] [--home=<path>]

  32.   -h, --help          Show this help message and exit.

  33.       --home=<path>   Set the home directory.

  34.       --pretty        Pretty json print

  35.   -V, --version       Print version information and exit.

  36. ```

  37. 

  38. 如:

  39. ```bash

  40. :bin$ ./jdchain-cli.sh keys list

  41. NAME           ALGORITHM        ADDRESS PUBKEY

  42. ```

  43. - `NAME`,名称

  44. - `ALGORITHM`,算法

  45. - `ADDRESS`,地址

  46. - `PUBKEY`,公钥

  47. 

  48. #### 显示证书

  49. ```bash

  50. :bin$ ./jdchain-cli.sh ca show -h

  51. Show certificate.

  52. Usage: jdchain-cli ca show [-hV] [--pretty] [--home=<path>] -n=<name>

  53.   -h, --help          Show this help message and exit.

  54.       --home=<path>   Set the home directory.

  55.   -n, --name=<name>   Name of the certificate

  56.       --pretty        Pretty json print

  57.   -V, --version       Print version information and exit.

  58. ```

  59. - `name`,证书名称

  60. 

  61. 如显示`${home}/config/keys`下名为`G1`的证书信息:

  62. ```bash

  63. :bin$ ./jdchain-cli.sh ca show -n G1

  64. ./jdchain-cli.sh ca show -n G1

  65. NAME    ALGORITHM       TYPE    ROLE    PUBKEY

  66. G1      SM2     ROLE-TODO       [GW]    SFZ6LjGKVz6wdU4G9PAraojyzCYPJ1BXAg1XBwSPCMC6Ug6u5oom5zcLPUzWtz42aCp9PLGXpHweBjSu3EW2aDzsa4JoT

  67.   [0]         Version: 3

  68.          SerialNumber: 440724497

  69.              IssuerDN: O=JDT,OU=ROOT,C=CN,ST=BJ,L=BJ,CN=ROOT,E=imuge@jd.com

  70.            Start Date: Fri Sep 03 16:43:01 GMT+08:00 2021

  71.            Final Date: Thu May 30 16:43:01 GMT+08:00 2024

  72.             SubjectDN: O=JDT,OU=GW,C=CN,ST=BJ,L=BJ,CN=G1,E=imuge@jd.com

  73.            Public Key: EC Public Key [c0:b9:58:d1:35:3d:a9:bc:1d:85:2a:ea:bf:57:80:39:e9:f6:57:6d]

  74.             X: 67e4a4afe0a5beb1e5fb6e915314a9ed94b74f449cc4f50314ff78ecf62ba786

  75.             Y: 2d5c233bfcd582f0c1098dbe4f1319db074fcf00023fdc9f3461a8d01488d9f2

  76. 

  77.   Signature Algorithm: SM3WITHSM2

  78.             Signature: 3046022100b70107554a723ec96569bbb23c65cb

  79.                        ac6d7934f47722aa50f18a5e9ca3a978b9022100

  80.                        9b68e5f3bd14bf103248c8516c493e5e1d9a872c

  81.                        39841c3704686ca85311bac0

  82. ```

  83. 

  84. #### CSR

  85. 

  86. 生成证书请求文件

  87. ```bash

  88. :bin$ ./jdchain-cli.sh ca csr -h

  89. Create certificate signing request.

  90. Usage: jdchain-cli ca csr [-hV] [--pretty] [--home=<path>] [-n=<name>]

  91.                           [--priv=<privPath>] [--pub=<pubPath>]

  92.   -h, --help              Show this help message and exit.

  93.       --home=<path>       Set the home directory.

  94.   -n, --name=<name>       Name of the key

  95.       --pretty            Pretty json print

  96.       --priv=<privPath>   Path of the private key file

  97.       --pub=<pubPath>     Path of the public key file

  98.   -V, --version           Print version information and exit.

  99. ```

  100. 

  101. - `name`,密钥对名称,创建公私钥请参照[keys](keys.md)文档说明

  102. 

  103. 如使用`${home}/config/keys`下名为`ROOT`的公私钥信息创建`CSR`:

  104. ```bash

  105. :bin$ ./jdchain-cli.sh ca csr -n ROOT

  106. // 选择证书角色,输入对应数字即可,多个角色使用半角逗号相隔

  107. input certificate roles (0 for ROOT, 1 for CA, 2 for PEER, 3 for GW, 4 for USER. multi values use ',' split):

  108. > 1

  109. input country:

  110. > CN

  111. input locality:

  112. > BJ

  113. input province:

  114. > BJ

  115. input organization name:

  116. > JDT

  117. input email address:

  118. > imuge@jd.com

  119. // 输入ROOT私钥密码

  120. input password of the key:

  121. > 1

  122. create [${home}/config/keys/ROOT.csr] success

  123. ```

  124. 成功后会创建`${home}/config/keys/ROOT.csr`文件。

  125. 

  126. #### CRT

  127. 

  128. 签发证书:

  129. ```bash

  130. :bin$ ./jdchain-cli.sh ca crt -h

  131. Create new certificate.

  132. Usage: jdchain-cli ca crt [-hV] [--pretty] [--csr=<csrPath>] --days=<days>

  133.                           [--home=<path>] [--issuer-crt=<issuerCrtPath>]

  134.                           [--issuer-name=<issuerName>]

  135.                           [--issuer-priv=<issuerPrivPath>] [-n=<name>]

  136.       --csr=<csrPath>   Path of the certificate signing request file

  137.       --days=<days>     Days of certificate validity

  138.   -h, --help            Show this help message and exit.

  139.       --home=<path>     Set the home directory.

  140.       --issuer-crt=<issuerCrtPath>

  141.                         Path of the issuer certificate file

  142.       --issuer-name=<issuerName>

  143.                         Name of the issuer key

  144.       --issuer-priv=<issuerPrivPath>

  145.                         Path of the issuer private key file

  146.   -n, --name=<name>     Name of the certificate signing request file

  147.       --pretty          Pretty json print

  148.   -V, --version         Print version information and exit.

  149. ```

  150. 

  151. - `name`,`CSR`文件名,不为空时要求在`${home}/config/keys`目录下存在`${name.csr}`文件

  152. - `csr`,`CSR`文件路径,与`name`二选一,优先使用`name`参数

  153. - `days`,证书有效天数,当前签发时间开始计算

  154. - `issuer-name`,签发者公私钥对名称,不为空时需要`${home}/config/keys`目录下至少存在`${issuer-name}.priv`,`${issuer-name}.crt`

  155. - `issuer-crt`,签发者证书文件

  156. - `issuer-priv`,签发者私钥文件

  157. > `issuer-name`为空时,`issuer-crt`和`issuer-priv`必须同时提供

  158. 

  159. 

  160. 如使用`${home}/config/keys`下名为`ROOT`签发自签名证书:

  161. ```bash

  162. ./jdchain-cli.sh ca crt -n CA --issuer-name ROOT --days 1000

  163. // 输入签发者私钥密码

  164. input password of the issuer:

  165. > 1

  166. create [${home}/config/keys/ROOT.crt] success

  167. ```

  168. 

  169. #### 更新证书

  170. 

  171. 仅可更新证书有效天数

  172. ```bash

  173. Update validity period.

  174. Usage: jdchain-cli ca renew [-hV] [--pretty] [--crt=<crtPath>] --days=<days>

  175.                             [--home=<path>] [--issuer-crt=<issuerCrtPath>]

  176.                             [--issuer-name=<issuerName>]

  177.                             [--issuer-priv=<issuerPrivPath>] [-n=<name>]

  178.       --crt=<crtPath>   File of the certificate

  179.       --days=<days>     Days of certificate validity

  180.   -h, --help            Show this help message and exit.

  181.       --home=<path>     Set the home directory.

  182.       --issuer-crt=<issuerCrtPath>

  183.                         Path of the issuer certificate file

  184.       --issuer-name=<issuerName>

  185.                         Name of the issuer key

  186.       --issuer-priv=<issuerPrivPath>

  187.                         Path of the issuer private key file

  188.   -n, --name=<name>     Name of the certificate

  189.       --pretty          Pretty json print

  190.   -V, --version         Print version information and exit.

  191. ```

  192. - `name`,`CRT`文件名,不为空时要求在`${home}/config/keys`目录下存在`${name.crt}`文件

  193. - `crt`,`CRT`文件路径,与`name`二选一,优先使用`name`参数

  194. - `days`,证书有效天数,当前签发时间开始计算

  195. - `issuer-name`,签发者公私钥对名称,不为空时需要`${home}/config/keys`目录下至少存在`${issuer-name}.priv`,`${issuer-name}.crt`

  196. - `issuer-crt`,签发者证书文件

  197. - `issuer-priv`,签发者私钥文件

  198. > `issuer-name`为空时,`issuer-crt`和`issuer-priv`必须同时提供

  199. 

  200. 如更新`${home}/config/keys`下名为`ROOT`证书有效期:

  201. ```bash

  202. ./jdchain-cli.sh ca crt -n ROOT --issuer-name ROOT --days 2000

  203. input password of the issuer:

  204. > 1

  205. renew [${home}/config/keys/ROOT.crt] success success

  206. ```

  207. 

  208. #### 生成测试证书

  209. 

  210. 一键生成可用于初始化`JD Chain`网络及使用需要的证书

  211. ```bash

  212. :bin$ ./jdchain-cli.sh ca test -h

  213. Create certificates for a testnet.

  214. Usage: jdchain-cli ca test [-hV] [--pretty] [-a=<algorithm>]

  215.                            --country=<country> --email=<email> [--gws=<gws>]

  216.                            [--home=<path>] --locality=<locality>

  217.                            [--nodes=<nodes>] --org=<organization>

  218.                            [-p=<password>] --province=<province>

  219.                            [--users=<users>]

  220.   -a, --algorithm=<algorithm>

  221.                              Crypto algorithm

  222.       --country=<country>    Country

  223.       --email=<email>        Email address

  224.       --gws=<gws>            Gateway size

  225.   -h, --help                 Show this help message and exit.

  226.       --home=<path>          Set the home directory.

  227.       --locality=<locality>  Locality

  228.       --nodes=<nodes>        Node size

  229.       --org=<organization>   Organization name

  230.   -p, --password=<password>  Password of the key

  231.       --pretty               Pretty json print

  232.       --province=<province>  Province

  233.       --users=<users>        Available user size

  234.   -V, --version              Print version information and exit.

  235. ```

  236. - `algorithm`,签名算法,默认`ED25519`,仅支持传入`ED25519`,  `RSA`,`ECDSA`,`SM2`之一

  237. - `nodes`,共识节点个数,生成`nodes`个`PEER`类型的证书,可用于节点使用。默认:`4`

  238. -  `gws`,网关节点个数,生成`gws`个`GW`类型的证书,可用于网关使用。默认:`1`

  239. - `users`,用户个数,生成`users`可个可用于普通用户使用的证书。默认:`10`

  240. 

  241. 如创建基于`SM2`签名算法的一个`ROOT`类型证书,`4`个节点证书,`1`个网关证书,`10`个用户证书:

  242. ```bash

  243. :bin$ ./jdchain-cli.sh ca test --org JDT --country CN --locality BJ --province BJ --email jdchain@jd.com

  244. input private key password:

  245. // 输入操作过程中生成的私钥加密密码

  246. > 1

  247. create test certificates in [${home}/config/keys] success

  248. ```

一个面向企业应用场景的通用区块链框架系统,能够作为企业级基础设施,为业务创新提供高效、灵活和安全的解决方案