Renewal node (FISCO-BCOS#662)

faquanzhou · Oct 15, 2019 · 650e73f · 650e73f
1 parent 2b70818
commit 650e73f
Show file tree

Hide file tree

Showing 4 changed files with 205 additions and 2 deletions.
diff --git a/docs/faq.md b/docs/faq.md
@@ -173,3 +173,9 @@ Traceback (most recent call last):
 ```bash
   $ pip install configparser
 ```
+
+问:
+  节点或SDK使用的OpenSSL证书过期了，如何续期？
+
+答:
+  证书续期操作可以参考[证书续期操作](./manual/certificates.md#id9)
diff --git a/docs/manual/certificates.md b/docs/manual/certificates.md
@@ -70,7 +70,6 @@ FISCO BCOS的证书生成流程如下，用户也可以使用[企业部署工具
 
 * 联盟链委员会使用openssl命令请求链私钥`ca.key`，根据ca.key生成链证书`ca.crt`
 
-
 ### 生成机构证书
 
 * 机构使用openssl命令生成机构私钥`agency.key`
@@ -79,4 +78,198 @@ FISCO BCOS的证书生成流程如下，用户也可以使用[企业部署工具
 
 ### 生成节点/SDK证书
 
-* 节点生成私钥`node.key`和证书请求文件`node.csr`，机构管理员使用私钥`agency.key`和证书请求文件`node.csr`为节点/SDK颁发证书
+* 节点生成私钥`node.key`和证书请求文件`node.csr`，机构管理员使用私钥`agency.key`和证书请求文件`node.csr`为节点/SDK颁发证书
+
+## 节点证书续期操作
+
+完成证书续期前推荐使用[证书检测脚本](../enterprise_tools/operation.md#handshake-failed)对证书进行检测。
+
+当证书过期时，需要用户使用对当前节点私钥从新签发证书，操作如下：
+
+假设用户证书过期的节点目录为`~/mynode`，节点目录入下：
+
+```bash
+mynode
+├── conf
+│   ├── ca.crt
+│   ├── group.1.genesis
+│   ├── group.1.ini
+│   ├── node.crt #节点证书过期，需要替换
+│   ├── node.key #节点私钥，证书续期需要使用
+│   └── node.nodeid
+├── config.ini
+├── scripts
+│   ├── load_new_groups.sh
+│   └── reload_whitelist.sh
+├── start.sh
+└── stop.sh
+```
+
+设用户机构证书目录为`~/myagency`，目录入下：
+
+```bash
+agency
+├── agency.crt #机构证书，证书续期需要使用
+├── agency.key #机构私钥，证书续期需要使用
+├── agency.srl
+├── ca.crt
+└── cert.cnf
+```
+
+续期操作如下：
+
+- 使用节点私钥生成证书请求文件 请将`~/mynode/node/conf/node.key`修改为你自己的节点私钥，将`~/myagency/cert.cnf`替换为自己的证书配置文件
+
+```bash
+openssl req -new -sha256 -subj "/CN=RenewalNode/O=fisco-bcos/OU=node" -key ~/mynode/node/conf/node.key -config ~/myagency/cert.cnf -out node.csr
+```
+
+操作完成后会在当前目录下生成证书请求文件`node.csr`。
+
+- 查看证书请求文件
+
+```bash
+cat node.csr
+```
+
+操作完成后显示如下：
+
+```bash
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGzCBwgIBADA6MRQwEgYDVQQDDAtSZW5ld2FsTm9kZTETMBEGA1UECgwKZmlz
+Y28tYmNvczENMAsGA1UECwwEbm9kZTBWMBAGByqGSM49AgEGBSuBBAAKA0IABICU
+KLP9GFRF6bBz+pfHCl1ifqzqrPiVoSPtwubXx+NRAI502EENMpnLqaXWm+OyadKz
+PqUneVDQ6U+CvgY2IPygKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYD
+VR0PBAQDAgXgMAoGCCqGSM49BAMCA0gAMEUCIQDa8PzS1sCdk+rWgEsaOdvBnY+z
+NDw6LU44WHCtrW6iNQIgY7Ne4EpAvPGmMOXalJsvYm2Xy6Bm9MlL7NEIP9Y0ai0=
+-----END CERTIFICATE REQUEST-----
+```
+
+- 使用机构私钥和机构证书对证书请求文件node.csr签发新证书，请将`~/myagency/agency.key`修改为你自己的机构私钥，请将`~/myagency/agency.crt`修改为你自己的机构证书
+
+```bash
+openssl x509 -req -days 3650 -sha256 -in node.csr -CAkey ~/myagency/agency.key -CA ~/myagency/agency.crt -out node.crt -CAcreateserial -extensions v3_req -extfile ~/myagency/cert.cnf
+```
+
+成功会有如下显示
+
+```bash
+Signature ok
+subject=/CN=RenewalNode/O=fisco-bcos/OU=node
+Getting CA Private Key
+```
+
+操作完成后悔在当前目录下生成续期后的证书证书`node.crt`。
+
+- 查看节点新证书
+
+```bash
+cat ./node.crt
+```
+
+操作完成后显示如下：
+
+```bash
+-----BEGIN CERTIFICATE-----
+MIICQDCCASigAwIBAgIJALm++fKF6UmXMA0GCSqGSIb3DQEBCwUAMDcxDzANBgNV
+BAMMBmFnZW5jeTETMBEGA1UECgwKZmlzY28tYmNvczEPMA0GA1UECwwGYWdlbmN5
+MB4XDTE5MDkyNjEwMjEyNVoXDTI5MDkyMzEwMjEyNVowOjEUMBIGA1UEAwwLUmVu
+ZXdhbE5vZGUxEzARBgNVBAoMCmZpc2NvLWJjb3MxDTALBgNVBAsMBG5vZGUwVjAQ
+BgcqhkjOPQIBBgUrgQQACgNCAASAlCiz/RhURemwc/qXxwpdYn6s6qz4laEj7cLm
+18fjUQCOdNhBDTKZy6ml1pvjsmnSsz6lJ3lQ0OlPgr4GNiD8oxowGDAJBgNVHRME
+AjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEAVvLUYeOJBfr1bbwp
+E2H2QTb4phgcFGvrW5tqfvDvKaVGrSjJowZPKX+ruWFRQAZJBCc3/4M0Q1PYlWpB
+R5a9Tpc7ebmUVltY7/GqASlDExdt2nqSvLxOKWgE++FveCdJzOEGuuttTZxjWFhQ
+Yr9rPlKhzhEo2jM0lFIxdoCrG/WkcKmzJEyHdVwxLr2FOF9q9e9O9xyUkt2QRBGD
+T4dIOeLRK6V1pnNkbBNRYG+tGMq2nBUPCAKJbV1LnhaNNRRbE5z7I4JkRnLHea6P
+1VIiwnmbv9a3aM7lsnisPAz8PY5Ddmflo87UiL02J2UnQmq+gtAB9C9DUROGbSH5
+Q6CXDA==
+-----END CERTIFICATE-----
+```
+
+- 讲机构证书添加到节点证书末尾
+
+由于fisco-bcos使用三级证书结构，需要将机构证书和节点证书合并
+
+```bash
+cat ~/myagency/agency.crt >> ./node.crt
+```
+
+- 查看合并后的节点新证书
+
+```bash
+cat ./node.crt
+```
+
+操作完成后显示如下：
+
+```bash
+-----BEGIN CERTIFICATE-----
+MIICQDCCASigAwIBAgIJALm++fKF6UmXMA0GCSqGSIb3DQEBCwUAMDcxDzANBgNV
+BAMMBmFnZW5jeTETMBEGA1UECgwKZmlzY28tYmNvczEPMA0GA1UECwwGYWdlbmN5
+MB4XDTE5MDkyNjEwMjEyNVoXDTI5MDkyMzEwMjEyNVowOjEUMBIGA1UEAwwLUmVu
+ZXdhbE5vZGUxEzARBgNVBAoMCmZpc2NvLWJjb3MxDTALBgNVBAsMBG5vZGUwVjAQ
+BgcqhkjOPQIBBgUrgQQACgNCAASAlCiz/RhURemwc/qXxwpdYn6s6qz4laEj7cLm
+18fjUQCOdNhBDTKZy6ml1pvjsmnSsz6lJ3lQ0OlPgr4GNiD8oxowGDAJBgNVHRME
+AjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEAVvLUYeOJBfr1bbwp
+E2H2QTb4phgcFGvrW5tqfvDvKaVGrSjJowZPKX+ruWFRQAZJBCc3/4M0Q1PYlWpB
+R5a9Tpc7ebmUVltY7/GqASlDExdt2nqSvLxOKWgE++FveCdJzOEGuuttTZxjWFhQ
+Yr9rPlKhzhEo2jM0lFIxdoCrG/WkcKmzJEyHdVwxLr2FOF9q9e9O9xyUkt2QRBGD
+T4dIOeLRK6V1pnNkbBNRYG+tGMq2nBUPCAKJbV1LnhaNNRRbE5z7I4JkRnLHea6P
+1VIiwnmbv9a3aM7lsnisPAz8PY5Ddmflo87UiL02J2UnQmq+gtAB9C9DUROGbSH5
+Q6CXDA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIJAKK0/dNnUmlqMA0GCSqGSIb3DQEBCwUAMDUxDjAMBgNV
+BAMMBWNoYWluMRMwEQYDVQQKDApmaXNjby1iY29zMQ4wDAYDVQQLDAVjaGFpbjAe
+Fw0xOTA5MjYwOTU4NDFaFw0yOTA5MjMwOTU4NDFaMDcxDzANBgNVBAMMBmFnZW5j
+eTETMBEGA1UECgwKZmlzY28tYmNvczEPMA0GA1UECwwGYWdlbmN5MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPqz154aXw4t+dcRl+aOz3X7yy0PUymm
+DqMq3O7OeWXWYa8MWss5GBGWa2SL6puX/uryZJUUYcmSDwAo7Rsrf8zmbiHqouEC
+liy01IqM+9jE7/IywRpRZO7W/QNrv9vRXxDJsr120vs760aMRKWD6UCd7bOQ/m/H
+N8VC66r3cvcqey1q49idwOnhh5g80921MFlvu30Rire8kzckzUDr/SV3yt036tZs
+D+9l/jHRc/tWo38nkiPy3DIm2oOlrNeJ4+IHnXOfxQxOwsiAeFluxtCq/ZFh4pTL
+5lJZTo7bzRcORLOdz40svwDxJKyrMflhue0kGDC0WMExzzvx2oT14wIDAQABoxAw
+DjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBlXrFIPQPlKosm2q/O
+KktQA04Qh/y6w94Z4bHve0AqzTZn3/tf5q0e9C4f8F/Da+D+nV0GETLtEqRSHT+r
+CCAAm78qN9oXmfkt3LvK/YXLNCVB6SSXw8fQx+bfDbIVRB5ivkG1+pmmnh3po1zU
+zbrnfdSQi0ZV9MjIPsArjWwkE1i0GkXeiXov305iEX6J5pgu3AMe2RRMwyJiJ6ud
+PRPCsF5BN6QrtMubwEnyvyrrX0/drBMtHLMCgecLd/nYMyJ4P15L6UnxC8taQSjM
+rAtP3RZrBvBTwXKED0ge/hGIzrO9I1vjfCEuxV3DLlKfGVewuuboW2tYFWGfmrEX
+MB7w
+-----END CERTIFICATE-----
+```
+
+- 将生成的节点证书node.crt替换至节点的conf文件夹下
+
+```bash
+cp -f ./node.crt ~/mynode/node/conf
+```
+
+- 启动节点
+
+```bash
+bash ~/mynode/node/start.sh
+```
+
+- 查看节点共识
+
+```bash
+tail -f ~/mynode/log/log*  | grep +++
+```
+
+正常情况会不停输出`++++Generating seal`，表示共识正常。
+
+通过上述操作，完成了证书续期的操作。
+
+## 机构证书/链证书续期
+
+当整条链的证书均已过期时，需要从新对整条链的证书进行续期操作，续期证书的OpenSSL命令与节点续期操作基本相同，或查阅`build_chain.sh`脚本签发证书的操作，简要步骤如下：
+
+- 使用链私钥`ca.key`从新签发链证书`ca.crt`
+- 使用机构证书`agency.key`生成证书请求文件`agency.csr`
+- 使用链私钥`ca.key`对证书请求文件`agency.csr`签发得到机构证书`agency.crt`
+- 使用节点`node.key`生成证书请求文件`node.csr`
+- 使用机构私钥`agency.key`对证书请求文件`node.csr`签发得到节点证书`node.crt`
+- 将节点证书和机构证书拼接得到`node.crt`，拼接操作可以参考`节点证书续期操作`
+- 使用新生成的链证书`ca.crt`，节点证书`node.crt`替换所有节点conf目录下的证书
diff --git a/en/docs/faq.md b/en/docs/faq.md
@@ -173,3 +173,5 @@ A:
 ```bash
   $ pip install configparser
 ```
+
+<!-- // TODO: -->
diff --git a/en/docs/manual/certificates.md b/en/docs/manual/certificates.md
@@ -79,3 +79,5 @@ FISCO BCOS certificate generation process is as follows. Users can also use the
 ### Node/SDK certificate generation
 
 * The node generates the private key `node.key` and the certificate request file `node.csr`. The agency administrator uses the private key `agency.key` and the certificate request file `node.csr` to issue the certificate to the node/SDK.
+
+## TODO
-Original file line number
+Diff line change
@@ Expand Up / @@ -173,3 +173,5 @@ A: @@
     ```bash
       $ pip install configparser
     ```
+    <!-- // TODO: -->
Original file line number	Diff line number	Diff line change
Expand Up		@@ -79,3 +79,5 @@ FISCO BCOS certificate generation process is as follows. Users can also use the
		### Node/SDK certificate generation

		* The node generates the private key `node.key` and the certificate request file `node.csr`. The agency administrator uses the private key `agency.key` and the certificate request file `node.csr` to issue the certificate to the node/SDK.

		## TODO