Skip to content

sign-ca · 配置

本章数据全部取自 .env-example / docker-compose.yaml / conf/fabric-ca-server-config.yaml / kms-conf/sign-ca.yaml / deploy/multi-ca/.env.example 的实际写法。

.env(单 CA 部署)

来源:README.md:34-39.env-example

变量用途
IMAGE_URLsign-ca 镜像地址
SIGN_KMS_IMAGEsign-kms 镜像地址
FABRIC_CA_REFfabric-ca 源码版本(仅 build 用)
KMS_AUTH_SECRETsign-kms JWT 签名密钥
KMS_LABELsign-kms token label(第一次启 kms 后从 UI 拿)
KMS_PIN与 label 对应的 JWT

docker-compose.yaml 直接读:

  • ${SIGN_KMS_IMAGE}kms 镜像(第 11 行)
  • ${IMAGE_URL}ca 镜像(第 26 行)
  • ${KMS_LABEL} / ${KMS_PIN} → 注入到 ca 服务 env(第 37-38 行)

WARNING

KMS_AUTH_SECRETdocker-compose.yaml:19 硬编码为 1234567890111223,不是从 .env 读取。生产部署需要修改。

conf/fabric-ca-server-config.yaml

来源:conf/fabric-ca-server-config.yaml,279 行(末行 prefix: server 无尾随换行符,wc -l 报 278)。挂载到 ca 容器的 /etc/hyperledger/fabric-ca-server/docker-compose.yaml:40)。

顶层段索引

起始行
version8
port14
debug17
crlsizelimit20
tls25-35
ca40-50
bccsp55-89
csr94-110
registry115-133
db138-146
affiliations151-156
signing161-182
crl187-190
intermediate195-209
ldap214-230(注释掉)
operations235-257
metrics262-279

关键字段实测值

字段行号
version1.5.168
port705414
debugfalse17
crlsizelimit51200020
tls.enabledfalse27
ca.namesign-ca42
ca.certfile / keyfile / chainfile44-46
bccsp.defaultPKCS1158
bccsp.pkcs11.library/usr/local/lib/libkms_pkcs11.so70
bccsp.pkcs11.labelKMS_TK73
bccsp.pkcs11.pin空(由 env 覆盖)76
bccsp.pkcs11.hashSHA279
bccsp.pkcs11.security25682
bccsp.pkcs11.softwareverifyfalse86
bccsp.pkcs11.immutablefalse89
csr.cnsign-ca
csr.keyrequest.algo / sizeecdsa / 256
csr.ca.expiry131400h
csr.ca.pathlength1
registry.maxenrollments-1118
registry.identities[0].name / pass / typeadmin / adminpw / client121-133
db.type / datasourcesqlite3 / fabric-ca-server.db138-146
signing.default.expiry8760h161-182
signing.profiles.ca.expiry43800h同上
crl.expiry24h187-190
operations.listenAddress0.0.0.0:9443237
operations.tls.enabledfalse242
metrics.providerprometheus264
metrics.statsd.network / address / writeInterval / prefixudp / 127.0.0.1:8125 / 10s / server269-279

env 覆盖

来源:README.md:102-111docker-compose.yaml:37-38

YAML 路径env 变量注入来源
bccsp.pkcs11.labelFABRIC_CA_SERVER_BCCSP_PKCS11_LABEL${KMS_LABEL}
bccsp.pkcs11.pinFABRIC_CA_SERVER_BCCSP_PKCS11_PIN${KMS_PIN}

通用规则:FABRIC_CA_SERVER_<UPPER_SNAKE_PATH> 可覆盖任意 yaml 键(README.md:111)。

容器内额外 env:SIGN_KMS_ENDPOINT=kms:9200docker-compose.yaml:33),由 libkms_pkcs11.so 读取。

启动参数:fabric-ca-server start --idemix.curve gurvy.Bn254Dockerfile:93docker-compose.yaml 不覆盖 CMD)。

kms-conf/sign-ca.yaml

来源:kms-conf/sign-ca.yaml,33 行。挂载到 kms 容器的 /sign-kms/confdocker-compose.yaml:21)。

yaml
server:
  addr: 0.0.0.0:9200
  http_addr: 0.0.0.0:9201
  timeout: 60s
  https: false
  web_dist_path: ../../web/dist

data:
  database:
    driver: sqlite3
    source: 'file:./data/kms.db?cache=shared&_fk=1'

observability:
  otlp_endpoint: 10.128.0.6:4317
  insecure: true
  metrics:
    enable: false
  tracing:
    enable: false
    sample_ratio: 1.0
  logging:
    enable: false

hsm:
  providers:
    - id: softhsm-dev
      name: SoftHSM (Dev)
      type: soft
      library: /usr/lib/softhsm/libsofthsm2.so
      enabled: true

注意 observability.metrics.enable / tracing.enable / logging.enable 默认均为 false

多 CA 部署(deploy/multi-ca/

.env

来源:deploy/multi-ca/.env.example,29 行。

变量行号
SIGN_KMS_IMAGE14
IMAGE_URL15
KMS_AUTH_SECRET18
KMS_PIN_BANK123
POSTGRES_SUPERUSER_PASSWORD26
PG_PASSWORD_BANK129

docker-compose.yaml

来源:deploy/multi-ca/docker-compose.yaml,117 行。

Service关键字段
kmsimage ${SIGN_KMS_IMAGE}、env KMS_AUTH_SECRET=${KMS_AUTH_SECRET}、volumes 与单 CA 版同名(kms-tokens / kms-data 命名卷 + kms-conf bind),但此处 kms-conf bind 路径为 ../../kms-conf:/sign-kms/conf(相对 deploy/multi-ca/,单 CA 版为 ./kms-conf)(第 29-41 行)
postgresimage postgres:18.3-alpine3.23、ports 5432:5432、env POSTGRES_USER=postgres / POSTGRES_DB=postgres / POSTGRES_PASSWORD=${POSTGRES_SUPERUSER_PASSWORD}、healthcheck pg_isready -U postgres(第 43-59 行)
pg-initimage postgres:18.3-alpine3.23profiles: ["init"]、entrypoint psql -v PG_PASSWORD_BANK1=${PG_PASSWORD_BANK1} -f /init.sql(第 61-81 行)
ca-bank1image ${IMAGE_URL}、ports 7054:7054 / 9443:9443、env SIGN_KMS_ENDPOINT=kms:9200 / FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=${KMS_PIN_BANK1} / FABRIC_CA_SERVER_DB_DATASOURCE=host=postgres port=5432 user=ca_bank1_app password=${PG_PASSWORD_BANK1} dbname=sign_ca_bank1 sslmode=disable、command fabric-ca-server start --config /etc/hyperledger/fabric-ca-server/sign-ca.yaml --idemix.curve gurvy.Bn254depends_on: postgres(service_healthy), kms(service_started)(第 83-112 行)

注释中的 bootstrap 顺序

来源:deploy/multi-ca/docker-compose.yaml:1-26

  1. .env
  2. docker compose up -d kms postgres
  3. 浏览器开 :9201 创建 partition + JWT
  4. JWT 写入 .env
  5. docker compose run --rm pg-init
  6. 预放 intermediate CA cert 到 ./bank1/ca-cert.pem
  7. docker compose up -d ca-bank1

[未核]

bank1/sign-ca.yamlpostgres/init.sql 的具体内容、root/README.md 的仪式流程文字 —— 未读,请直接看仓库内文件。