How can the certificates inside a Corda network be signed by a Certificate Authority?


How can the certificates inside a Corda network be signed by a Certificate Authority? Is there a clear process for managing the certificates of each node and participant in a Corda network?

To join a Corda network, a node needs to obtain a certificate from the Identity Manager of the network it wants to connect to. This is described in the Corda Enterprise documentation:

To connect to a compatibility zone you need to register with its certificate signing authority (or doorman) by submitting a certificate signing request (CSR) to obtain a valid identity for the zone. This process is only necessary when the node connects to the network for the first time, or when the certificate expires. You could do this out of band, for instance via email or a web form, but there’s also a simple request/response utility built into the node.

Before using this utility, you must first have received the trust store file containing the root certificate from the zone operator. For high security zones, this might be delivered physically.

So, first the node operator needs to contact the network operator out of band and provide its X.509 information. The network operator will provide the node with:

  • truststore.jks, the network/zone operator’s root certificate in keystore with a locally configurable password as protection against certain attacks

At this point the node can use the node utility to send a CSR (certificate signing request) to the Identity Manager in order to obtain the node certificate, and it receives the following:

  • nodekeystore.jks, which stores the node’s identity key pairs and certificates

Note that this could also be provided directly by the network operator; I suppose it depends on their policy. This is also described in the documentation.

The node can also create sslkeystore.jks by itself, which stores the node’s TLS key pair and certificate, and which can be used, for example, to connect external RPC clients to the node.

The node certificate expires and can be revoked by the Identity Manager, so in those cases another specific request is needed to obtain a new certificate.

Further reading:
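As an added check that is not part of the answer above and not Corda's own code: a small Java program that loads the truststore.jks and nodekeystore.jks files named in the answer and verifies that every key entry's certificate chain validates up to the zone root in the trust store. The file paths, the password arguments and the use of the standard JDK PKIX validator (rather than any Corda-specific validation) are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not Corda's own code. Paths and passwords are assumed; the real
// values live in the node's configuration. Checks that each key entry in
// nodekeystore.jks chains up to the zone operator's root in truststore.jks.
public class NodeKeystoreCheck {
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Returns the aliases whose chains validated; throws on the first chain that does not.
    static List<String> verifyChains(KeyStore nodeKeystore, KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<Certificate> rootCerts = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (!trustStore.isCertificateEntry(alias)) continue;
            Certificate root = trustStore.getCertificate(alias);
            anchors.add(new TrustAnchor((X509Certificate) root, null));
            rootCerts.add(root);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP lookup here
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<String> verified = new ArrayList<>();
        for (String alias : Collections.list(nodeKeystore.aliases())) {
            if (!nodeKeystore.isKeyEntry(alias)) continue;
            List<Certificate> path = new ArrayList<>();
            for (Certificate c : nodeKeystore.getCertificateChain(alias)) {
                if (!rootCerts.contains(c)) path.add(c); // the anchor itself is not part of the path
            }
            CertPath certPath = factory.generateCertPath(path);
            validator.validate(certPath, params); // throws CertPathValidatorException on failure
            verified.add(alias);
        }
        return verified;
    }

    public static void main(String[] args) throws Exception {
        // usage: java NodeKeystoreCheck <nodekeystore password> <truststore password>
        KeyStore node = loadJks("certificates/nodekeystore.jks", args[0].toCharArray());
        KeyStore trust = loadJks("certificates/truststore.jks", args[1].toCharArray());
        System.out.println("Chains anchored at zone root: " + verifyChains(node, trust));
    }
}
```

A chain that fails here was not issued under the root the zone operator delivered, which is exactly the situation the out-of-band trust store delivery is meant to rule out.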