Creating a private CA on Debian 9 and enabling HTTPS for Apache

First, a word: this damn competition. Not only can't I go home for New Year, I also have to use Debian.

  • Note: this experiment runs in virtual machines
  • VMware 14
  • WSC-D-CAIGARY-debian9 (CA server)
  • WSC-D-SAOPAULO-debian9 (Apache server)
  • OpenSSL: creating a private CA

1. Install openssl on the server

root@wsc-d-caigary:/home/wang# apt-get install openssl

2. Create the files the CA needs
First cd into /etc/ssl (PS: Debian is annoying on this point; unlike CentOS, which uses /etc/pki/CA)

root@wsc-d-caigary:~# cd /etc/ssl/
root@wsc-d-caigary:/etc/ssl# pwd
/etc/ssl
root@wsc-d-caigary:/etc/ssl# 
root@wsc-d-caigary:/etc/ssl# touch index.txt
root@wsc-d-caigary:/etc/ssl# echo 01 > serial
root@wsc-d-caigary:/etc/ssl# 
root@wsc-d-caigary:/etc/ssl# ls -l
总用量 40
drwxr-xr-x 3 root root     20480 2月   5 20:36 certs
-rw-r--r-- 1 root root         0 2月   6 15:06 index.txt
-rw-r--r-- 1 root root     10771 2月   6 01:51 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 2月   6 01:56 private
-rw-r--r-- 1 root root         3 2月   6 15:06 serial
root@wsc-d-caigary:/etc/ssl# 

3. Create the CA's private key

root@wsc-d-caigary:/etc/ssl# (umask 066;openssl genrsa -out ./private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
......................................................+++
e is 65537 (0x010001)
root@wsc-d-caigary:/etc/ssl# 

4. Create the CA's self-signed certificate

root@wsc-d-caigary:/etc/ssl# openssl req -new -x509 -key ./private/cakey.pem -days 7300 -out ./cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz
Email Address []:mdzz@mdzz
root@wsc-d-caigary:/etc/ssl# 

5. At this point the server has generated two files
First: /etc/ssl/private/cakey.pem
Second: /etc/ssl/cacert.pem

6. Generate the client's private key

root@wsc-d-saopaulo:/etc/ssl# (umask 066;openssl genrsa -out apache.prikey 2048)
Generating RSA private key, 2048 bit long modulus
................................................................+++
.........+++
e is 65537 (0x010001)
root@wsc-d-saopaulo:/etc/ssl# 

7. Generate the certificate signing request on the client (PS: the fields should be filled in the same way both times)

root@wsc-d-saopaulo:/etc/ssl# openssl req -new -key ./apache.prikey -days 365 -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz
Email Address []:mdzz@mdzz

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:mdzz
root@wsc-d-saopaulo:/etc/ssl# ls -l
总用量 44
-rw-r--r-- 1 root root      1082 2月   6 15:21 apache.csr
-rw------- 1 root root      1679 2月   6 15:19 apache.prikey
drwxr-xr-x 3 root root     20480 2月   5 20:36 certs
-rw-r--r-- 1 root root     10771 11月  2 19:29 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 2月   6 01:36 private
root@wsc-d-saopaulo:/etc/ssl# 

8. Upload the client's certificate request file (apache.csr) to the server (PS: since I am on virtual machines, I instead pulled it down from the client while on the server; the scp upload command is not explained here)

root@wsc-d-caigary:/etc/ssl# scp wang@192.168.157.163:/etc/ssl/apache.csr /etc/ssl/
The authenticity of host '192.168.157.163 (192.168.157.163)' can't be established.
ECDSA key fingerprint is SHA256:+ZcaFJbjwPO1aQV6MrVCo3i547D3m4S/bHlWx9oO11Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.157.163' (ECDSA) to the list of known hosts.
wang@192.168.157.163's password: 
apache.csr                        100% 1082   701.8KB/s   00:00    
root@wsc-d-caigary:/etc/ssl# 

9. At this point the client has generated two files
First: /etc/ssl/apache.prikey
Second: /etc/ssl/apache.csr

10. At this point the server has three files
First: /etc/ssl/private/cakey.pem
Second: /etc/ssl/cacert.pem
Third: /etc/ssl/apache.csr

11. Sign the certificate on the server

root@wsc-d-caigary:/etc/ssl# openssl ca -in ./apache.csr -out ./apache.crt -days 365
Using configuration from /usr/lib/ssl/openssl.cnf
ca: /etc/ssl/newcerts is not a directory
/etc/ssl/newcerts: No such file or directory
root@wsc-d-caigary:/etc/ssl# 

There is an error message, so let's look at it.
It says the newcerts folder cannot be found.
Remember our two earlier steps:

touch index.txt
echo 01 > serial

Now create the newcerts directory and copy the two files above into newcerts

root@wsc-d-caigary:/etc/ssl# mkdir newcerts
root@wsc-d-caigary:/etc/ssl# cp index.txt ./newcerts/index.txt
root@wsc-d-caigary:/etc/ssl# cp serial ./newcerts/serial
root@wsc-d-caigary:/etc/ssl# cd newcerts/
root@wsc-d-caigary:/etc/ssl/newcerts# ls -l
总用量 4
-rw-r--r-- 1 root root 0 2月   6 15:33 index.txt
-rw-r--r-- 1 root root 3 2月   6 15:33 serial
root@wsc-d-caigary:/etc/ssl/newcerts# 

12. Sign again, confirm twice, and signing succeeds

root@wsc-d-caigary:/etc/ssl# openssl ca -in ./apache.csr -out ./apache.crt -days 365
Using configuration from /usr/lib/ssl/openssl.cnf
Can't open /etc/ssl/index.txt.attr for reading, No such file or directory
140278204798208:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/ssl/index.txt.attr','r')
140278204798208:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  6 07:35:49 2018 GMT
            Not After : Feb  6 07:35:49 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = zhejiang
            organizationName          = mdzz
            organizationalUnitName    = mdzz
            commonName                = mdzz
            emailAddress              = mdzz@mdzz
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2D:E1:7B:26:65:A7:E3:93:1E:E0:D2:5D:24:CF:A2:61:49:5A:93:BB
            X509v3 Authority Key Identifier: 
                keyid:96:BA:95:A7:AA:15:0D:CC:40:24:A8:D5:FC:60:E7:06:AA:6C:A5:20

Certificate is to be certified until Feb  6 07:35:49 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@wsc-d-caigary:/etc/ssl# 
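Here is an added worked example (my own script, not code from the original post) that runs the same procedure end to end on one machine, in the shell the post uses. It creates the files `openssl ca` looks for before signing, so neither of the two messages in the post appears: `newcerts` is just the directory where `openssl ca` stores a copy of each issued certificate (the `index.txt` and `serial` copied into it are never read), and the `index.txt.attr` message is only a warning, which is why the run above still ended with "Data Base Updated". Two other things visible in the output above that the script handles differently: the `localityName` entered in the CSR is missing from the issued certificate because the stock `policy_match` section does not list it and `openssl ca` drops DN fields the policy does not mention, and a Common Name of `mdzz` will not match any hostname, so the CSR here carries the server name in both the CN and a subjectAltName. The working directory, the file name `ca-demo.sh`, the hostname `www.example.test` and the config file are assumptions; the subject values and the serial/expiry in the sample database are taken from the post.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's steps 2-12 as one
# non-interactive script, with the layout `openssl ca` expects created up front so the
# "newcerts is not a directory" and "Can't open index.txt.attr" messages never appear.
# All paths are constructed for this example; the post worked in /etc/ssl.

# Create every file and directory the [ CA_default ] section below points at.
ca_init() {
    dir="$1"
    mkdir -p "$dir/newcerts"                              # new_certs_dir: a copy of each issued cert
    (umask 077; mkdir -p "$dir/private")                  # the CA key goes here
    : > "$dir/index.txt"                                  # certificate database, empty at start
    echo 'unique_subject = yes' > "$dir/index.txt.attr"   # openssl would create this itself
    echo 01 > "$dir/serial"                               # next serial number, in hex
}

# Return 0 when the layout is complete; otherwise name what is missing and return 1.
ca_check() {
    rc=0
    for p in "$1/newcerts/" "$1/private/" "$1/index.txt" "$1/serial"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; rc=1; }
    done
    return $rc
}

# Count index.txt entries with a status letter (V valid, R revoked, E expired). Fields are
# tab-separated: status, expiry (YYMMDDHHMMSSZ), revocation date, serial, file name, subject.
ca_count_status() {
    awk -F'\t' -v st="$2" '$1 == st { n++ } END { print n + 0 }' "$1"
}

# Constructed sample database: the entry matching the certificate details printed in the
# post (serial 1, valid until Feb 6 07:35:49 2019 GMT) plus one expired entry.
ca_sample_index() {
    printf 'V\t190206073549Z\t\t01\tunknown\t/C=CN/ST=zhejiang/O=mdzz/OU=mdzz/CN=mdzz/emailAddress=mdzz@mdzz\n' > "$1"
    printf 'E\t180101000000Z\t\t02\tunknown\t/C=CN/O=mdzz/CN=old.example.test\n' >> "$1"
}

# Minimal openssl.cnf with absolute paths under $1, so signing does not depend on the
# current directory or on whatever /usr/lib/ssl/openssl.cnf happens to point at.
ca_write_config() {
    cat <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
new_certs_dir   = $1/newcerts
database        = $1/index.txt
serial          = $1/serial
certificate     = $1/cacert.pem
private_key     = $1/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
x509_extensions = usr_cert
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_req ]
subjectAltName         = DNS:www.example.test
[ req ]
distinguished_name     = req_dn
[ req_dn ]
EOF
}

# Steps 3-12 of the post without prompts. Needs openssl; only runs when asked to.
ca_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    ca="$1/ca"; srv="$1/apache"
    ca_init "$ca" && ca_check "$ca" && mkdir -p "$srv" || return 1
    ca_write_config "$ca" > "$ca/openssl.cnf"
    # CA key (mode 600) and a 20-year self-signed CA certificate carrying CA:TRUE.
    (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 7300 -key "$ca/private/cakey.pem" -config "$ca/openssl.cnf" \
        -extensions v3_ca -subj '/C=CN/ST=zhejiang/O=mdzz/CN=mdzz private CA' -out "$ca/cacert.pem"
    # Server key and CSR. CN is the name clients connect to; v3_req repeats it in the SAN.
    # No -days here: the option has no effect on a CSR, the CA sets the validity.
    (umask 066; openssl genrsa -out "$srv/apache.prikey" 2048 2>/dev/null)
    openssl req -new -key "$srv/apache.prikey" -config "$ca/openssl.cnf" -reqexts v3_req \
        -subj '/C=CN/ST=zhejiang/O=mdzz/CN=www.example.test' -out "$srv/apache.csr"
    # Sign (-batch answers the two y/n prompts) and confirm the chain verifies.
    openssl ca -batch -config "$ca/openssl.cnf" -days 365 -in "$srv/apache.csr" -out "$srv/apache.crt"
    openssl verify -CAfile "$ca/cacert.pem" "$srv/apache.crt"
}

if [ "${1:-}" = run ]; then ca_demo "${2:-$(mktemp -d)}"; fi
```

Run it as `sh ca-demo.sh run /tmp/cademo` to produce the CA and the signed server certificate (this part needs openssl); the helper functions for the directory layout and the `index.txt` database work on their own. After a signing run, `serial` holds the next number, `serial.old` the previous one, and `ca_count_status /tmp/cademo/ca/index.txt V` reports how many certificates the CA has issued and not revoked.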

    Original author: 单曲_循环
    Original URL: https://www.jianshu.com/p/23c7bb881390
    This article is reposted from the web for knowledge sharing only; if it infringes on anything, please contact the blogger to have it removed.