OpenSSL Working with SSL Certificates, Private Keys, CSRs and Truststores

Generating a private key and a CSR (Certificate Signing Request)

Use this method if you want to use HTTPS (HTTP over TLS) to secure your Apache HTTP or Nginx web server, and you want to use a Certificate Authority (CA) to issue the SSL certificate. The CSR that is generated can be sent to a CA to request the issuance of a CA-signed SSL certificate. If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

Creating a 2048-bit private key (domain.key) and a CSR (domain.csr) from scratch:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Command Explanation:

  1. -newkey rsa:2048 option specifies that the key should be 2048-bit, generated using the RSA algorithm.
  2. -nodes option specifies that the private key should not be encrypted with a pass phrase.
  3. -new option, which is not included here but implied by -newkey, indicates that a CSR is being generated.

After running the above command, answer the CSR information prompts:


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:

To answer the CSR information non-interactively, add the -subj option to the command:

-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
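The non-interactive key and CSR generation above, as an added example that is not part of the gist: it combines -subj and -sha256, then validates the request before it goes to the CA. It assumes OpenSSL 1.1.1 or newer for -addext; the SAN list and the output directory are constructed for the demo.

```shell
# Added example (not part of the gist): create a key and CSR without prompts,
# then validate the request before sending it to a CA.
# Assumes OpenSSL 1.1.1 or newer for -addext; the SAN list is constructed.

make_csr() {                                   # make_csr <output dir>
    dir="$1"
    subj="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
    # -nodes: unencrypted key; -sha256: SHA-2 signature on the CSR;
    # -subj: answers the prompt; -addext: SAN, which clients check instead of CN.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" \
        -subj "$subj" \
        -addext "subjectAltName=DNS:examplebrooklyn.com,DNS:www.examplebrooklyn.com" \
        2>/dev/null
}

# Returns 0 only if the CSR's self-signature verifies and the expected
# CN and SAN entries are present; 1, 2 or 3 says which check failed.
check_csr() {                                  # check_csr <domain.csr>
    csr="$1"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$csr" 2>/dev/null \
        | grep -q 'CN *= *examplebrooklyn.com' || return 2
    openssl req -noout -text -in "$csr" 2>/dev/null \
        | grep -q 'DNS:www.examplebrooklyn.com' || return 3
    return 0
}

main() {
    work=$(mktemp -d)
    make_csr "$work" || { echo "key/CSR generation failed" >&2; return 1; }
    if check_csr "$work/domain.csr"; then
        echo "CSR ready to submit: $work/domain.csr"
    else
        echo "CSR failed validation" >&2; return 1
    fi
}
main
```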

Generate a CSR from an Existing Private Key

This command creates a new CSR (domain.csr) based on an existing private key (domain.key):

openssl req -key domain.key -new -out domain.csr

Answer the CSR information prompt to complete the process.

  1. -key option specifies an existing private key (domain.key) that will be used to generate a new CSR.
  2. -new option indicates that a CSR is being generated.

Generate a CSR from an Existing Certificate and Private Key

This command creates a new CSR (domain.csr) based on an existing certificate (domain.crt) and private key (domain.key):

openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

The -x509toreq option specifies that you are using an X509 certificate to make a CSR.

Generating SSL Certificates

Generate a Self-Signed Certificate

This command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt) from scratch:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

Answer the CSR information prompt to complete the process.

  1. -x509 option tells req to create a self-signed certificate.
  2. -days 365 option specifies that the certificate will be valid for 365 days. A temporary CSR is generated to gather information to associate with the certificate.

Generate a Self-Signed Certificate from an Existing Private Key

This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key):

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

Answer the CSR information prompt to complete the process.

  1. -x509 option tells req to create a self-signed certificate.
  2. -days 365 option specifies that the certificate will be valid for 365 days.
  3. -new option enables the CSR information prompt.

Generate a Self-Signed Certificate from an Existing Private Key and CSR

This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key) and CSR (domain.csr):

openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

View Certificates

Certificate and CSR files are encoded in PEM format, which is not readily human-readable.

This section covers OpenSSL commands that will output the actual entries of PEM-encoded files.

View CSR Entries

This command allows you to view and verify the contents of a CSR (domain.csr) in plain text:

openssl req -text -noout -verify -in domain.csr

View Certificate Entries

This command allows you to view the contents of a certificate (domain.crt) in plain text:

openssl x509 -text -noout -in domain.crt

Verify a Certificate was Signed by a CA

Use this command to verify that a certificate (domain.crt) was signed by a specific CA certificate (ca.crt):

openssl verify -verbose -CAfile ca.crt domain.crt
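An added example, not part of the gist, that ties the self-signed commands above to this verification step: it builds a throwaway CA, issues a server certificate from a CSR, and shows that openssl verify -CAfile accepts the CA-issued certificate but rejects a self-signed one for the same key. Signing with -CA/-CAkey/-CAcreateserial is an addition to the gist's commands, and all file names and subjects are constructed.

```shell
# Added example (not part of the gist): stand up a throwaway CA, issue a server
# certificate from a CSR, and check that `openssl verify -CAfile` accepts the
# CA-issued certificate while rejecting a self-signed one for the same key.
# Signing with -CA/-CAkey/-CAcreateserial is an addition to the gist; names are constructed.

SUBJ="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

make_ca() {                                    # make_ca <dir> -> ca.key, ca.crt
    # The gist's self-signed form, used here as a private root CA.
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn CA/CN=Example Brooklyn Root" \
        2>/dev/null
}

issue_server_cert() {                          # issue_server_cert <dir> -> domain.key/csr/crt
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/domain.key" -out "$1/domain.csr" -subj "$SUBJ" 2>/dev/null || return 1
    # Sign the CSR with the CA key instead of the requester's own key.
    openssl x509 -req -sha256 -days 365 -in "$1/domain.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/domain.crt" 2>/dev/null
}

self_sign() {                                  # self_sign <dir> -> selfsigned.crt
    # The gist's "self-signed certificate from an existing key and CSR" command.
    openssl x509 -req -days 365 -in "$1/domain.csr" -signkey "$1/domain.key" \
        -out "$1/selfsigned.crt" 2>/dev/null
}

signed_by_ca() {                               # signed_by_ca <cert> <ca.crt>
    # Exit status 0 only when <cert> chains to <ca.crt>.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_ca "$work" && issue_server_cert "$work" && self_sign "$work" || return 1
    for c in domain.crt selfsigned.crt; do
        if signed_by_ca "$work/$c" "$work/ca.crt"; then
            echo "$c: issued by ca.crt"
        else
            echo "$c: NOT issued by ca.crt"
        fi
    done
}
main
```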

Private Keys

This section covers OpenSSL commands that are specific to creating and verifying private keys.

Create a Private Key

Use this command to create a password-protected, 2048-bit private key (domain.key):

openssl genrsa -des3 -out domain.key 2048

Enter a password when prompted to complete the process.

Verify a Private Key

Use this command to check that a private key (domain.key) is a valid key:

openssl rsa -check -in domain.key

If your private key is encrypted, you will be prompted for its pass phrase. Upon success, the unencrypted key will be output on the terminal.

Verify a Private Key Matches a Certificate and CSR

Use these commands to verify if a private key (domain.key) matches a certificate (domain.crt) and CSR (domain.csr):


openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

If the output of each command is identical, there is an extremely high probability that the private key, certificate, and CSR are related.
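The same modulus comparison as a script, added here and not part of the gist: it reads the modulus from each file type and reports a mismatch through the exit status instead of three digests to compare by eye. The sample key, CSR and certificate are generated on the fly with the gist's own commands; the unrelated other.key is constructed to show the failure case.

```shell
# Added example (not part of the gist): compare the RSA modulus of a key, a
# certificate and a CSR directly; a mismatch is reported by exit status rather
# than by eyeballing three md5 digests. Sample files are generated on the fly.

modulus_of() {                                 # modulus_of <file>, picks the tool by extension
    case "$1" in
        *.key) openssl rsa  -noout -modulus -in "$1" 2>/dev/null ;;
        *.crt) openssl x509 -noout -modulus -in "$1" 2>/dev/null ;;
        *.csr) openssl req  -noout -modulus -in "$1" 2>/dev/null ;;
        *)     return 2 ;;
    esac
}

same_key() {                                   # same_key <file>...
    # Exit status 0 when every file carries the same modulus, 1 otherwise.
    ref=""
    for f in "$@"; do
        m=$(modulus_of "$f") && [ -n "$m" ] || { echo "unreadable: $f" >&2; return 1; }
        if [ -z "$ref" ]; then
            ref="$m"
        elif [ "$m" != "$ref" ]; then
            echo "modulus mismatch: $f" >&2
            return 1
        fi
    done
    return 0
}

make_samples() {                               # make_samples <dir>: key+CSR, self-signed cert, unrelated key
    subj="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/domain.key" -out "$1/domain.csr" \
        -subj "$subj" 2>/dev/null || return 1
    openssl x509 -signkey "$1/domain.key" -in "$1/domain.csr" -req -days 365 \
        -out "$1/domain.crt" 2>/dev/null || return 1
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_samples "$work" || return 1
    same_key "$work/domain.key" "$work/domain.crt" "$work/domain.csr" \
        && echo "domain.key, domain.crt and domain.csr belong together"
    same_key "$work/other.key" "$work/domain.crt" \
        || echo "other.key does not belong to domain.crt"
}
main
```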

Encrypt a Private Key

This takes an unencrypted private key (unencrypted.key) and outputs an encrypted version of it (encrypted.key):


openssl rsa -des3 -in unencrypted.key -out encrypted.key

Enter the pass phrase you want to encrypt the private key with.

Decrypt a Private Key

This takes an encrypted private key (encrypted.key) and outputs a decrypted version of it (decrypted.key):

openssl rsa -in encrypted.key -out decrypted.key

Enter the pass phrase for the encrypted key when prompted.
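The encrypt and decrypt steps above without an interactive prompt, as an added example that is not part of the gist: the pass phrase is read from the KEYPASS environment variable (env:VAR) rather than the command line, and a wrong pass phrase makes decryption fail cleanly. It swaps in -aes256 for the gist's -des3; file names and the demo pass phrase are constructed.

```shell
# Added example (not part of the gist): encrypt and decrypt a key without an
# interactive prompt. The pass phrase comes from the KEYPASS environment
# variable (env:VAR), not from the command line where `ps` could expose it.
# Uses -aes256 in place of the gist's -des3; file names are constructed.

encrypt_key() {                                # encrypt_key <plain.key> <encrypted.key>
    openssl rsa -aes256 -in "$1" -out "$2" -passout env:KEYPASS 2>/dev/null
}

decrypt_key() {                                # decrypt_key <encrypted.key> <plain.key>
    # Non-zero exit when KEYPASS is wrong; no output key is written in that case.
    openssl rsa -in "$1" -out "$2" -passin env:KEYPASS 2>/dev/null
}

is_encrypted() {                               # is_encrypted <file.key>
    # Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
    # "BEGIN ENCRYPTED PRIVATE KEY" form contain this word.
    grep -q 'ENCRYPTED' "$1"
}

same_modulus() {                               # same_modulus <a.key> <b.key>
    # -passin is only consulted when the key is actually encrypted.
    a=$(openssl rsa -noout -modulus -in "$1" -passin env:KEYPASS 2>/dev/null) || return 1
    b=$(openssl rsa -noout -modulus -in "$2" -passin env:KEYPASS 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/unencrypted.key" 2048 2>/dev/null || return 1
    KEYPASS='constructed-demo-pass-phrase'; export KEYPASS
    encrypt_key "$work/unencrypted.key" "$work/encrypted.key" || return 1
    is_encrypted "$work/encrypted.key" && echo "encrypted.key is pass-phrase protected"
    decrypt_key "$work/encrypted.key" "$work/decrypted.key" || return 1
    same_modulus "$work/unencrypted.key" "$work/decrypted.key" \
        && echo "decrypted.key is the same key as unencrypted.key"
    KEYPASS='wrong'; export KEYPASS
    decrypt_key "$work/encrypted.key" "$work/bad.key" || echo "wrong pass phrase: decryption refused"
}
main
```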
