Create self-signed X.509 certificate

  1. Generate a keypair.
$ openssl genrsa -out example.key 4096
  2. Generate a certificate request for the public key.
$ openssl req -new -key example.key -subj /CN=example.com -out example.csr
  3. Sign the request with the private key. The expiry date is set to 100 years into the future.
$ openssl x509 -in example.csr -out example.crt -req -signkey example.key -days 36525
  4. If the certificate is intended for HTTPS, you should provide one or more subject alternative names, one of which must match the subject's RDN, and set the expiry date to no less than 30 and no more than 366 days into the future. The following command replaces the one in step 3.
$ echo subjectAltName=DNS:example.com | openssl x509 -extfile - \
    -in example.csr -out example.crt -req -signkey example.key -days 365
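
The HTTPS variant of the procedure (steps 1, 2 and 4) as one script, followed by checks on the resulting certificate: it matches the private key, a SAN entry equals the CN, and the remaining validity lies between 30 and 366 days. This is an added example, not part of the original page; the function names make_https_cert and check_https_cert, the optional key-size argument and the temporary .ext file used in place of "-extfile -" are assumptions.

```shell
#!/bin/sh
# Added example; make_https_cert and check_https_cert are hypothetical names.

# make_https_cert CN DIR [BITS]: steps 1, 2 and 4, writing DIR/CN.{key,csr,crt}.
# Runs in a subshell so the umask and variables do not leak to the caller.
make_https_cert() (
    cn=$1 dir=$2 bits=${3:-4096}
    umask 077                                   # private key: owner-only
    ext=$dir/$cn.ext                            # file instead of "-extfile -"
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$ext"
    openssl genrsa -out "$dir/$cn.key" "$bits" &&
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr" &&
    openssl x509 -req -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
        -extfile "$ext" -days 365 -out "$dir/$cn.crt"
    rc=$?
    rm -f "$ext"
    exit "$rc"
)

# check_https_cert CRT KEY CN: prints "ok" or the first failed check.
check_https_cert() {
    crt=$1 key=$2 cn=$3
    # 1. The certificate must carry the public half of this private key.
    mod=$(openssl x509 -in "$crt" -noout -modulus) || mod=
    if [ -z "$mod" ] || [ "$mod" != "$(openssl rsa -in "$key" -noout -modulus)" ]; then
        echo "key mismatch"; return 1
    fi
    # 2. One SAN entry must equal the CN exactly (not merely contain it).
    if ! openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "DNS:$cn"; then
        echo "no SAN for CN"; return 1
    fi
    # 3. Remaining validity between 30 and 366 days. -checkend N exits 0
    #    when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "expires within 30 days"; return 1
    fi
    if openssl x509 -in "$crt" -noout -checkend $((366 * 86400)) >/dev/null; then
        echo "valid for more than 366 days"; return 1
    fi
    echo ok
}
```

The validity check measures time remaining when it is run, so it is also usable later as a renewal reminder for a certificate that is already deployed.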