OpenSSL Certificate Creation Basics

How to create certificates with OpenSSL

First, create an RSA private key:

openssl genrsa -out ca.key 1024

The key above won't be encrypted. Often you won't want an encrypted key; instead you'll want to put it somewhere safe, where only root can read it. Alternatively, if you want to encrypt the key, use the version below (the `genrsa` subcommand is required here too).
openssl genrsa -des3 -out ca.key 1024

If you're hoping for your encryption to be secure, then forget des3 and use aes256...
openssl genrsa -aes256 -out ca.key 2048

The default key length is 512 bits; the first two examples specify 1024. Lately, 2048 is more appropriate if you're hoping for security that's hard to break.

Then, generate a certificate signing request using your new key:

openssl req -new -key ca.key -out ca.csr

You will be prompted for information.

Then, you can either send your .csr off to a certificate authority for them to sign properly, or you can self-sign the key:

openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

The self-signed certificate can be used directly in most *nix applications. For Windows, however, it's not a good approach; and if you're making keys under Windows, you use makecert rather than openssl.

If you want to install a certificate as a genuine Certificate Authority (CA) and use it to sign other certificates, you'll need to generate a Certificate Revocation List (CRL) as well. Then you can distribute the CA certificate and CRL, and all the certificates signed with the CA will work wherever the CA and CRL are installed. This is a useful approach when you want to generate a lot of keys and use them for individual user authentication, such as SSH logins. In this case you do not distribute the CA's private key; you keep it locked up safe and encrypted. It's not needed for signature validation, only the CA certificate and CRL.
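The whole key, CSR and self-sign procedure above, plus the "sign other certificates with the CA" case from the last paragraph, as an added shell example that is not part of the original page. It writes a small extension file so the CA certificate is actually marked CA:TRUE (newer OpenSSL releases refuse to build a chain from a v3 root that lacks basicConstraints), issues a leaf certificate, and checks the chain with `openssl verify`. The directory, subject names and hostname are made up for the demo; CRL generation is not shown.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed CA built with the
# commands the page shows, then a leaf certificate signed by that CA.
# Subjects, the hostname and the working directory are constructed for the demo.
set -eu

# Unencrypted 2048-bit RSA key, created readable only by the current user.
make_key() {   # make_key <path>
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null )
}

# CA: key -> CSR -> self-signed certificate, plus an extension file so the
# certificate carries basicConstraints CA:TRUE and a keyUsage that allows
# certificate and CRL signing (without it, OpenSSL 3 reports "invalid CA").
make_ca() {    # make_ca <dir>
    dir=$1
    make_key "$dir/ca.key"
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Test CA" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Leaf certificate signed with the CA key; marked CA:FALSE and given a SAN,
# which is what clients actually match the hostname against.
issue_leaf() { # issue_leaf <dir> <hostname>
    dir=$1; host=$2
    make_key "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Exit status 0 only if the leaf chains to ca.crt AND its SAN matches <hostname>.
verify_leaf() { # verify_leaf <dir> <hostname>
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_leaf "$work" "www.example.test"
    verify_leaf "$work" "www.example.test" && echo "chain OK, files in $work"
}

main
```

Only `ca.crt` (and later a CRL) needs to be distributed; `ca.key` stays in the working directory with mode 0600 and should be encrypted with `-aes256` as the page describes before it is kept long-term.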