You must have the CA configured properly; that is outside the scope of this post.

For self-signed certificate

The self-signed certificate is in <hostname>.crt, the private key is in <hostname>.key.

openssl req -x509 -newkey rsa:4096 -keyout <hostname>.key -out <hostname>.crt -days 365

For CSR (Certificate Signing Request)

The request is in the <hostname>.csr, the private key is in the <hostname>.key.

The -nodes option turns off the passphrase prompt and leaves the private key unencrypted, which is a Bad Idea for personal certificates but is sometimes used for server certificates.

openssl req -newkey rsa:4096 -sha256 -nodes -out <hostname>.csr -outform PEM

mv privkey.pem <hostname>.key

To generate a DH key

Make sure to adjust the Apache configuration accordingly; see https://httpd.apache.org/docs/trunk/ssl/ssl_faq.html and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

To sign a CSR

The request is in <hostname>.csr, the signed certificate is in <hostname>.crt.

openssl ca -policy signing_policy -extensions signing_req -out <hostname>.crt -infiles <hostname>.csr

To verify a certificate or request

The request is in <hostname>.csr, the certificate is in <hostname>.crt.

openssl x509 -in <hostname>.crt -text -noout
openssl req -text -noout -verify -in <hostname>.csr
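
To confirm that a request or certificate really belongs to a given private key, and whether that key was written without a passphrase (-nodes), compare the public keys they contain. The script below is an added example, not part of the original post; the function names and the KEY_PASSIN variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# KEY_PASSIN is a hypothetical variable holding an openssl -passin source
# (e.g. env:NAME or file:/path) for a passphrase-protected key.

# True if the PEM private key file is passphrase-protected (not made with -nodes).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Print the SHA-256 of the public key inside a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file
pub_fingerprint() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout -passin "${KEY_PASSIN:-pass:}" 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair KEY FILE... : returns 0 only if every .csr/.crt carries KEY's public key.
check_pair() {
    key=$1; shift
    want=$(pub_fingerprint key "$key") || { echo "cannot read key: $key" >&2; return 1; }
    if key_is_encrypted "$key"; then echo "key is passphrase-protected"
    else echo "key is NOT passphrase-protected (-nodes)"; fi
    rc=0
    for f in "$@"; do
        case "$f" in
            *.csr) kind=csr ;;
            *.crt) kind=crt ;;
            *) echo "UNKNOWN  $f" >&2; rc=1; continue ;;
        esac
        got=$(pub_fingerprint "$kind" "$f") || got=unreadable
        if [ "$got" = "$want" ]; then echo "MATCH    $f"
        else echo "MISMATCH $f"; rc=1; fi
    done
    return $rc
}

# Stand-alone use: sh check_pair.sh <hostname>.key <hostname>.csr <hostname>.crt
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

A MISMATCH on the signed certificate means the CA signed a request generated from a different key, and the web server will refuse to load the pair.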