You must hae the CA configured properly, this no not the scope of this post.
For self-signed certificate
The self-signed certficate is in the <hostname>.crt, the private key is in the <hostname>.key
openssl req -x509 -newkey rsa:4096 -keyout <hostname>.key -out <hostname>.crt -days 365For CSR (Client Certificate Request)
The request is in the <hostname>.csr, the private key is in the <hostname>.key.
-nodes option will turn off the password request, which is a Bad Idea for personal certificates and is sometimes used for server sertificates.
openssl req -newkey rsa:4096 -sha256 -nodes -out <hostname>.csr -outform PEM
mv mv privkey.pem <hostname>.pem
To generate a DH key
Make sure to adjust the Apache configuration accordingly, https://httpd.apache.org/docs/trunk/ssl/ssl_faq.html and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048To sign a CSR
The request is in the <hostname>.csr, the signed certificates is in the <hostname>.crt.
openssl ca -policy signing_policy -extensions signing_req -out <hostname>.crt -infiles <hostname>.csrTo verify a certificate or request
The request is in the <hostname>.csr, the certificates is in the <hostname>.crt.
openssl x509 -in <hostname>.crt -text -noout
openssl req -text -noout -verify -in <hostname>.csr