The genrsa command generates an RSA private key.
openssl genrsa -des3 -out privkey.key 2048
des3 is the cypher used to encrypt the key, this triggers a prompt for the password.
2048 is the size in bits of the key to be generated.
The req command primarily creates and processes certificate requests in PKCS#10 format.
openssl req -key privkey.key -out ca.crt -new -x509
This command takes the private key and creates a public certificate from it, this will prompt you for the certificate information.
If you look at the properties then you will see that the basic information is there, but not the extended information that you normally see. This is because the extended information is designated by the signing authority.
The x509 utility can be used to sign certificates and requests.
openssl x509 -x509toreq -in ca.crt -out ca.req -sha256 -signkey privkey.key
x509toreq converts the public certificate into a certificate request (aka certificate signing request or CSR).
sha256 specified that the signature algorithm should also be 256 bytes in size (if omitted then default is sha1).
Third party authorities generally only expect you to provide them the contents of the bottom section in the file, between (and including) the tags:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
SKIP (unless you plan to use a self-signed certificate)
The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed.
openssl pkcs12 -export -des -macalg sha256 -out ca.p12 -inkey privkey.key -in ca.crt
This command takes in the private key and the public certificate then wraps them together into the format that is most commonly used. The resultant file is what is generally meant when referring to the 'private key' or 'private certificate' because while the privkey.key file is raw private key this file does contain the contents of that file as well as the contents of the public certificate and this is the most commonly used format for the private key.
des indicates the cypher used to encrypt this file, you will be prompted for the password to the key file and then a new password for the p12 (aka pfx) file (not required, may be blank but should only be left blank if your server requires it to be).
macalg sha256 specifies that the MAC digest algorithm should be 256 bytes in size (if omitted then default is sha1).
SKIP (unless you plan to use a self-signed certificate)
This set of commands will generate a pair of files used in the command to sign the certifciate.
echo %RANDOM% > file.srl
echo [ v3_req ] > client.cfg
echo basicConstraints = CA:FALSE >> client.cfg
echo extendedKeyUsage = serverAuth, clientAuth >> client.cfg
SKIP (unless you plan to use a self-signed certificate)
The random number placed in the serial file is sometimes too large, if you get an error then make it a smaller.
openssl x509 -req -in ca.req -CA ca.crt -CAkey privkey.key -CAserial file.srl -out client.crt -extensions v3_req -extensions v3_req -extfile client.cfg
This command uses your p12 to sign it's own certificate request. While a certificate is not signed by an authority is commonly referred to as 'self-signed' because it would be trusted on it's own face, the result of this command is a certificate that is in fact actually signed and that signer is itself. The purpose of which is to specify those extended properties that are designated as part of the signing process.
Compare the ca.crt file properties to the client.crt file to see what has been added.
DO NOT SKIP
If signed by a trusted third party, the file they provide will be used in place of client.crt
openssl pkcs12 -export -des -out client.p12 -inkey privkey.key -in client.crt
This will recombined the signed public certificate with the raw private key into a signed p12 file.
This last command is intended to clean up the files that were created and are no longer required (not advisable to run directly in the openssl folder).
del ca.* priv* file.srl client.cfg