This is take straight from http://devsec.org/info/ssl-cert.html. I’m getting it on my blog, as a reference to myself, so I can make a key pair quickly in the future.
At startup, the server automatically generates RSA private/public key-pair files in the data directory if all of these conditions are true: The sha256passwordautogeneratersakeys system variable is enabled; no RSA options are specified; the RSA files are missing from the data directory. These key-pair files enable secure password exchange using RSA over unencrypted connections for accounts. While Encrypting a File with a Password from the Command Line using OpenSSL is very useful in its own right, the real power of the OpenSSL library is its ability to support the use of public key cryptograph for encrypting or validating data in an unattended manner (where the password is not required to encrypt) is done with public keys.
Make a new ssl private key:
* Generate a new unencrypted rsa private key in PEM format:
Jul 03, 2019 Demonstration of using OpenSSL to create RSA public/private key pair, sign and encrypt messages using those keys and then decrypt and verify the received messages. Commands used: openssl. With a given key pair, data that is encrypted with one key can only be decrypted by the other. This is useful for encrypting data between a large number of parties; only one key pair per person need exist. RSA is widely used across the internet with HTTPS. To generate a key pair, select the bit length of your key pair and click Generate key. Apr 15, 2020 The ability to create, manage, and use public and private key pairs with KMS enables you to perform digital signing operations using RSA and Elliptic Curve (ECC) keys. You can also perform public key encryption or decryption operations using RSA keys. For example, you can use ECC or RSA private keys to generate digital signatures.
openssl genrsa -out privkey.pem 2048
You can create an encrypted key by adding the -des3 option.
#
To make a self-signed certificate:
* Create a certificate signing request (CSR) using your rsa private key:
openssl req -new -key privkey.pem -out certreq.csr
( This is also the type of CSR you would create to send to a root CA for them to sign for you. )
* Self-sign your CSR with your own private key:
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem