First we create a key pair so that we can digitally sign our own certificate request:
openssl genrsa -rand /path_to_bigfile:/path_to_otherbigfile -out private.key 2048
-rand tells openssl to use the listed files as extra seed material when generating the key. Note that a colon (:) separates the path names.
-out specifies the file in which to store the generated key, and last but not least 2048 is the number of bits we want our key to have. The default is 1024.
Now that our key pair is generated we are ready to create our certificate request and sign it:
openssl req -x509 -key private.key -days 3000 -new > mycertificate.crt
Normally we would have to do this in two steps: first create the certificate request, and then sign it with another openssl command. However, the -x509 option tells openssl to output a certificate right away instead of a certificate request. To do so, we must specify the key openssl should use to sign our certificate, using the -key option. -days specifies how many days the certificate should be valid.
After issuing the command we’ll be asked some questions such as country, province, state, common name, etc.
If you are planning on using the signed certificate for an HTTPS website, make sure the common name is the same as the website's hostname; if not, users will receive an ugly error stating that the certificate does not match the website's hostname.
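The procedure above, as an added example that is not part of the original page: the one-step req -x509 flow, run non-interactively (-subj answers the questions instead of prompting), and then a check that the resulting certificate actually matches the hostname it is meant for. It goes slightly beyond the text by also putting the hostname into a subjectAltName, which is what browsers consult today when matching a certificate to a site, and by using openssl verify -verify_hostname to show the match-versus-mismatch result the text warns about. It assumes OpenSSL 1.1.1 or later (for -addext) and omits -rand, since current OpenSSL seeds its random generator from the operating system; the hostname www.example.test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Assumes OpenSSL 1.1.1 or later (needed for -addext).
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
SITE_HOST="www.example.test"          # constructed hostname, not a real site
KEY="$WORKDIR/private.key"
CRT="$WORKDIR/mycertificate.crt"

# Step 1: 2048-bit RSA key pair. Current OpenSSL seeds its CSPRNG from the
# OS, so the -rand option shown in the text is not needed here.
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 2: request and self-sign in one go (-x509), valid for 3000 days.
# -subj supplies the country/state/common-name answers non-interactively;
# -addext adds a subjectAltName, which browsers check before (or instead of)
# the CN when deciding whether a certificate belongs to a hostname.
make_self_signed() {
    openssl req -x509 -new -key "$KEY" -days 3000 \
        -subj "/C=XX/ST=State/L=City/O=Example Org/CN=$SITE_HOST" \
        -addext "subjectAltName=DNS:$SITE_HOST" \
        -out "$CRT"
}

# Read the CN back out of the certificate. The sed pattern accepts both the
# "CN = x" and the "/CN=x" display styles used by different OpenSSL versions.
cert_cn() {
    openssl x509 -in "$CRT" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Validate the certificate the way a client would: trust it as its own anchor
# (it is self-signed) and require that it matches the given hostname.
# Returns 0 on a match and non-zero (OpenSSL reports "Hostname mismatch")
# when the certificate was issued for a different name.
verify_hostname() {
    openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1
}

main() {
    make_key
    make_self_signed
    echo "CN in certificate: $(cert_cn)"
    if verify_hostname "$SITE_HOST"; then
        echo "$SITE_HOST: certificate matches"
    fi
    if ! verify_hostname "shop.example.test"; then
        echo "shop.example.test: mismatch (a browser would show the hostname error)"
    fi
}
main
```

Running the script prints the CN it embedded, reports a match for www.example.test and a mismatch for shop.example.test, which is exactly the situation users hit when the name in the certificate and the name in the URL differ. The private key and certificate are written to a temporary directory that is removed on exit; in real use, write them to a protected location and keep private.key readable only by the service that needs it.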