apt-get install openssl
yum install openssl
This assumes you've already created a private key, such as example.com.key. If not, refer to our article on creating a private key.
A config file is not required to create a new certificate. However, if you have not created a config file, you will be prompted for input when creating the public certificate. If you want to avoid being prompted for values, refer to our article on creating a config file.
Public Certificate (aka X.509)
The public certificate is what is provided to the clients. There is a mathematical relationship between the public certificate and private key. Both are needed in order for encryption to work.
Interactive Prompt Method
If you have not created a config file, then you will be prompted for values during the creation of the public certificate. In this example, a CA certificate named rootCA.pem will be created. Both .crt and .pem are valid file extensions for the certificate.
openssl req -new -x509 -days 365 -sha512 -key rootCA.key -out rootCA.pem
Config File Method
If you have created a config file, then you will not be prompted for values during the creation of the public certificate. In this scenario, you would use the -config option followed by the config file. The CA certificate will contain the values specified in the config file. Both .crt and .pem are valid file extensions for the certificate.
openssl req -new -x509 -days 365 -sha512 -key rootCA.key -out rootCA.pem -config rootCA.config
Append public certificates to the root certificate
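Numerous "child" public certificates can be issued under (signed by) a single root CA.
Create a "child" public certificate signed by the root CA. The -req option tells openssl x509 that the input file (-in) is a certificate signing request (CSR).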
openssl x509 -req -CAcreateserial -sha256 -days 365 -in rootCA.csr -CA rootCA.pem -CAkey rootCA.key -out rootCA.crt
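The steps above run end to end, as an added example that is not part of the original article: it creates the root CA with the config file method, signs one child CSR with the same x509 command, then checks that each certificate matches its private key and that the child verifies against the root. The config contents, the child file names (child.key, child.csr, child.crt), the subject names and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all file contents, names and subjects below are constructed.

make_chain() {
    dir=$1
    # Minimal config (assumed contents); prompt = no suppresses the questions.
    cat > "$dir/rootCA.config" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Private keys (the page assumes these already exist).
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null || return 1
    openssl genrsa -out "$dir/child.key" 2048 2>/dev/null || return 1
    # Self-signed root certificate, same options as the page's command.
    openssl req -new -x509 -days 365 -sha512 -key "$dir/rootCA.key" \
        -out "$dir/rootCA.pem" -config "$dir/rootCA.config" || return 1
    # CSR for the child, then the page's signing command applied to it.
    openssl req -new -key "$dir/child.key" -config "$dir/rootCA.config" \
        -subj "/CN=child.example.com" -out "$dir/child.csr" || return 1
    openssl x509 -req -CAcreateserial -sha256 -days 365 -in "$dir/child.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -out "$dir/child.crt" 2>/dev/null || return 1
}

# Succeeds when the certificate carries the public half of the private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeeds when the certificate chains to the given root as its trust anchor.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" &&
    key_matches_cert "$demo_dir/child.key" "$demo_dir/child.crt" &&
    chain_verifies "$demo_dir/rootCA.pem" "$demo_dir/child.crt" &&
    echo "child.crt matches child.key and verifies against rootCA.pem"
```

A certificate signed with the wrong CA key, or paired with the wrong private key, fails one of the two checks, which makes them useful before deploying a new certificate.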