This isn’t rocket science, but I have to do this so rarely that I end up having to Google it due to lack of familiarity.
Let’s say you want to build your own self-signed certs. Here is how you go about doing that.
First we build the private key:
$ openssl genrsa -des3 -out server.key 2048
This above action will require you to set a password on the key. For most use cases (say, sticking it on nginx), you’ll need the password removed. Do so like this:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
Next, create the CSR:
$ openssl req -new -key server.key -out server.csr
Finally, build the cert from the CSR:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
There you go. Easy peasy.