These commands are needed every time you want to generate a new certificate signing request to give to an authority in order for them to generate and sign a certificate for you.
https://letsencrypt.org/ solves a lot of the pain involved with SSL certs, but sometimes you still need to go the "old school" route. I constantly forget how this stuff works, so I collected the most important commands (and what they do) here for easy copy & paste.
The private key generated here is unencrypted and must be kept private.
$ openssl genrsa -out example.com.key 2048
$ openssl req -new -sha256 -key example.com.key -out example.com.csr
$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
This allows you to check the information enclosed in a CSR.
$ openssl req -noout -text -in example.com.csr
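The key and CSR steps above can be scripted and checked before the CSR goes to the authority. This is an added example, not part of the original page; the function names make_csr and check_csr and the CN-only subject are assumptions made for illustration.

```shell
# Added example, not from the original page. Function names and the
# CN-only subject are assumptions made for illustration.

# make_csr DOMAIN DIR: key + CSR in one go, without interactive prompts.
make_csr() (
  umask 077  # -nodes leaves the key unencrypted, so create it owner-only
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
)

# check_csr DOMAIN DIR: succeeds only if every check below passes.
# The body runs in a subshell, so "exit 1" only fails this function.
check_csr() (
  key="$2/$1.key" csr="$2/$1.csr"
  # 1. The CSR self-signature verifies. Match on the message rather than
  #    relying on the exit status alone.
  openssl req -noout -verify -in "$csr" 2>&1 | grep -q "verify OK" || exit 1
  # 2. The CSR carries the public half of *this* private key.
  [ "$(openssl req -noout -pubkey -in "$csr")" = \
    "$(openssl pkey -pubout -in "$key")" ] || exit 1
  # 3. Subject and key size are what was intended.
  openssl req -noout -subject -nameopt RFC2253 -in "$csr" \
    | grep -qF "CN=$1" || exit 1
  openssl req -noout -text -in "$csr" | grep -q "(2048 bit)" || exit 1
  # 4. The private key file is readable and writable by the owner only.
  [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || exit 1
)

# Usage: make_csr example.com . && check_csr example.com . && echo "CSR ok"
```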
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
$ openssl dhparam -out dhparam.pem 2048
Use this to test SSL config locally, but realize that these certs will not be trusted by browsers by default. You need to manually add the certificate to the OS trust store to get a green lock.
$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout example.com.key -out example.com.crt -days 365 -nodes
-nodes means that the private key will be unencrypted.
I would suggest also adding an SSL cert check/dump
PEM
PKCS12