Optional: Generate a digital certificate for Trusted Installation
First, a private key must be generated. The following example generates an RSA key; however, other algorithms can also be used:
$ openssl genrsa -aes128 -out private.pem
Enter PEM pass phrase: XXXXXXXXXX
Verifying - Enter PEM pass phrase: XXXXXXXXXX
$
The private key should be generated with encryption (we selected AES128 for encryption here). The key can then only be used with the specified passphrase!
Note: Using the “-passout” option, the passphrase can also be specified on the command line, but it then appears in plain text, e.g. in the output of “ps -ef”!
Using the generated private key, a Certificate Signing Request (CSR) can now be generated:
$ openssl req -new -key private.pem -out cert.csr
Enter pass phrase for private.key: XXXXXXXXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PowerCampus 01
Organizational Unit Name (eg, section) []:Development
Common Name (e.g. server FQDN or YOUR name) []:powercampus.de
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
With the generated CSR file cert.csr, you can then, for example, purchase an official certificate from a certificate provider. You will receive a certificate signed by the provider.
Alternatively, a self-signed certificate can be generated:
$ openssl x509 -req -days 3650 -in cert.csr -signkey private.pem -out cert.pem
Enter pass phrase for private.key: XXXXXXXXXX
Certificate request self-signature ok
subject=C = DE, ST = Bavaria, L = Munich, O = PowerCampus 01, OU = Development, CN = powercampus.de
$
Note: The certificate is generated in PEM format and saved in the file cert.pem.
If the certificate is only required for your own use, a self-signed certificate may be sufficient. If you deliver your own software in BFF format, you should use an official certificate to sign the file sets. The customer can then verify the certificate.
If the public key is explicitly required, it can either be extracted from the certificate:
$ openssl x509 -in cert.pem -pubkey -noout >public.pem
$
or it can be extracted from the private key:
$ openssl rsa -in private.pem -pubout >public.pem
Enter pass phrase for private.key: XXXXXXXXXX
writing RSA key
$
If you extract the public key from the certificate, you do not need a passphrase.
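The whole procedure above as a non-interactive script, followed by a check that the public key in cert.pem is the one belonging to private.pem. This is an added example, not part of the original page. The passphrase file pass.txt, the work directory, the explicit key size and the function names are assumptions; the file names and the subject are taken from the steps above.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# pass.txt, the work directory and the function names are assumptions.

# Create key, CSR and self-signed certificate in directory $1. The passphrase
# is read from $1/pass.txt, so it never appears in the process list.
make_signing_material() {
    (
        umask 077                      # new files readable by the owner only
        cd "$1" || exit 1
        # Constructed sample passphrase; in real use, write pass.txt yourself.
        [ -s pass.txt ] || printf '%s\n' 'constructed-sample-passphrase' > pass.txt
        # Key size given explicitly (assumption; the page relies on the default).
        openssl genrsa -aes128 -passout file:pass.txt -out private.pem 2048 &&
        openssl req -new -key private.pem -passin file:pass.txt \
            -subj '/C=DE/ST=Bavaria/L=Munich/O=PowerCampus 01/OU=Development/CN=powercampus.de' \
            -out cert.csr &&
        openssl x509 -req -days 3650 -in cert.csr -signkey private.pem \
            -passin file:pass.txt -out cert.pem
    )
}

# Succeed only if the private key file $1 is stored encrypted.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeed only if the public key in $1/cert.pem belongs to $1/private.pem.
# "openssl pkey" is used instead of "openssl rsa" so non-RSA keys work too.
pubkeys_match() {
    from_cert=$(openssl x509 -in "$1/cert.pem" -pubkey -noout) || return 1
    from_key=$(openssl pkey -in "$1/private.pem" -passin "file:$1/pass.txt" -pubout) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d) || exit 1
if make_signing_material "$work" && key_is_encrypted "$work/private.pem" \
        && pubkeys_match "$work"; then
    echo "private.pem is encrypted and matches cert.pem"
fi
rm -rf "$work"
```

The same comparison is useful after receiving a certificate from a provider: if pubkeys_match fails, the certificate was not issued for this private key.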