To generate self-signed root certificate, use OpenSSL as follows: `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem` This command also creates a key at the same time. Argument reference: - `req` - openssl request - `-x509` - create certificate in x509 format, that is commonly used for TLS/HTTPS. It only contains certificate itself. Data is encoded with base64. - `-newkey rsa:2048` - generate new RSA key of 2048 bits - `-keyout` - save generated key to specified file and location - `-out` - save generated certificate to specified file and location When command is executed, OpenSSL will ask for passphrase. Key will not be written until passphrase is provided. Once provided, key will be DES encrypted and saved to file. DES encryption can be disabled using `-nodes` flag. Extra arguments can be provided using config file. `openssl req -new -newkey rsa:2048 -config ssl.cnf -keyout cert.key -out cert.csr -nodes` ### See also 1. [[OpenSSL]] 2. [[OpenSSL Config File]] ### Reference 1. [OpenSSL docs](https://docs.openssl.org/master/man1/openssl-req/#examples)