IOLAN Device Server OEM - Configuration - OpenSSL - quick self signed certificate

Issue:
IOLAN Device Server OEM - Configuration - OpenSSL - quick self signed certificate

Solution:

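A quick way to create a self-signed certificate with openssl req.

The file created holds the certificate together with its private key, written automatically with no passphrase (both -keyout and -out name the same file, and -nodes leaves the key unencrypted).

The options used with openssl req -new: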

-newkey arg

    this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. dsa:filename generates a DSA key using the parameters in the file filename. param:file generates a key using the parameter file file; the algorithm is determined by the parameters. algname:file uses algorithm algname and parameter file file; the two algorithms must match or an error occurs. algname just uses algorithm algname.

-[md5|sha1|md2|mdc2]

    this specifies the message digest to sign the request with. This overrides the digest algorithm specified in the configuration file. This option is ignored for DSA requests: they always use SHA1.

-days n

    when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

-nodes

    if this option is specified then if a private key is created it will not be encrypted.

-x509

    this option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, 0 will be used for the serial number.

-keyout filename

    this gives the filename to write the newly created private key to. If this option is not specified, then the filename present in the configuration file is used.

-out filename

    This specifies the output filename to write to or standard output by default.

               

 

$ openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout example.pem -out example.pem
Generating a 1024 bit RSA private key
...........++++++
...............++++++
writing new private key to 'example.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:CA
State or Province Name (full name) [Ontario]:
Locality Name (eg. city) [Markham]:
Organization Name (eg, company) [Perle Systems Ltd.]:
Organizational Unit Name (eg, section) [Sales]:
Common Name [nc4200]:
Email Address []:

 

With DSA certificates the param file must be created first:

 

$ openssl dsaparam -out dsa.param 1024
$ openssl req -new -newkey dsa:dsa.param -days 365 -nodes -x509 -keyout example.pem -out example.pem
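
Because example.pem holds an unencrypted private key next to the certificate, it is worth checking the file before copying it to a device. The script below is an added example, not part of the original article or of OpenSSL: check_combined_pem is a hypothetical helper, the sample PEM bodies are constructed placeholders, and treating a passphrase-protected key as a finding is an assumption based on the article's use of -nodes.

```sh
#!/bin/sh
# Added example: lint a combined key + certificate PEM (e.g. example.pem).
# check_combined_pem is a hypothetical helper, not part of OpenSSL.
# Prints one finding per line; returns 0 only for one unencrypted private
# key plus one certificate in a file closed to group/other.
check_combined_pem() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }

    # Older OpenSSL writes "RSA PRIVATE KEY" / "DSA PRIVATE KEY"; newer
    # releases write PKCS#8 "PRIVATE KEY". Encrypted keys carry either an
    # "ENCRYPTED PRIVATE KEY" label or a "Proc-Type: 4,ENCRYPTED" header.
    keys=$(grep -c -E '^-----BEGIN ((RSA|DSA|ENCRYPTED) )?PRIVATE KEY-----$' "$f" || true)
    enc=$(grep -c -E '^-----BEGIN ENCRYPTED PRIVATE KEY-----$|^Proc-Type: 4,ENCRYPTED' "$f" || true)
    certs=$(grep -c -E '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    begins=$(grep -c -E '^-----BEGIN [A-Z0-9 ]+-----$' "$f" || true)
    ends=$(grep -c -E '^-----END [A-Z0-9 ]+-----$' "$f" || true)

    [ "$keys" -eq 1 ] || { echo "expected 1 private key block, found $keys"; rc=1; }
    [ "$certs" -eq 1 ] || { echo "expected 1 certificate block, found $certs"; rc=1; }
    [ "$enc" -eq 0 ] || { echo "private key is passphrase-protected"; rc=1; }
    [ "$begins" -eq "$ends" ] || { echo "BEGIN/END markers unbalanced (truncated?)"; rc=1; }

    # -nodes leaves the key in clear text, so the file mode is its only
    # protection: flag any group/other permission bit.
    case $(ls -ld "$f") in
        ????------*) ;;
        *) echo "group/other can access $f; run: chmod 600 $f"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample with placeholder bodies (not real key material).
demo=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo"
chmod 644 "$demo"
check_combined_pem "$demo" || echo "result: fix the findings above first"
rm -f "$demo"
```

The check is structural only: it does not confirm that the key matches the certificate or that the certificate is still within its -days validity period.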

 


Article ID: 604
Published: 11/9/2009 12:10:26 PM
Last Modified: 11/9/2009 12:10:26 PM