It is possible to create a Root CA, install the Root CA certificate on the browser, generate a private public key, and use the Root CA to create a certificate for the server. Or just a self signed certificate and install an exception for the browser....
This is the secret for the server known only to the server.
openssl genrsa -out private4096.key 4096
genrsqGenerating an RSA key-out private.keyThe output file for the key4096The number of bits
Skip this section
This is the document that is used to generate the server's public certificate
openssl req -key private4096.key -new -out certificate.csr
reqA certificate request (or signing)-key private4096.keyThe server's secret-nwCreating a CSRcertificate.csrThe name of the resulting file
There is no need to enter anything but defaults.
If this CSR is to be sent to a Root CA for signing, and then is to be accepted by browsers it is important to add x509 extensions, specifically an Alternative Name section with a DNS entry for the URL of the server to be protected.
The "self-signed" certificate is signed with the server's private key, as opposed to one signed with a Root CA's private key.
We do not need the CSR to do this:
openssl req -new -x509 -key private4096.key -days 3650 -out public.crt
reqCreating, or inspecting a certificate or a certificate signing request-newGenerating a new certificate or request-x509Output a self-signed certificate (not a request)-days 3650How long the certificate is valid for. (Some domains, particularly Apple, have limits on this)-out public.crtOutput file
The certificate is a PEM (Privacy Enhanced Mail) document and is created from the public and private key above:
cat private4096.key > certificate.pem
cat public.crt >> certificate.pem
The file certificate.pem can be used by the web server to authenticate an HTTPS session. Because it is self signed the public key needs to be installed on the browser, which will happen on the first visit if the user authorises it.