key – this is your key file and shouldn’t be shared with anyone publicly
https://www.sslshopper.com/article-most-common-openssl-commands.html


https://www.wpwhitesecurity.com/generate-self-signed-ssl-certificated-apache-https/

#Generate a new private key:
openssl genrsa -out /opt/ssl/server.key 2048

#Create a certificate: (Certificate Signing Authority - Generate Certificate Request File)
#IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”.
openssl req -new -key /opt/ssl/server.key -out /opt/ssl/cert.csr

#Send cert.csr to the certificate authority. When the certificate authority completes their checks 
#(and probably received payment from you), they will hand over your new certificate to you.
#Until the certificate is received, create a temporary self-signed certificate:

openssl x509 -in /opt/ssl/cert.csr -out /opt/ssl/server.crt -req -signkey /opt/ssl/server.key -days 3650

#Back up your private key in a safe location after generating a password-protected version as follows
openssl rsa -des3 -in /opt/ssl/server.key -out privkey.pem

#Note that if you use this encrypted key in the Apache configuration file, 
#it will be necessary to enter the password manually every time Apache starts. 
#Regenerate the key without password protection from this file as follows:
openssl rsa -in privkey.pem -out /opt/ssl/server.key