The primary option is
-x509: it forces the
openssl req command to generate a root certificate instead of a certificate signing request:
openssl req \ -days 99999 \ -keyout .key \ -new \ -nodes \ -out .crt \ -sha256 \ -x509
When the -x509 option is being used this specifies the number of days to certify the certificate for.
The default is 30 days.
This gives the filename to write the newly created private key to.
Normally, this option generates a new certificate request.
But in my case, it does not generate a new certificate request because I use
-x509 alongside with
In my case the
-new option generates a new RSA private key because I do not use the
The private key is generated with the default length: 2048 bits.
If this option is specified then if a private key is created it will not be encrypted.
This specifies the output filename to write to or standard output by default.
This specifies the message digest to sign the request with (such as -md5, -sha1).
This overrides the digest algorithm specified in the configuration file.
Some public key algorithms may override this choice.
For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (-md_gost94).
This option outputs a self-signed certificate instead of a certificate request.
This is typically used to generate a test certificate or a self-signed root CA.
The extensions added to the certificate (if any) are specified in the configuration file.
Unless specified using the set_serial option, a large random number will be used for the serial number.