How it works…

Once the command has executed successfully, we can see domain.key, domain.csr, and domain.crt generated, where domain.key is a 2,048-bit RSA private key that is used to sign the SSL certificate, and domain.crt and domain.csr are certificate-signing requests that consist of the public key of a key pair with some additional information, which is inserted into the certificate when it is signed.

Let's understand the command we executed to generate a certificate-signing request:

  • The -newkey rsa:2048 option creates a new certificate request and a new private key that should be 2,048-bit, generated using the RSA algorithm.
  • The -nodes option specifies that the private key created will not be encrypted with a passphrase.
  • The -keyout domain.key option specifies the filename to write the newly created private key to.
  • The -out domain.csr option specifies the output filename to write to, or the standard output by default.
  • The -subj option replaces a subject field of the input request with specified data and outputs a modified request. If we do not specify this option, then we have to answer OpenSSL's CSR information prompts to complete the process.

Next, let's look at the command we executed to generate the certificate and sign it with the private key:

openssl req -key domain.key -new -x509 -days 365 -out domain.crt -subj "/C=IN/ST=Mumbai/L=Andheri East/O=Packt/CN=packtpub.com"

The -key option specifies the file to read the private key from. The -x509 option outputs a self-signed certificate instead of a certificate request. The -days 365 option specifies the number of days to certify the certificate for. The default is 30 days.
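To confirm that the three files really belong together, the following added example (not code from the book) compares the public key carried by each file and checks the effect of -x509, -days 365, and -nodes. The first req command is rebuilt from the options listed above, and the function names are hypothetical.

```bash
# Added example, not from the book. SUBJ is the subject string shown on the page;
# the first req command is rebuilt from the options the page lists.
SUBJ="/C=IN/ST=Mumbai/L=Andheri East/O=Packt/CN=packtpub.com"

generate() {            # $1 = directory to write domain.key/.csr/.crt into
  ( cd "$1" && umask 077 &&
    openssl req -newkey rsa:2048 -nodes -keyout domain.key \
        -out domain.csr -subj "$SUBJ" 2>/dev/null &&
    openssl req -key domain.key -new -x509 -days 365 \
        -out domain.crt -subj "$SUBJ" 2>/dev/null )
}

spki_sha256() {         # PEM public key on stdin -> SHA-256 of its DER encoding
  openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_fp() { openssl pkey -in "$1" -pubout | spki_sha256; }
csr_fp() { openssl req  -in "$1" -noout -pubkey | spki_sha256; }
crt_fp() { openssl x509 -in "$1" -noout -pubkey | spki_sha256; }

check_files() {         # $1 = directory; prints findings, returns 0 if all checks pass
  d=$1; rc=0; k=$(key_fp "$d/domain.key")
  # The key, the request, and the certificate must all carry the same public key.
  [ -n "$k" ] && [ "$k" = "$(csr_fp "$d/domain.csr")" ] && [ "$k" = "$(crt_fp "$d/domain.crt")" ] \
      || { echo "FAIL: public keys differ between key, CSR and certificate"; rc=1; }
  # A CSR is signed with its own private key; verify that signature.
  openssl req -in "$d/domain.csr" -noout -verify >/dev/null 2>&1 \
      || { echo "FAIL: CSR self-signature does not verify"; rc=1; }
  # -x509: a self-signed certificate verifies with itself as the only trust anchor.
  openssl verify -CAfile "$d/domain.crt" "$d/domain.crt" >/dev/null 2>&1 \
      || { echo "FAIL: certificate is not self-signed"; rc=1; }
  # -days 365: the certificate must still be valid 364 days from now.
  openssl x509 -in "$d/domain.crt" -noout -checkend $((364 * 86400)) >/dev/null \
      || { echo "FAIL: certificate expires in under 364 days"; rc=1; }
  # -nodes leaves the key unencrypted, so file permissions are its only protection.
  grep -q ENCRYPTED "$d/domain.key" || echo "NOTE: domain.key has no passphrase"
  return $rc
}

# Demo: build the files in a scratch directory, check them, clean up.
work=$(mktemp -d) && generate "$work" && check_files "$work"
rm -rf "$work"
```

A non-zero return from check_files is the signal that a key file has been replaced or paired with the wrong certificate, which otherwise only surfaces when the server fails to start.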
