openssl genpkey                       \
        -algorithm RSA                \
        -pkeyopt rsa_keygen_bits:2048 \
        -out www.usr-local.org.key    \
&& openssl req                           \
           -new                          \
           -key www.usr-local.org.key    \
           -outform PEM                  \
           -keyout www.usr-local.org.key \
           -subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org" \
           -out www.usr-local.org.csr             

See issue #3311 of openssl on github about adding SAN¹⁾ entries. And there are a lot of suggestions in an stackexchange answer that was linked from the issue.

openssl x509 -inform DER -outform PEM -in /tmp/IN-Berlin-G3-root-certificate.htm  -out /tmp/IN-Berlin-G3-root-certificate.pem

( fgrep -m 1 CERTIFICATE ; cat ) < my.pem > my-crt.pem

This will create a key file my-key-no-pass.pem without passphrase from a RSA key file my-key.pem in PEM format:

openssl rsa -in my-key.pem -out my-key-no-pass.pem

In case your file is a combined key/certificate file my.pem, the command above will still only generate a key file. To add the certificate to the new file my-no-pass.pem, you need one more line of shell code:

openssl rsa -in my.pem -out my-no-pass.pem
(echo ; fgrep -m 1 CERTIFICATE ; cat ) < my.pem >> my-no-pass.pem

This works on a Debian Etch sytem

cp /tmp/IN-Berlin-G3-root-certificate.pem /etc/ssl/certs/
c_rehash

openssl x509 -text -noout -in cert.pem

openssl x509 -text -noout -inform der -in cert.crt

• How to Use OpenSSL to Convert Certificates Between PEM and DER
• Removing a passphrase froman SSL key
• Praktische Experimente mit OpenSSL
• man fetchmail
man openssl
man genpkey
man req

ssl cert