Self-signed

openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
            -out $SITE.crt -keyout $SITE.key

From a real registrar

Tip

Now that Let’s Encrypt exists, the below information is a lot less useful…

Generate a unique site key:

openssl genrsa -out $SITE.key 4096

Generate a certificate signing request:

openssl req -new -config $SITE.cnf \
            -key $SITE.key -out $SITE.csr