ECDSA certificates should be chosen for new deployments, instead of RSA certificates. See a blog post written by Nick Sullivan, ECDSA: The digital signature algorithm of a better internet, for more information.
Generate private key
openssl ecparam -name secp384r1 -genkey -noout -out server.key # Limit the access to the private key. chmod 600 server.key
For development and testing purposes, self-signed certificate may be sufficient. Run:
openssl req -new -x509 -key server.key -out server.crt -days 365
Generate certificate signing request (CSR)
Self-signed certificates are not trusted by the browsers. Generate a certificate signing request and submit it to a recognized certificate authority (CA) for signing. Run:
openssl req -new -sha256 -key server.key -out server.csr