# Use 4096 when you can use ECDSA
openssl genrsa -des3 -out $DOMAIN.key 2048
cp $DOMAIN.key $DOMAIN.key-org
openssl rsa -in $DOMAIN.key-org -out $DOMAIN.key
# Vanilla OpenSSL versions since 1.0.2 set the hash by default to SHA-256
openssl req -new -sha256 -key $DOMAIN.key -out $DOMAIN.crt