Manually create private key and certificate request
- Install OpenSSL if not already present
- Generate the private and public keys.
The algorithm should be selected according to the capabilities of the server software. In most cases, however, ECC can be used nowadays.
- RSA-4096 with password:
> openssl genrsa -aes256 -out <filename_key.pem> 4096
- RSA-4096 without password:
> openssl genrsa -out <filename_key.pem> 4096
- ECC-384 with password:
> openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -out <filename_key.pem>
- ECC-384 without password:
> openssl ecparam -name secp384r1 -genkey -out <filename_key.pem>
- Generate a certificate request:
> openssl req -sha256 -new -key <filename_key.pem> -out <filename.csr> -subj "/CN=servername.b-tu.de"
If the certificate is to contain additional server names, these can be specified later in the web interface. Only the ‘Common Name [CN]’ needs to be set in the request. All other fields can be left blank; they will be set accordingly by the CA.
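The key and request steps above combined into one script, together with checks to run before the request is submitted; this is an added example, not part of the original instructions. The function names, the file names key.pem and request.csr, and the choice of an unencrypted ECC-384 key are assumptions of the example.

```shell
#!/bin/sh
# Added example: create an unencrypted ECC-384 key and a CN-only CSR, then
# check the CSR before submitting it. Function and file names are assumptions
# of this example.

# make_csr <common-name> <output-dir>: writes key.pem and request.csr
make_csr() {
    cn=$1; dir=$2
    (
        umask 077                      # key file readable by the owner only
        mkdir -p "$dir" &&
        # -noout keeps the EC PARAMETERS block out of the key file
        openssl ecparam -name secp384r1 -genkey -noout -out "$dir/key.pem" &&
        openssl req -sha256 -new -key "$dir/key.pem" \
            -out "$dir/request.csr" -subj "/CN=$cn"
    )
}

# check_csr <key> <csr> <common-name>: returns 0 only if all checks pass
check_csr() {
    key=$1; csr=$2; cn=$3
    # 1. the request's self-signature is valid
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "CSR signature invalid" >&2; return 1; }
    # 2. the public key in the request belongs to this private key
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || {
        echo "CSR does not match key" >&2; return 1; }
    # 3. the subject is exactly the expected Common Name and nothing else
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    [ "$subj" = "subject=CN=$cn" ] || {
        echo "unexpected subject: $subj" >&2; return 1; }
}
```

For a password-protected key, `openssl pkey` asks for the passphrase during the second check.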
Remove password later
You can use the following command line to generate a key file without password protection (key-no-pw.pem) from a password-protected key file (key.pem):
> openssl rsa -in <filename_key.pem> -out <filename-no-pw.pem>
or
> openssl ec -in <filename_key.pem> -out <filename-no-pw.pem>
or in older versions
> openssl secp384r1 -in <filename_key.pem> -out <filename-no-pw.pem>