First, generate a private key file with 2048 or 4096 key size. This will prompt you for a passphrase for the private key.

openssl genrsa -aes256 -out privatekey.pem 4096

Optionally, you can decrypt this private key. This will prompt you for the passphrase to decode the key.

openssl rsa -in privatekey.pem -out privatekey-decrypted.pem

Then, create a Certificate Signing Request from the private key.

openssl req -new -sha256 -key privatekey.pem -out common-name-cert.csr

Using this, you can then use a signer tool such as Venafi to sign the key. A certificate authority, can sign the certificate (essentially, adding a chain to the certificate).