diff --git a/source/openssl/index.rst b/source/openssl/index.rst
index 426da90..78c218e 100644
--- a/source/openssl/index.rst
+++ b/source/openssl/index.rst
@@ -1,3 +1,151 @@
 #######
 OpenSSL
 #######
+
+Generate private key
+====================
+
+.. code:: shell
+
+  openssl \
+  genrsa \
+  -out "private_key.pem" \
+  4096 \
+
+Human readable:
+
+.. code:: shell
+
+  openssl \
+  rsa \
+  -in "private_key.pem" \
+  -noout \
+  -text \
+
+Generate a certificate request
+==============================
+
+* generate a private key
+
+* using . for empty fields, generate the request with:
+
+  * Country Name (2 letter code)
+  * State or Province Name (full name)
+  * Locality Name (eg, city)
+  * Organization Name (eg, company)
+  * Organizational Unit Name (eg, section)
+  * Common Name (e.g. server FQDN or YOUR name)
+  * Email Address
+  * A challenge password
+  * An optional company name
+
+.. code:: shell
+
+  echo -n "\
+  US
+  Region / County (code)
+  City / Place
+  Group / Management / Unit
+  Section
+  certificate_name
+  alias@domain.tld
+  .
+  .
+  " \
+  | \
+  openssl \
+  req \
+  -new \
+  -key "private_key.pem" \
+  -out "certificate_request.csr" \
+  -utf8 \
+
+Human readable:
+
+.. code:: shell
+
+  openssl \
+  req \
+  -in "certificate_request.csr" \
+  -noout \
+  -text \
+
+Create a Certification Authority
+================================
+
+init
+----
+
+.. code:: shell
+
+  rm --force --recursive "demoCA"
+  mkdir --parents "demoCA/newcerts"
+  echo -n "" > "demoCA/index.txt"
+  echo "00" > "demoCA/serial"
+
+request
+-------
+
+.. code:: shell
+
+  echo -n "\
+  US
+  Region / County (code)
+  City / Place
+  Decreasing / Hierarchy
+  Name
+  Name
+  alias@domain.tld
+  .
+  .
+  " \
+  | \
+  openssl \
+  req \
+  -new \
+  -key "name.pem" \
+  -out "name.csr" \
+  -utf8 \
+
+signature
+---------
+
+.. code:: shell
+
+  openssl \
+  ca \
+  -selfsign \
+  -in "name.csr" \
+  -keyfile "name.pem" \
+  -notext \
+  -out "name.crt" \
+  -startdate 20160801000000Z \
+  -enddate 20180801000000Z \
+  -batch \
+  -extensions "v3_ca" \
+
+----
+
+quick & dirty variant
+---------------------
+
+.. code:: shell
+
+  openssl \
+  ca \
+  -selfsign \
+  -keyfile "private_key.pem" \
+
+Sign request
+============
+
+.. code:: shell
+
+  openssl \
+  req \
+  -in "certificate_request.csr" \
+  -key "private_key.pem" \
+  -x509 \
+  -set_serial 0 \
+  -days 730 \
+  -out "certificate.crt" \