This assumes you have openssl - example here works on both Mac and Linux. .
Generate the private key
openssl genrsa -des3 -out privatekey.pem 2048
The -des3 prompts for a passphrase, the -out <<filename>> generates the key, the 2048 is the number of bits
openssl req -new -sha256 -key privatekey.pem -out csr.csr
The -sha256 avoids worrying about whether you'll get a SHA-1 generated with an old version of openssl. -key <<filename>> points to the private key, -out <filename> generates the csr file
openssl x509 -sha256 -req -days 9999 -in csr.csr -signkey privatekey.pem -out certificate.pem
X509 is the certificate type (Note no dash before this parameter), -sha256 avoids SHA-1, -days is how long the certificate is valid for, -in <<filename>> is the CSR file, -signkey <<filename>> is the private key and -out <<filename>> actually generates the certificate to a file.
openssl req -in csr.csr -text -noout
Make sure this shows the SHA256 (older versions of SSL may default to SHA1)
Check the certificate
Check the certificate
openssl x509 -in certificate.pem -text -noout