This is the second example from the documentation of OpenSSL req:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 2048 openssl req -new -key key.pem -out req.pem
Note that, if you do this directly with req (see 3rd example), if you don’t use the -nodes option, your private key will also be encrypted:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
(Despite what the documentation says, it’s not exactly the same as the second example, since it doesn’t use -des3, but you would have done so anyway.)