How do I create a real SSL Certificate?


Posted 04/27/2009 - 08:43 by David Schnardthorst

Solution: 

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH.

     

  2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

    If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure

     

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -key server.key -out server.csr

    Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", e.g. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using the command:

    $ openssl req -noout -text -in server.csr

     

  4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
    Commercial CAs usually ask you to paste the CSR into a web form, pay for the signing, and then send back a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:
    1. WavesCo SSL Certificates:
      http://wavesco.com/sslcertificates
    2. CA Cert:
      http://cacert.org

    Once your CSR has been signed, you can see the details of the Certificate as follows:

    $ openssl x509 -noout -text -in server.crt
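The four steps run end to end, as an added example that is not part of the original post. It takes the "create your own CA" path of step 4 so that everything runs offline, and it finishes with the check a practitioner wants before handing server.crt to Apache: the CSR's public key matches the private key, server.crt chains to the CA certificate, and the CommonName is the FQDN that was requested. The file names, the passphrase and the CA name "Example Local CA" are constructed for this example; it substitutes -aes256 and a 2048-bit key for the -des3 / 1024 values in the steps above, and passes the subject with -subj and the passphrase with -passout/-passin so that OpenSSL does not prompt.

```shell
#!/bin/sh
# Added example (not from the original post): the key / CSR / own-CA
# signing steps, non-interactive, followed by a verification of the result.
# All file names, the passphrase and the CA name are constructed here.

# make_server_cert DIR FQDN PASSPHRASE
#   Writes server.key (encrypted), server.csr, ca.key, ca.crt and the
#   CA-signed server.crt into DIR.
make_server_cert() {
    dir=$1; fqdn=$2; pass=$3
    # Step 2: encrypted RSA private key (AES-256 here instead of Triple-DES).
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    # Step 3: CSR for the server key; the FQDN goes into the CommonName.
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/CN=$fqdn" -out "$dir/server.csr"
    # Step 4, own-CA variant: a self-signed CA certificate with an
    # unencrypted key (-nodes). This CA is only for this example.
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$dir/ca.key" \
        -subj "/CN=Example Local CA" -days 365 -out "$dir/ca.crt" 2>/dev/null
    # Sign the CSR with that CA; server.crt is the file Apache will load.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null
}

# check_server_cert DIR FQDN PASSPHRASE
#   Returns 0 only if the CSR was made from server.key, server.crt verifies
#   against ca.crt, and the certificate's CommonName is FQDN.
check_server_cert() {
    dir=$1; fqdn=$2; pass=$3
    # (a) Public key derived from the private key must equal the CSR's.
    key_pub=$(openssl pkey -in "$dir/server.key" -passin "pass:$pass" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$dir/server.csr" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || return 1
    # (b) The signed certificate must chain to the CA we trust.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" 2>/dev/null \
        | grep -q ': OK$' || return 1
    # (c) The subject must carry the requested FQDN as CommonName
    #     (matches both "CN = x" and "/CN=x" output styles).
    openssl x509 -noout -subject -in "$dir/server.crt" 2>/dev/null \
        | grep -Eq "CN ?= ?$fqdn" || return 1
    return 0
}

# Usage: sh make-cert.sh www.foo.dom
# Runs the procedure for the FQDN given as first argument and prints the
# resulting certificate in the same way as step 4 above.
if [ -n "$1" ]; then
    workdir=$(mktemp -d)
    make_server_cert "$workdir" "$1" 'example-passphrase'
    if check_server_cert "$workdir" "$1" 'example-passphrase'; then
        echo "certificate for $1 verified against $workdir/ca.crt"
        openssl x509 -noout -text -in "$workdir/server.crt"
    else
        echo "verification failed for $1" >&2
        exit 1
    fi
fi
```

The passphrase is passed on the command line only to keep the example non-interactive; for a real server key, let openssl genrsa prompt for it as in step 2 so it never appears in shell history or process listings. The check function is also what to run after a commercial CA returns server.crt, with the CA's own certificate (or bundle) in place of ca.crt.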