If you have not already done so, your first step should be to create a local private/public key pair from which you can generate certificate requests. These can then be used for self-signed certificates, or when purchasing a certificate from a CA.
OpenSSL allows us to use the command line to generate keys. You have the option of using strong encryption and a passphrase to secure your private key, as shown below.
    # cd /etc/ssl/apache/
    # openssl genrsa -des3 -out domainname.com.key 2048
Typing the above on the command line will create an RSA private key that is encrypted with TripleDES (the -des3 option) under the passphrase you enter, 2048 being the number of bits generated in the key. There are options for lower encryption levels; however, these are not recommended for servers that are accessible via the Internet.
The key will be created in the directory you’re in.
Finally, you should modify the permissions to restrict access to the new key.
    # cd /etc/ssl/apache/
    # chmod 400 domainname.com.key
    # chown root:root domainname.com.key
This ensures that only the root user has access to this file. Opening the key still requires the passphrase you may have set when creating it.
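To confirm that a key file ended up in the state these steps describe, the following shell function checks for mode 400, the expected owner, and a passphrase-encrypted PEM header. It is an added example, not part of the original article; the function name check_key and its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a private key file against the steps above.
# check_key FILE [OWNER] prints one finding per line and returns
# 0 when the file passes, 1 otherwise. OWNER defaults to root.
# Run it as a user that can read FILE (normally root).

check_key() {
    key=$1
    want_owner=${2:-root}
    rc=0

    [ -f "$key" ] || { echo "missing: $key"; return 1; }

    # GNU stat first, BSD stat as a fallback.
    meta=$(stat -c '%a %U' "$key" 2>/dev/null || stat -f '%Lp %Su' "$key")
    mode=${meta% *}
    owner=${meta#* }

    # chmod 400: read-only for the owner, nothing for group or others.
    if [ "$mode" != "400" ]; then
        echo "mode is $mode, expected 400"
        rc=1
    fi

    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"
        rc=1
    fi

    # A passphrase-protected PEM key is marked in one of two ways:
    #   traditional format: a "Proc-Type: 4,ENCRYPTED" header line
    #   PKCS#8 format:      "-----BEGIN ENCRYPTED PRIVATE KEY-----"
    if ! grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key"; then
        echo "key is not passphrase-encrypted"
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh check_key.sh /etc/ssl/apache/domainname.com.key
if [ "$#" -gt 0 ]; then
    check_key "$@"
fi
```

Which of the two PEM markers appears depends on the OpenSSL version that wrote the key, so the check accepts either.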