First generate a new 2048 bit key:

# openssl genrsa -out fordodone.com.key 2048

I choose not to encrypt the key, because when reloading 240 apache servers, I don’t want to have to enter the passphrase each time. Now we use our key to generate a Certificat Signing Request.

# openssl req -new -key fordodone.com.key -out fordodone.com.csr

To inspect the CSR:

openssl req -in fordodone.com.csr -noout -text

Now you can sign your own cert, or upload/paste the CSR to a 3rd party provider to issue an official SSL Certificate.