First generate a new 2048 bit key:
# openssl genrsa -out fordodone.com.key 2048
I choose not to encrypt the key, because when reloading 240 apache servers, I don’t want to have to enter the passphrase each time. Now we use our key to generate a Certificat Signing Request.
# openssl req -new -key fordodone.com.key -out fordodone.com.csr
To inspect the CSR:
openssl req -in fordodone.com.csr -noout -text
Now you can sign your own cert, or upload/paste the CSR to a 3rd party provider to issue an official SSL Certificate.