Generating an SSL Certificate and validating with a Certificate Authority

An SSL Certificate shared across the internet must be registered with a Certificate Authority in order to validate.

Before we can generate a Certificate we must create a Certificate Signing Request (CSR).

The CSR will be submitted to a Certificate Authority (CA) and in return a signed Certificate will be issued.

Create a Certificate Signing Request using OpenSSL

When we generate a CSR, we will also generate a private key.

It’s important to keep this private key safe, as it will be required every time we need to reissue the Certificate or install the Certificate in a hosting environment.

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr

After executing the openssl command, the user will be asked to provide some details about the Certificate they are requesting.

If you require multiple sub-domains, it’s important to request *.example.com for the common name parameter. This will allow a single Certificate to support web.example.com and endpoint.example.com.

You will also be asked to supply an optional password. If you set a password, be sure to record it safely, as you will be asked to provide it every time we need to action the private key.

You should now have two files created:

  1. private.key which needs to be stored away safely (for your eyes only).
  2. request.csr which will be submitted to our CA to generate a signed Certificate.

Submit a Certificate Signing Request to the Certificate Authority

Create a Certificate PFX file containing the private key using OpenSSL

When installing a Certificate on a hosting platform such as Internet Information Services (IIS), a Personal Information Exchange (PFX) file will be required. This file contains the Certificate together with the embedded private key.

openssl pkcs12 -export -out star_example_com.pfx -inkey private.key -in star_example_com.crt

star_example_com.pfx is the PFX file generated.

private.key is the private key we generated when creating the CSR previously.

star_example_com.crt is the Certificate file issued by the Certificate Authority.

You will be prompted to enter the (optional) password previously assigned when generating the private key.

A PFX file called star_example_com.pfx should now be created.
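
The steps above as one non-interactive script, added here as an example and not the author's own code. It checks that the CSR and the issued Certificate belong to private.key before building the PFX. The -subj value, the export password and the self-signing step that stands in for the CA are assumptions made so that it runs offline; pubkey_digest, same_keypair and build_pfx are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example. example.com, the file names and the passwords are constructed values.

# Digest of the public key held in a private key, CSR or certificate.
pubkey_digest() {  # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null | openssl dgst -sha256
}

# True when the private key ($1) and the CSR or certificate ($2 kind, $3 file) are one key pair.
same_keypair() { [ "$(pubkey_digest key "$1")" = "$(pubkey_digest "$2" "$3")" ]; }

# Runs the page's steps in directory $1 and prints the subject read back from the PFX.
build_pfx() (  # $1 = working directory, $2 = PFX export password
  cd "$1" || exit 1
  umask 077  # private.key and the PFX are created readable by their owner only
  # The page's command, with -subj answering the prompts. -nodes leaves private.key
  # without a passphrase, so file permissions are all that protects it.
  openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr \
    -subj "/CN=*.example.com" 2>/dev/null || exit 1
  # Check the CSR's self-signature and that it carries our key before submitting it.
  openssl req -in request.csr -noout -verify 2>&1 | grep -q "verify OK" || exit 1
  same_keypair private.key csr request.csr || exit 1
  # Assumption: self-signing stands in for the CA so that the example runs offline.
  openssl x509 -req -in request.csr -signkey private.key -days 1 \
    -out star_example_com.crt 2>/dev/null || exit 1
  # Refuse to bundle a certificate that was issued for a different key.
  same_keypair private.key crt star_example_com.crt || exit 1
  openssl pkcs12 -export -out star_example_com.pfx -inkey private.key \
    -in star_example_com.crt -passout "pass:$2" || exit 1
  # Read the PFX back with the export password to confirm what it contains.
  openssl pkcs12 -in star_example_com.pfx -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -subject
)
```

With a real CA, replace the self-signing step with the Certificate file the CA returns; the same_keypair check then catches a Certificate issued against a different CSR.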
