As I mentioned in another post, I generate SSL certificates quite a lot (but not often enough to remember the specifics of each command), so here’s a quick reference.

You first need to generate the SSL certificate key with:

openssl genrsa -out domain.key 2048

Note that it’s a good idea to use a key length of 2048 as a minimum. I’m not sure if 4096 adds any significant benefit, though.

Next, you need to generate the CSR (Certificate Signing Request) - this is where you’re prompted to enter all your information.

openssl req -new -key domain.key -out domain.csr

When prompted, it’s important that you set the Common Name to the hostname you want to protect. It’s also important that you include the www. prefix if you specifically want www.example.com to use the SSL certificate. If you want to protect multiple subdomains (e.g. www.example.com, mail.example.com, anything.example.com) then you’ll need a wildcard SSL certificate, as a standard certificate only protects the given common name.

It’s not worth setting a password if prompted unless you’re prepared to configure your software (e.g. your web server) appropriately; otherwise you’ll be prompted for the password every time the software starts up.
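The two commands above, run non-interactively and followed by the checks I do before handing a CSR to a CA, as an added example that is not part of the original post. It goes slightly beyond the post: `-subj` supplies the Common Name without the interactive prompt, and `-addext` also puts the hostname into a Subject Alternative Name, which is what browsers actually match on today (`-addext` needs OpenSSL 1.1.1 or newer). www.example.com and the working directory are placeholders.

```shell
#!/bin/sh
# Added example (not the original post's code): generate a 2048-bit RSA key
# and a CSR for one hostname, then verify key length, CN, SAN, CSR signature
# and that the CSR really was built from this key. Requires the openssl CLI.
set -eu

DOMAIN="${1:-www.example.com}"              # placeholder hostname
WORKDIR="${TMPDIR:-/tmp}/csr-demo"          # placeholder output directory

gen_key() {
    # $1 = key file. Subshell so the restrictive umask only applies here;
    # the key is written without a passphrase (see the note in the post).
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

gen_csr() {
    # $1 = key, $2 = CSR out, $3 = hostname. -subj replaces the interactive
    # prompts; -addext adds the SAN extension alongside the CN.
    openssl req -new -key "$1" -out "$2" \
        -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3"
}

key_bits() {
    # Print the RSA modulus size of the key in $1 (e.g. 2048).
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

csr_cn() {
    # Print the Common Name of the CSR in $1; RFC2253 gives a stable format.
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=CN=\(.*\)$/\1/p'
}

csr_sans() {
    # Print the line following the SAN header, e.g. "DNS:www.example.com".
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

verify_csr() {
    # Succeeds only if the CSR's self-signature checks out.
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

key_matches_csr() {
    # $1 = key, $2 = CSR. Compare the public key derived from the private key
    # with the public key embedded in the CSR.
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey)" ]
}

main() {
    mkdir -p "$WORKDIR"
    key="$WORKDIR/domain.key"
    csr="$WORKDIR/domain.csr"

    gen_key "$key"
    gen_csr "$key" "$csr" "$DOMAIN"

    bits=$(key_bits "$key")
    [ "$bits" -ge 2048 ] || { echo "key too short: $bits bits" >&2; exit 1; }
    [ "$(csr_cn "$csr")" = "$DOMAIN" ] || { echo "CN mismatch" >&2; exit 1; }
    verify_csr "$csr" || { echo "CSR signature invalid" >&2; exit 1; }
    key_matches_csr "$key" "$csr" || { echo "CSR not from this key" >&2; exit 1; }

    echo "key:  $key ($bits bit)"
    echo "csr:  $csr"
    echo "CN:   $(csr_cn "$csr")"
    echo "SAN:  $(csr_sans "$csr")"
}

main "$@"
```

Run it as `sh gen-csr.sh mail.example.com`; the last four checks are the ones that catch a CSR generated against the wrong key or with the wrong hostname before a CA has issued anything against it.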