Creating an RSA key and a Certificate Signing Request

Normally, we won't use a self-signed certificate for anything that's meant for the general public to interface with. Instead, we want to obtain a certificate from a commercial CA because we want users to know that they're connecting to a server for which the identity of its owners has been verified. To obtain a certificate from a trusted CA, you'll first need to create a key and a Certificate Signing Request (CSR). Let's do that now:

openssl req --out CSR.csr -new -newkey rsa:2048 -nodes -keyout server-privatekey.key

Here's the breakdown:

  • openssl: I'm using OpenSSL with just my normal user privileges. For now, I'm doing everything in my own home directory, so there's no need for root or sudo privileges.
  • req: This is the sub-command for managing CSRs.
  • --out CSR.csr: The --out option names the file that I'm creating. In this case, I'm creating the CSR with the name CSR.csr. By convention, CSR files get the .csr filename extension.
  • -new: This is a new request. (And yes, this is preceded by a single dash, unlike the out in the previous line that's preceded by two dashes.)
  • -newkey rsa:2048: I'm creating an RSA key pair that's 2,048 bits in length. I'd actually like to use something a bit longer, but that will impact server performance when setting up the TLS handshake. (Again, this is preceded by only a single dash.)
  • -nodes: This means that I'm not encrypting the private key that I'm about to create. If I were to encrypt the private key, I would have to enter the private key passphrase every time I restart the web server.
  • -keyout server-privatekey.key: Finally, I'm creating the private key with the name server-privatekey.key. Since this key isn't for a self-signed certificate, I didn't add the -x509 option to the command this time.

Let's now look at a snippet from the command output:

[donnie@localhost ~]$ openssl req --out CSR.csr -new -newkey rsa:2048 -nodes -keyout server-privatekey.key
Generating a RSA private key
. . .
. . .
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:GA
Locality Name (eg, city) [Default City]:Saint Marys
Organization Name (eg, company) [Default Company Ltd]:Tevault Enterprises
Organizational Unit Name (eg, section) []:Education
Common Name (eg, your name or your server's hostname) []:www.tevaultenterprises.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:TurkeyLips
An optional company name []:

So, I've entered my information about my company location, name, and website name. Note the bottom where it asks me for a challenge password. This password doesn't encrypt either the key or the certificate. Rather, it's just a shared secret between the certificate authority and me that's embedded into the certificate request. I'll need to keep it in a safe place in case I ever need to reinstall the certificate. (And, for goodness' sake, when you do this for real, pick a better password than TurkeyLips.)

As before, I didn't encrypt the private key. But if you need to make a backup copy, just follow the procedure that you saw in the previous section.

To obtain a certificate from a commercial CA, go to their website and follow their directions. When you receive your certificate, install it in the proper place in your web server and configure the web server to find it.
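Before you hand a CSR to a CA, it's worth checking that the request is intact, that it really belongs to the private key you're about to deploy, and that the unencrypted key file isn't readable by other users. The script below is an added example (not from the book) that creates the same key and CSR non-interactively with -subj and then runs those checks; the subject values, file names, and WORKDIR are made up for illustration, and it assumes OpenSSL 1.1 or newer is installed.

```shell
#!/bin/sh
# Added example, not the book's own code. Generates a key and CSR like the
# book's command, but with -subj instead of interactive prompts, then checks
# the result. Output lands in WORKDIR (a temp dir unless you set it).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server-privatekey.key"
CSR="$WORKDIR/CSR.csr"
# Constructed subject: the same fields the interactive prompts ask for.
SUBJ="/C=US/ST=GA/L=Saint Marys/O=Tevault Enterprises/OU=Education/CN=www.tevaultenterprises.com"

# -nodes leaves the key unencrypted, so file permissions are its only
# protection on disk: umask 077 makes it readable by the owner alone.
make_csr() {
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null)
}

# Check 1: the CSR's self-signature verifies, i.e. the file isn't damaged.
csr_is_valid() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 2: the CSR carries the public half of THIS key. A mismatch means the
# CA would issue a certificate the server can never use.
csr_matches_key() {
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Check 3: key length and Common Name as the CA will see them.
csr_key_bits() {
    openssl req -in "$CSR" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_cn() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 4: permission string of the key file, expected "-rw-------".
key_mode() {
    ls -ld "$KEY" | cut -c1-10
}

make_csr
csr_is_valid && csr_matches_key &&
    echo "CSR OK: CN=$(csr_cn), $(csr_key_bits)-bit key, key mode $(key_mode)"
```

If csr_matches_key fails, you have mixed up key files; regenerate the pair rather than sending the CSR on.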
