jwallace.us

tech, tunes, and other stuff

Enabling HTTPS on Apache

First you’ll need an RSA private key:

openssl genrsa -des3 -out server.key 4096

The -des3 option encrypts the key with a passphrase, so you will be prompted for it every time Apache starts up.  If you wish to avoid that gotcha, then simply leave out the -des3 option and rely on file permissions to protect the key instead:

openssl genrsa -out server.key 4096

Then, generate a certificate signing request from the key:

openssl req -new -key server.key -out server.csr

Note that a CSR carries no validity period: the expiry date of a CA-issued certificate is decided by the CA, not by you.  The -days option of openssl req only takes effect together with -x509, which produces a self-signed certificate instead of a CSR.  That is handy for a test server where a browser warning is acceptable, e.g. for a certificate that expires in 1095 days:

openssl req -x509 -days 1095 -new -key server.key -out server.crt

Now, submit the CSR to a certificate authority and have it issue a certificate.  http://www.cacert.org is a free certificate authority you can use; read more about them in the CAcert article at Wikipedia.  Be aware that the CAcert root is not shipped in the major browsers, so visitors will get a trust warning unless they install that root themselves.  Cut and paste the entire certificate the CA returns (from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line) into a new file called server.crt.  If the CA also gives you an intermediate certificate, keep it: Apache has to serve it too, via SSLCertificateChainFile, or clients cannot build the chain.  Install the crt and key files into a place where Apache can find them.

Then as root:

chown root:root server.key
chmod 600 server.key
chmod 644 server.crt

Apache reads the private key while it is still running as root, before it forks the worker processes that drop to the apache user, so the key does not need to be readable by that user.  Keeping it root-only means a compromised worker process cannot read the key off the disk.

Now you’ll need to install this into Apache’s configuration file, httpd.conf.  Note that if you kept the -des3 encrypted key, you’ll need to enter its passphrase when Apache starts up.  We can disable that requirement.  More on that later.  Make sure mod_ssl is loaded and that httpd is listening on port 443 (a Listen 443 directive), then put this entry into your httpd.conf file if you wish for all traffic to your site to be secure:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName server.mysite.com
RedirectPermanent / https://server.mysite.com/
</VirtualHost>

<VirtualHost _default_:443>
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
ServerName server.mysite.com
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
</VirtualHost>

The trailing slash on the redirect target matters: RedirectPermanent appends whatever follows the matched prefix, so a target without it would send a request for /foo to https://server.mysite.com:443foo.  NameVirtualHost is only needed on Apache 2.2; on 2.4 it is a no-op that just logs a warning.

Now to remove the passphrase from the key (it is the key, not the certificate, that is encrypted) so Apache will boot without interaction:

openssl rsa -in server.key -out server.key.nopass

Then use the nopass key instead of the original server.key, and give it the same root-only 600 permissions, since file permissions are now the only thing protecting it.  If you would rather keep the key encrypted on disk, the alternative is SSLPassPhraseDialog, which lets Apache fetch the passphrase from a program at startup instead of prompting on the console.
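The whole key, CSR and certificate procedure above, as an added example that is not part of the original post: it generates an unencrypted key with safe permissions, builds a CSR, self-signs it for testing (a CA-issued server.crt would take its place), and then checks that the certificate actually matches the key before you point Apache at the files.  The working directory, the hostname server.mysite.com and the subject string are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a test key and
# certificate and verifies that they belong together before installing
# them for Apache. WORKDIR and the hostname are assumed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_CN="server.mysite.com"   # assumed hostname for the example

# Create server.key, server.csr and a 1095-day self-signed server.crt.
# The restrictive umask makes the private key owner-readable only from
# the moment it is written, so no chmod race exists.
make_test_material() {
    umask 077
    openssl genrsa -out "$WORKDIR/server.key" 4096 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/CN=$HOSTNAME_CN" 2>/dev/null
    # Self-signed for testing; a real deployment sends server.csr to a CA
    # and uses the certificate the CA returns as server.crt instead.
    openssl x509 -req -days 1095 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
    chmod 644 "$WORKDIR/server.crt"
}

# Print the SHA-256 of the RSA modulus held in a key ("rsa") or a
# certificate ("x509"). Both sides print "Modulus=..." so they compare.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if server.key and server.crt share the same modulus,
# i.e. Apache will not refuse to start with a key/certificate mismatch.
key_matches_cert() {
    [ "$(modulus_fp rsa "$WORKDIR/server.key")" = \
      "$(modulus_fp x509 "$WORKDIR/server.crt")" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

make_test_material
key_matches_cert && echo "server.key and server.crt match"
echo "server.key mode: $(perm_bits "$WORKDIR/server.key")"
```

Run this as root on the machine that will serve the site, then copy server.key and server.crt into the Apache conf directory as shown above; if key_matches_cert fails, the certificate you pasted was issued for a different key.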