Private Key and Certificate Signing Request CSR

To generate the private key and the Certificate Signing Request ( CSR )

$ openssl req \
> -new -newkey rsa:2048 -nodes \
> -keyout private_key.pem -out key_csr.pem
Generating a 2048 bit RSA private key
writing new private key to 'private_key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:EU
State or Province Name (full name) [Some-State]:state_g0
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:g0
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

The CSR we need to send for signing to our Certificate Authority is at key_csr.pem

Apache 2 Virtual Host SSL setup

Let's name the public key certificate that our Certificate Authority signed: signed_public.pem

Put the keys in the appropriate /etc/ssl/ directories
#cp signed_public.pem /etc/ssl/certs
#cp private_key.pem /etc/ssl/private

Enable mod_ssl
# cd /etc/apache2/mods-available/
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf


<IfModule mod_ssl.c>

<IfModule mod_gnutls.c>

Configure the Virtual Hosts:

#head -7

 DocumentRoot /var/www/
 SSLEngine on
 SSLOptions +StrictRequire
 SSLCertificateFile /etc/ssl/certs/signed_public.pem
 SSLCertificateKeyFile /etc/ssl/private/private_key.pem        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#head -9

 DocumentRoot /var/www/
 SSLEngine on
 SSLOptions +StrictRequire
        SSLProtocol all -SSLv2
 SSLCertificateFile /etc/ssl/certs/signed_public.pem
 SSLCertificateKeyFile /etc/ssl/private/private_key.pem  
      #  SSLCertificateChainFile 
      #  SSLCACertificateFile 
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Alternative MSIE SSL connection handling workaround
( taken from /usr/share/doc/apache2.2-common/README.Debian.gz )
SSL workaround for MSIE

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.

Apache 2 mod_ssl

Private Key and Certificate Signing Request CSR