The openssl command line tool is the best way to manage X.509 certificates. It has a lot of options, but in general you only need a handful. The most important are:

Generate an RSA Key Pair

Before you can obtain an X.509 certificate, you will need to generate an RSA key pair. This will allow you to securely communicate with a certificate authority (CA) to establish your identity. Your web server will use this RSA key pair to sign responses identifying it as the bearer of the certificate.

To generate a 2048 bit RSA key pair and write it to a file, issue this command:

openssl genrsa -aes256 -out cryptofundamentals.key 2048

You will be prompted to enter a password for the key file, so that it can be encrypted (using AES-256 in this example).

Create a Certificate Signing Request

You need to send a request to your certificate authority for them to sign a certificate. The certificate vouches for your identity. It says that you control the site identified by the common name (CN), and that you are the bearer of the matching private key.

openssl req -new -key cryptofundamentals.key -days 365 -out cryptofundamentals.csr

The certificate signing request is itself signed using your RSA key, so you will have to provide the password. You can see the contents of the CSR file with this command.

openssl req -text -in cryptofundamentals.csr

You don't need the key to read the file, so you are not prompted for your passphrase. Send the CSR file to your certificate authority.

Receive an X.509 Certificate

When your certificate authority validates your identity, and your control over the domain, then they will send you a certificate. This will be in PEM format, and should be saved with a .cer extension. View the contents of this certificate to ensure that it is what you asked for.

openssl x509 -in cryptofundamentals.cer -text

The subject may not be exactly as you specified. The CA might not be able to vouch for the identity of your organization or your location. But they will vouch for your control over the domain. Therefore, the common name (CN) will be as you requested.

Package Key and Certificate into a PKCS #12 Keystore

Both IIS and Tomcat expect the certificate and the associated private key to be packaged into a single file. The common format for this file is PKCS #12, a Personal Information Exchange file. It typically has a .pfx or .p12 extension. To combine the key and certificate, issue the following command:

openssl pkcs12 -export -in cryptofundamentals.cer -inkey cryptofundamentals.key -out cryptofundamentals.pfx

You will be prompted to enter your passphrase for the encrypted key file. You will also be prompted to enter a new passphrase for the PCKS #12 file, since this file will contain your key. It doesn't necessarily need to be the same passphrase.

Strip the Passphrase from a Key

The above steps produce a PKCS #12 keystore that you can use in both IIS and Tomcat. But Apache does not use the PKCS #12 keystore format. It expects the key to be separate from the certificate. Furthermore, if the key is encrypted, Apache will prompt for your passphrase every time it starts. That means that you won't be able to reboot your web server without being logged in.

To fix this problem, strip the passphrase from the key file.

openssl rsa -in cryptofundamentals.key -out naked.key

This will prompt for your passphrase to decrypt the key, but it will not prompt for a new passphrase. That's because you didn't instruct openssl to encrypt the RSA key.

Do this with great caution! If an attacker can gain access to the key, your certificate will be compromised. Do this only on the server itself, and ensure that the naked key is accessible only by the Apache process.