Note: if you’re looking to use Let’s Encrypt as your Certificate Authority, please see my separate post here.
I wrote the below as more of an aide-memoire when I was shifting my website around while experimenting with different hardware platforms for OpenBSD. I still have a paid-for SSL Certificate that I use for one of my sites. I use Let’s Encrypt for the others. The below provides a basic step-by-step. More detail is explained in the man page.
Step 1: Generate an RSA Key
# openssl genrsa -out /etc/ssl/private/my.key 4096
Step 2: Use the generated key to generate a Certificate Signing Request (CSR)
# openssl req -new -key /etc/ssl/private/my.key -out /etc/ssl/private/my.csr
Step 3: Submit to your Certificate Authority (CA)
Follow their procedures. You’ll probably need to copy and paste in the contents of the .csr file generated in Step 2 above. Only the .csr goes to the CA; the .key file stays on your server.
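Steps 1 and 2 can also be run non-interactively and checked before anything is pasted into the CA's form. The script below is an added example, not part of the original post; the directory argument, the my.key/my.csr names under it and the /CN=www.example.com subject are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: generate the key and CSR without prompts, then confirm the
# CSR is well-formed and really belongs to the key before submitting it.
# Usage (placeholder values):
#   make_csr /etc/ssl/private "/CN=www.example.com" && \
#   check_csr /etc/ssl/private/my.key /etc/ssl/private/my.csr

# make_csr DIR SUBJECT [BITS]: write DIR/my.key and DIR/my.csr
make_csr() {
    dir=$1
    subj=$2
    bits=${3:-4096}   # 4096 matches Step 1 above
    # Restrictive umask in a subshell: the key file is created owner-only
    # rather than being tightened with chmod after the fact.
    ( umask 077 && openssl genrsa -out "$dir/my.key" "$bits" 2>/dev/null ) || return 1
    # -subj supplies the subject on the command line instead of the prompts
    openssl req -new -key "$dir/my.key" -subj "$subj" -out "$dir/my.csr"
}

# check_csr KEY CSR: succeed only if the CSR's self-signature verifies and
# the public key inside the CSR is the one derived from KEY
check_csr() {
    key=$1
    csr=$2
    # Match the "verify OK" message rather than trusting the exit status alone
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    from_csr=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}
```

If check_csr fails, the CSR was built from a different key (or is damaged), and a certificate issued from it would not work with my.key.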