In my experience, to generate a certificate I use keytool or openssl.
1. Generate your private key.
2. Generate a CSR from that private key.
3. Submit the .csr to your certificate authority (CA), e.g. DigiCert, VeriSign, Entrust, etc.
4. You can download your signed certificates, or they can email them to you.
How to install in Apache?
Some CAs will tell you to download their INTERMEDIATE CA (these are the certs that verify whether your certificate is authentic or not).
5. You have to download the INTERMEDIATE CA from your CA company.
Then install in Apache.
In my case this is my configuration on RHEL 4 :-) MY REDHAT IS TOO OLD :-).
# signed certificate from STEP #4
SSLCertificateFile /etc/httpd/conf/ssl.crt/signedcert.crt
# private key from STEP #1
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourprivatekey.key
# intermediate CA from STEP #5
SSLCACertificateFile /etc/httpd/conf/ssl.crt/intermediate.crt
THIS IS HOW YOU GENERATE SHA2...
AVOID SHA1 NOW...
THESE ARE THE COMMANDS TO CONVERT YOUR CERTIFICATE TO DIFFERENT FORMATS
HOPE THIS WILL HELP YOU..
SEE THIS IN YOUR LINK ON ENTRUST.NET IN YOUR POST, SO I DISCOURAGE YOU FROM USING SHA1... ALSO DISABLE SSLV3 IN YOUR APACHE CONFIGURATION DUE TO THE POODLE ATTACK, JUST USE TLSXX
The upgrade to SHA-2 conforms to a change among server and browser manufacturers to deprecate use of SHA-1:
Microsoft announced in late 2013 that they would no longer accept SHA-1 signed certificates which expire after January 1, 2017:
In September 2014 Google announced that the Chrome browser would gradually deprecate SHA-1 support, and would also reject SHA-1 signed certificates which expire after January 1, 2017. In addition, SHA-1 signed certificates which expire in 2016 would be flagged as secure but with errors.
Also in September 2014, Mozilla announced that they would also reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla is the basis of a family of browsers, the most well-known being Mozilla Firefox.
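An added example, not part of the original post: steps 1 and 2 done with openssl so the CSR is signed with SHA-256, plus two checks worth running before installing anything in Apache (which hash signed the file, and whether the private key really belongs to it). The file name request.csr and the host name www.example.test are assumptions made for the example.

```shell
#!/bin/sh
# Added example: key + SHA-256 CSR, then pre-install checks.
# request.csr and www.example.test are constructed placeholders.

# Steps 1 and 2: 2048-bit RSA key and a CSR signed with SHA-256.
make_key_and_csr() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/yourprivatekey.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/yourprivatekey.key"   # key readable by owner only
    openssl req -new -sha256 -key "$dir/yourprivatekey.key" \
        -subj "/CN=$cn" -out "$dir/request.csr"
}

# Pick the openssl subcommand from the file extension (.csr or certificate).
subcmd_for() {
    case $1 in
        *.csr) echo req ;;
        *)     echo x509 ;;
    esac
}

# Print the signature algorithm of a PEM CSR or certificate.
sig_alg() {
    openssl "$(subcmd_for "$1")" -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds (exit 0) when the file was signed with SHA-1.
is_sha1_signed() {
    case $(sig_alg "$1") in
        *[Ss][Hh][Aa]1*) return 0 ;;
    esac
    return 1
}

# Succeeds when the private key ($1) matches the CSR or certificate ($2).
key_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    other_pub=$(openssl "$(subcmd_for "$2")" -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$other_pub" ]
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_key_and_csr "$demo_dir" www.example.test &&
    echo "CSR signature algorithm: $(sig_alg "$demo_dir/request.csr")"
rm -rf "$demo_dir"
```

The same sig_alg and key_matches calls work on the signed certificate the CA returns, so a SHA-1 signature or a key mismatch shows up before Apache is restarted.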