I have to do this every three years, and it's always a pain to remember.
sudo su
cd /etc/ssl/mycerts/
openssl req -new -newkey rsa:2048 -nodes -keyout serverdomain.key -out serverdomain.csr
Answer the questions. Most places don't care about the Organizational Unit. Leave the challenge password blank (press Enter).
cat serverdomain.csr
Copy the output (including the BEGIN and END tags) into the supplier's form.
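
Before pasting, it is worth confirming that the CSR is intact, that it belongs to the key just written, and that the unencrypted key is not readable by other users. The script below is an added example, not part of the original note; check_csr and make_sample are names made up here, and example.test is a placeholder subject.

```shell
#!/bin/sh
# Added example (not from the original note): sanity-check a CSR before
# pasting it into the supplier's form.

# check_csr KEY CSR: returns 0 only if all three checks pass.
check_csr() {
    key=$1 csr=$2

    # 1. Self-signature must verify; catches a truncated or mangled copy.
    #    Match the message text: older openssl builds exit 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR self-signature does not verify" >&2; return 1; }

    # 2. The public key in the CSR must belong to the private key on disk,
    #    otherwise the issued certificate will not work with this key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: CSR was not generated from $key" >&2; return 1; }

    # 3. -nodes leaves the key unencrypted, so file mode is its only guard.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: $key is readable by group/others (chmod 600)" >&2; return 1
    fi
    echo "OK: $csr matches $key"
}

# make_sample DIR: constructed throwaway key + CSR for trying the check
# (example.test is a placeholder; -subj skips the interactive questions).
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/sample.key" -out "$1/sample.csr" 2>/dev/null
}

# Real use, from /etc/ssl/mycerts/: check_csr serverdomain.key serverdomain.csr
```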