From 2011 onwards, a new SSL certificate for a server needs a 2048-bit private key. This command creates both the key and the certificate signing request (CSR):
openssl req -new -nodes -newkey rsa:2048 -keyout example.key -out example.csr
That's it. Send the CSR to your ISP and you should get your SSL cert back. You can also edit:
/etc/ssl/openssl.cnf
and change the default_bits line to 2048; all new keys will then be created with 2048 bits.
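
A check worth running before the CSR is sent off, as an added example that is not part of the original post: it generates the key and CSR with the same command, then confirms that the CSR records a 2048-bit key and that it matches the private key. The example.com subject, the function names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: create a key and CSR, then verify them before submission.
# example.com and the scratch directory are placeholder values.

make_csr() {
    # $1 = output directory, $2 = common name (placeholder)
    # -subj skips the interactive prompts. -nodes leaves the private key
    # unencrypted on disk, so create it under a restrictive umask.
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 \
          -keyout "$1/example.key" -out "$1/example.csr" \
          -subj "/CN=$2" 2>/dev/null )
}

csr_bits() {
    # $1 = CSR; print the public key size in bits recorded in the request.
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

csr_matches_key() {
    # $1 = CSR, $2 = private key; succeed only if the RSA moduli are identical,
    # i.e. the request was really made from this key.
    csr_mod=$(openssl req -in "$1" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus) || return 1
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Demo run in a scratch directory (constructed values).
tmp=$(mktemp -d)
if make_csr "$tmp" example.com; then
    echo "key size in CSR: $(csr_bits "$tmp/example.csr") bits"
    if csr_matches_key "$tmp/example.csr" "$tmp/example.key"; then
        echo "CSR matches private key"
    else
        echo "CSR does NOT match private key" >&2
    fi
fi
rm -rf "$tmp"
```
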