If you need a new SSL certificate for a server you will need a 2048bit private key from 2011 onwards. This command creates both:
openssl req -new -nodes -newkey rsa:2048 -keyout example.key -out example.csr
Thats it send the CSR to you ISP and you should get you SSL cert back. You can also edit:
And change the default_bits line to 2048 then all new keys we be created with 2048bits.