Generate a CSR (Certificate Signing Request) on your server when you want to get a certificate from a certified provider is often a mandatory step, very easy to execute.

Here are the different steps to execute:

1. Create a specific directory where you will put all your files

   mkdir sub.domain.com && cd sub.domain.com

2. Generate a private key of 2048 bits

    openssl genrsa -out sub.domain.com.key 2048

3. Now generate a CSR with openssl and with the private key you just generated

   openssl req -new -sha256 -key sub.domain.com.key -out sub.domain.com.csr

   Many information will be asked during the creation:

   Country Name (2 letter code) []: 
   State or Province Name (full name) []:
   Locality Name (eg, city) []:
   Organization Name (eg, company) []:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, YOUR name) []:
   Email Address []:
   A challenge password []:
   An optional company name []:

4. You now have your CSR and your private key

It’s up to you to get your signed certificate from an official provider using those files.

It can happen that you’re getting that message when trying to connect to your linux server:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user mylinuxuser.
(current) UNIX password:

The message is quite explicit and you need to update your password right now.

If you don’t want to update your password too many times, you can update the frequency of the expiration to 90 days for example:

chage -M 90 mylinuxuser

Or you can completely disable the expiration by pushing the max value for expiration date to 99999 days:

chage -m 0 -M 99999 -I -1 -E -1 mylinuxuser