Below is a practical, secure checklist and step‑by‑step reference for issuing digital certificates online — covering public website/TLS certs, private/internal PKI (client/server certs), code signing, and automation. Pick the section that matches your use case.

Quick overview (what a secure issuance flow looks like)

• Decide the PKI model: public CA (trusted by browsers/OS) vs private/internal CA (for internal services/devices).
• Generate the key pair securely (prefer device/HSM-backed key generation; never send private keys in the clear).
• Create a CSR (certificate signing request) that includes the correct subject and SANs.
• Submit CSR to CA and complete validation (DV/OV/EV or automated device enrollment).
• Receive certificate and install it together with the CA chain; enable OCSP/CRL for revocation.
• Automate renewal and rotation; monitor expiry and key compromise.

1. Issuing TLS/HTTPS certificates for websites (common, public)

• For public-facing websites use a trusted CA. For most cases use an ACME-capable CA (e.g., Let's Encrypt) and an ACME client (Certbot, acme.sh, or your platform’s managed cert service).
• Secure steps:
  1. Generate key locally (prefer hardware-backed) using strong algorithms:
     • RSA 3072 or 4096, or ECDSA P-256 (secp256r1) / P-384 for smaller keys.
     • Use SHA-256+ for signing; avoid SHA-1.
  2. Create CSR with correct CN and SANs (subjectAltName).
  3. Use ACME to prove domain control (HTTP-01, DNS-01, or TLS-ALPN-01).
  4. Install certificate and the intermediate chain on the server.
  5. Configure server for modern TLS (TLS 1.2+ or 1.3, ECDHE, disable old ciphers).
  6. Enable OCSP stapling, HSTS, and automatic renewal (ACME automates renewal; check expiry alerts).
• Typical ACME/Certbot example (Linux web server):
  • Certbot for nginx: certbot --nginx -d example.com -d www.example.com
  • Certbot in webroot mode: certbot certonly --webroot -w /var/www/html -d example.com
• If you cannot use ACME, purchase a cert from a commercial CA, upload your CSR via their web/API, complete their validation, and install the provided cert + chain.

2. Issuing private/internal certificates (internal services, mutual TLS, device enrollment)

• Options: run your own CA (OpenSSL-based CA, HashiCorp Vault PKI, Smallstep/step-ca, Microsoft AD CS), or use an enterprise CA.
• Prefer issuing private keys on the end device or inside an HSM/TPM and submit just the CSR.
• For device / large fleet enrollment, use automated enrollment protocols: SCEP (older), EST (modern), CMP, or an MDM/PKI integration.
• Example flow to sign an internal CSR with your CA (openssl):
  • Create CA key and cert (one-time): openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=US/O=Org/CN=MyInternalCA"
  • Sign a CSR: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile v3.ext
  • Ensure v3.ext contains appropriate keyUsage and subjectAltName.
• For client certificates (mutual TLS), set Extended Key Usage to clientAuth and generate PKCS#12 for distribution only if devices must import private key.

3. Code signing and document signing

• Obtain a code-signing certificate from a reputable CA or use an internal signing authority for internal apps.
• Use hardware security modules (HSMs) or cloud KMS (AWS CloudHSM, Azure Key Vault) to protect code-signing keys.
• Enforce least privilege and audit signing operations. Rotate keys regularly.

4. Protecting private keys

• Best practice: generate keys on the endpoint or in an HSM/KMS and never export unencrypted private keys.
• If you must export, use encrypted PKCS#12 with a strong passphrase and short distribution windows.
• Use secure key storage: hardware tokens, YubiKeys, TPM, HSM, or cloud KMS.

5. Revocation & validation

• Publish CRL or support OCSP; for TLS prefer OCSP stapling so clients don’t need direct OCSP lookups.
• Have a documented incident response for compromised keys (revoke immediately, reissue, rotate).

6. Automation & lifecycle management

• Automate issuance and renewal to avoid outages:
  • Use ACME for public TLS (Let’s Encrypt or other ACME CAs).
  • Use cert-manager for Kubernetes clusters.
  • For enterprise/private CAs use Vault PKI, Smallstep, or automation via CA REST APIs.
• Monitor certificates (expiry, chain changes) with alerting integrated into your ops monitoring.

7. Technical examples (OpenSSL quick commands)

• Generate a private key (RSA 4096): openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:4096
• Generate EC key (P-256): openssl ecparam -genkey -name prime256v1 -noout -out key.pem
• Create CSR (interactive): openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
• Create a self-signed cert (testing only): openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout key.pem -out cert.pem -subj "/CN=example.com"
• Export key+cert to PKCS#12: openssl pkcs12 -export -out bundle.p12 -inkey key.pem -in cert.pem -certfile ca-chain.pem

8. Security checklist (short)

• Generate keys in a secure, non-exportable context if possible (HSM/KMS).
• Use modern algorithms (ECDSA P-256/P-384 or RSA >= 3072) and SHA-256+.
• Limit certificate lifetime and automate renewal.
• Use SANs (subjectAltName); avoid relying on CN alone.
• Restrict key usage and EKU fields appropriately.
• Enable OCSP stapling and publish CRL/OCSP.
• Monitor expiry and use alerts; test renewals periodically.
• Audit issuance and keep logs for compliance.

Common tools & services (pick depending on needs)

• Public TLS: Let’s Encrypt (ACME) + Certbot or acme.sh
• Managed/Cloud: AWS Certificate Manager, Azure Key Vault & App Service Certificates, Google Managed SSL
• Internal CA / automation: HashiCorp Vault PKI, Smallstep (step-ca), Microsoft AD CS
• Kubernetes: cert-manager
• HSM/KMS: AWS CloudHSM / KMS, Azure Key Vault, Google Cloud KMS, on-prem HSMs
• Enrollment protocols: SCEP (legacy), EST (preferred for REST/TLS enrollment), ACME (for domain-validated TLS)

If you tell me which specific certificate type you need (website TLS, mutual TLS client certs, code signing, document signatures, or internal device enrollment) and your platform (Linux server, Kubernetes, Windows AD, cloud provider), I can give a tailored, step‑by‑step command sequence and a secure config sample for installation and automation.