
Server keys must be generated for the [Certificate Signing Request (CSR)|http://en.wikipedia.org/wiki/Certificate_signing_request]. More than one utility can create the keys, but openssl seems to be the more straightforward and popular choice.

Openssl will create one key at a time, whereas utilities such as IBM's ikeyman can create both in one step. The private key is needed to complete the CSR. When it comes time for renewal, you can either use your existing private key to generate the CSR and public key or generate a new one. It is to be determined whether it is best practice

\[info\] There is no clear consensus on whether creating a new private key or reusing an old one is considered best practice. It is not necessary to create a new private key every time the keys expire, nor is it necessary to reuse your existing one. It depends on which web server you are using (for example, you would need to create new private keys due to the way Microsoft IIS Web server handles storing private keys), but it seems that many sites like sslshopper.com recommend that a new private key be created, as it avoids confusion and is simplest. \[info\]
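
The workflow described above, as an added example that is not part of the original page: generate a server private key with openssl, build the CSR from it, and check which private key a CSR belongs to under both renewal options (reused key, new key). File names and the certificate subject are constructed placeholders.

```shell
#!/bin/sh
# Added example: file names and certificate subject are constructed placeholders.
WORKDIR=$(mktemp -d)
SUBJECT="/C=US/O=Example Org/CN=www.example.com"

# Generate a 2048-bit RSA private key; the umask keeps it owner-readable only.
new_key() {            # $1 = key file to create
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Build a CSR from an existing private key (first issuance or renewal).
make_csr() {           # $1 = key file, $2 = CSR file to create
    openssl req -new -key "$1" -subj "$SUBJECT" -out "$2"
}

# SHA-256 over the PEM public key derived from a private key.
key_fp() {
    pub=$(openssl pkey -in "$1" -pubout) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the PEM public key embedded in a CSR.
csr_fp() {
    pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True only when the CSR carries the public half of the given private key.
csr_matches_key() {    # $1 = CSR file, $2 = key file
    c=$(csr_fp "$1") && k=$(key_fp "$2") && [ "$c" = "$k" ]
}

# Initial request, then the two renewal options.
new_key  "$WORKDIR/server.key"
make_csr "$WORKDIR/server.key" "$WORKDIR/server.csr"
make_csr "$WORKDIR/server.key" "$WORKDIR/renew-reuse.csr"    # reuse the old key
new_key  "$WORKDIR/server-new.key"
make_csr "$WORKDIR/server-new.key" "$WORKDIR/renew-new.csr"  # fresh key

echo "original CSR   : $(csr_fp "$WORKDIR/server.csr")"
echo "renewal, reuse : $(csr_fp "$WORKDIR/renew-reuse.csr")"
echo "renewal, new   : $(csr_fp "$WORKDIR/renew-new.csr")"
```

A renewal CSR built from the existing key prints the same fingerprint as the original request; one built from a new key does not, so the matching private key file must be the one installed alongside the issued certificate.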

Generate Server Private Key

...