Populate "extra" information as applicable. Be sure to remember the "challenge password" you configure as it will be needed to combine the private key and signed/returned CSR to generate final .pem for the WLC. Be sure "Common Name" is what you populate with FQDN: An example would be something like… controller.yourdomain.com
This will generate the mykey.pem (key file) and myreq.pem (csr) at the location C:\OpenSSL\bin\
Submit CSR (myreq.pem) to third-party CA, who will digitally sign and return via e-mail. When submitting CSR to CA, you may be asked the "server technology" that is being used. If that is the case, select "Apache". The same goes for SHA-1 or SHA-2 as 1 is the supported Hash Algorithm. If asked to specify, select SHA-1.
When the CSR has been signed and returned. Save the file to the same C:\OpenSSL\bin directory
See instructions on the page for combining a chained certificate in to one (1) .pem cert file.
Perform the following commands in OpenSSL to combine the returned CSR and key generated during the CSR request.