Installing new CA Certificate on Apache

Just took me some time to get the necessary steps together, so let's summarize it.

Basically SSL is already up and running but now I just want to have a new CA certificate in place.

First of all we create a new 2048-bit RSA private key stored in the file domain.com.key:

# openssl genrsa -out domain.com.key 2048

Next we need to create a CSR (Certificate Signing Request) with the RSA private key. Just specify all the required information and do NOT enter extra attributes at the prompt. This will give us a file domain.com.csr.

# openssl req -new -key domain.com.key -out domain.com.csr

Now we take the content of the CSR file (domain.com.csr, which is PEM-encoded) and deliver it to the CA. This can be done on the web, for example at Thawte or wherever you get your certs from.

What we get back is the certificate and we store it in domain.com.crt.

Additionally we download the intermediate CA file from our certificate authority, which is a PEM file like httpd-ca.pem.

Now we have all three files we need:

  • domain.com.key
  • domain.com.crt
  • httpd-ca.pem

The last part is adding it to the Apache config file:

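# Enable SSL/TLS for this virtual host
SSLEngine on
# Certificate we got back from the CA
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
# Private key created in the first step
SSLCertificateKeyFile /etc/pki/tls/certs/domain.com.key
# Intermediate CA file downloaded from the CA
SSLCACertificateFile /etc/pki/tls/certs/httpd-ca.pem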
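
Before pointing Apache at the three files, it is worth checking that they actually belong together. The script below is an added example, not part of the original post: the function names `check_bundle` and `make_demo` are hypothetical, and the "Demo CA" it generates is constructed test data standing in for the real CA.

```shell
#!/bin/sh
# Added example: sanity-check key, certificate and CA file before reloading Apache.
# File names follow the post; the throwaway "Demo CA" below is constructed test data.

# check_bundle KEY CRT CAFILE: prints each problem, returns the number of failed checks.
check_bundle() {
    key=$1 crt=$2 cafile=$3 fails=0
    # 1. The certificate must contain the public key of our private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cpub=
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $crt was not issued for $key"; fails=$((fails + 1))
    fi
    # 2. The certificate must be signed by a CA in the CA file and be inside its
    #    validity period (-partial_chain lets an intermediate act as the anchor).
    if ! openssl verify -partial_chain -CAfile "$cafile" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $cafile"; fails=$((fails + 1))
    fi
    # 3. The private key must not be accessible to group or others.
    mode=$(ls -ldL "$key" 2>/dev/null | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is accessible to group/others ($mode)"; fails=$((fails + 1))
    fi
    return "$fails"
}

# make_demo DIR: build a constructed CA plus key/CSR/certificate with the post's commands.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/httpd-ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/domain.com.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/domain.com.key" -subj "/CN=domain.com" \
        -out "$d/domain.com.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/domain.com.csr" -CA "$d/httpd-ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/domain.com.crt" 2>/dev/null &&
    chmod 600 "$d/domain.com.key"
}

# Stand-alone run: generate the demo files, check them, clean up.
demo=$(mktemp -d) && make_demo "$demo" &&
    check_bundle "$demo/domain.com.key" "$demo/domain.com.crt" "$demo/httpd-ca.pem" &&
    echo "OK: key, certificate and CA file are consistent"
rm -rf "$demo"
```

Against the real files, call `check_bundle` with the three paths from the Apache config; a non-zero return value is the number of checks that failed.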