Essentially we will use something like letsencrypt which will generate our public/private keys, send a csr to the CA, get the cert, and install it so that apache is aware of it.
letsencrypt
Our browser likely won't trust certificates signed by letsencrypt unless we specifically tell the browser that it should be trusted.