Generate CSRs on the server that will terminate TLS whenever possible. After issuance, remove plaintext keys from ticket attachments and password managers shared channels.
Verification
Confirm SAN lists cover every hostname customers will type, including apex and www variants if both are live.
Warning
Never paste private keys into chat or email. Rotate immediately if exposure is suspected.