How to issue an SSL certificate?
Maybe someone has worked at a certification authority, or just knows this: for work, a person urgently needs to figure out how to work with this. Any reference is welcome, +++ to karma. Googled it, didn't really find anything specifically about issuance.
1. distribution of self-signed certificates
2. distribution of free certificates (startssl, letsencrypt)
3. becoming a reseller of certificates, e.g. https://www.comodo.com/partners/ssl-reseller.php
For people unfamiliar with X.509, issuing certificates is usually associated with something official, with forms, fields, buttons and the like...
But in fact, everything is much simpler.
A certification authority (CA, Certificate Authority) is just a wrapper around OpenSSL, since everything is done through it (or through its Windows analogue). You need a CA certificate, its key and a small config that specifies which fields the certificate will have and what they will contain. The certificate itself is just a binary file containing some information (which information is specified in the certificate template generated by the CA). The whole value of a certificate, what the money is paid for, is that the CA guarantees the correctness of this information. That is why it is not recommended for commercial sites to take certificates from the likes of letsencrypt: yes, I can write "Passport" on a piece of paper, but who will believe me?
To issue certificates from your own CA, first of all everyone who will use these certificates needs to install the CA's own certificate and mark it as trusted. This cannot be done everywhere: for example, in Android adding your own root CA leads to a yellow triangle with the message "AAAA, they are watching you!", and in Windows Phone it is simply impossible. If this is not done, every access to a device that uses such a certificate will produce constant complaints about an untrusted certificate.
The process of obtaining the actual certificate consists of:
- generating a certificate request (CSR, Certificate Signing Request) and a key
- transferring the CSR to the CA
- generating the certificate itself
- returning the certificate to where the request was generated.
A CSR is a binary file; it can be produced in many different ways: with OpenSSL, with Windows tools, and many devices generate a CSR themselves. A CSR is not a certificate, only the source data for one. Along with the certificate, a certificate key is generated, which must be kept secret. Loss of the certificate key means an attacker can freely use the certificate, and no one will be able to tell whether it was the certificate's owner who used it or not.
To send a CSR to a CA, it is usually base64-encoded and sent as text. If the text begins with ---BEGIN CERTIFICATE---, that is exactly it.
The CA, having received the CSR, generates the certificate and returns it to whoever produced the CSR. The certificate is also base64-encoded.
The validity period of a certificate is limited. For ordinary certificates it is a year, but nothing prevents you from making it longer or shorter. The CA certificate itself is usually valid for a long time, 5 to 10 years.
You cannot change the contents of a certificate, so when generating a CSR you need to be very careful, unless of course you have a corporate CA.
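The procedure described in this answer (CA key and certificate, server key and CSR, CA signs the CSR, certificate goes back and is verified), carried out end to end with OpenSSL. This is an added example, not code from the original answer. It assumes a POSIX shell with openssl 1.1.1 or 3.x on PATH; the CA name "Example Corp Root CA", the hostname app.internal.example and the scratch directory are made up. It also shows what the two PEM files actually start with: the request with BEGIN CERTIFICATE REQUEST, the issued certificate with BEGIN CERTIFICATE.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes openssl 1.1.1+ on PATH.
# All names (CA, hostname, paths) are made up for the demonstration.
set -eu

# Build a private CA and issue one server certificate from a CSR.
#   $1 = scratch directory, $2 = hostname to put in the certificate
issue_cert() {
    dir=$1
    name=$2
    mkdir -p "$dir"

    # The "small config" the answer mentions: which fields and extensions
    # the CA and the leaf certificates get. Self-contained, so the run does
    # not depend on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[csr_ext]
subjectAltName = DNS:$name
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

    # 1. The CA: a private key and a self-signed root certificate (10 years).
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Corp Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. On the server: its own private key plus a CSR. Only the CSR is sent
    #    to the CA; server.key never leaves this host.
    openssl req -new -config "$dir/openssl.cnf" -reqexts csr_ext \
        -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. At the CA: sign the CSR for one year. Extensions come from the CA's
    #    own template (leaf_ext), not from whatever the requester put in the CSR.
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions leaf_ext \
        -out "$dir/server.crt" 2>/dev/null

    # 4. Back on the server: check that the returned certificate chains to the CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# First line of a PEM file: shows what a CSR and a certificate really start with.
pem_header() { head -n 1 "$1"; }

# The CA only ever saw the CSR, so the public key in the issued certificate
# must equal the one derived from the private key that never left the server.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Subject the CA actually put into the certificate (for inspection).
cert_subject() { openssl x509 -in "$1" -noout -subject; }

out=$(mktemp -d)
issue_cert "$out" app.internal.example
echo "CSR starts with:  $(pem_header "$out/server.csr")"
echo "Cert starts with: $(pem_header "$out/server.crt")"
cert_subject "$out/server.crt"
```

Two points the script makes explicit: the server's private key is created together with the CSR and is never handed to the CA, and the CA decides the extensions of the issued certificate from its own template rather than trusting whatever the CSR asked for. Trusting the result on clients still requires installing ca.crt as a trusted root, as the answer says.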