(Originally copied from  by Pascal Scheffers.)
Create a key file
To create a certificate request with that key, you will need to answer some questions. The most important one is "Common Name" which MUST be the hostname of the server you're creating a certificate for. Only "Common Name" is required, for the SSL-RFC, but your Certificate Authority (Verisign, Thawte, etc.) will require some of the other fields. Just fill them all out, to be safe. The last two questions may be required for the registration procedure of some certificate authorities.
You can now send the request.pem file to some commercial Certificate Authority and wait for the certificate, or create your own "self-signed" certificate for testing purposes.
To create the self-signed certificate, do the following:
Update: This may be wrong. The right way may be:
Now you have a self-signed certificate.
When you get your actual certificate from the CA, you may have to convert it from binary/DER to PEM format:
Obtaining a server certificate with Internet Explorer
Most Certificate Authorities have an website that lets you request a certificate with Internet Explorer. It is very simple to convert such a certificate to a cert.pem and key.pem file. After you have obtained the
certificate (do make sure that you keep the key exportable when you request the certificate!), you must first export it to a file:
From internet explorer, open the Tools menu, and choose Internet options. On the 'Content' tab click the 'Certificates' button. Select your server certificate and click 'export'.
Select that you want to export the private key, on the .PFX options, DO NOT include all certificate in the path and DO NOT enable strong protection. When asked to, provide a nice and long password if you need to transfer the resulting certificate.pfx file over email.
Now on your server machine:
The resulting certificate.pem will contain both the certificate AND the key. You can either remove the key from this file and put it in a key.pem file or do as I do: change the keyfile parameter in your config.tcl from ". /key.pem" to ". /certificate.pem", so that the server looks in certificate.pem for both the key AND certificate.
This document was written by Pascal Scheffers (firstname.lastname@example.org) for the OpenACS project. I relied on the documentation efforts of the people from the OpenSSL project and the nsopenssl readme.txt. Thank you.
The subset of this document on the wiki was edited by Dossy Shiobara.