It's nice to make an SSL certificate for your server, so you can use it for serving secure web pages. As an added benefit, you can use it to provide a secure login for your mail users! Most POP3/IMAP programs support an SSL layer, so if you want to run a mail server, you can set it up to only accept secure connections. This is a real benefit, and I highly recommend doing so.
I generally make self-signed certificates, because I don't do anything secure that isn't for my own personal use, or something that I can easily explain to my users. The whole "pay money to get a signed certificate" thing is a scam in my opinion. If people only knew that the Certificate Signing Authority (CSA) companies don't care who you are as long as you pay 'em the cash (*cough* VeriSign), then they'd realize that the whole accept-certificate rigmarole that browsers give you is a joke. If you're doing business on my server, you're already trusting me, so there's no reason you shouldn't accept a certificate SIGNED BY ME.
*Ahem*. I'll get on with it.
If you want more detail on what we're doing here, look at http://www.jm-solutions.com/OpenSSL/Setup/setup02.php, or do some googling.
Make the private key and a Certificate Signing Request (CSR):
Remove the passphrase from the keyfile we just made, so Apache won't ask for it on boot:
Create a self-signed certificate good for 10 years:
Protect everything you just made:
When you're ready to use the certificate, you may have to adjust the permissions a bit depending on your needs. I generate a separate set of keys and certificates for my mailserver (named mailserver.csr, etc) and store them in /etc/ssl beside any webserver key I might have.
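The four steps above worked through in one script, as an added example rather than the post's own commands: it assumes the openssl CLI is installed, the directory, file names and subject are hypothetical, and it adds the checks I'd want before pointing a daemon at the files (key mode, key matches certificate, validity really is ten years).

```shell
#!/bin/sh
# Added example (not the original post's own commands). Assumes the openssl
# CLI is installed; directory, file names and subject are hypothetical.
set -eu

# make_selfsigned DIR NAME SUBJECT: key + CSR, strip passphrase, self-sign
# for 10 years, then lock the files down.
make_selfsigned() {
    dir=$1; name=$2; subj=$3
    mkdir -p "$dir"
    umask 077  # every file below is created owner-only from the start
    # 1. Passphrase-protected private key and a CSR (throwaway passphrase).
    openssl genrsa -aes256 -passout pass:temp -out "$dir/$name.key.enc" 2048
    openssl req -new -key "$dir/$name.key.enc" -passin pass:temp \
        -subj "$subj" -out "$dir/$name.csr"
    # 2. Remove the passphrase so the daemon can start unattended. From here
    #    on, whoever can read $name.key owns the identity: guard it by mode.
    openssl rsa -in "$dir/$name.key.enc" -passin pass:temp -out "$dir/$name.key"
    # 3. Self-signed certificate good for 10 years (3650 days).
    openssl x509 -req -days 3650 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt"
    # 4. Protect: keys owner-only; the certificate is public and may be world-readable.
    chmod 600 "$dir/$name.key" "$dir/$name.key.enc"
    chmod 644 "$dir/$name.crt"
}

# key_is_private FILE: succeed only if group and other have no permission bits.
key_is_private() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# cert_matches_key CERT KEY: the certificate must carry this key's public half.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# cert_valid_at_least_days CERT DAYS: -checkend exits 0 if still valid then.
cert_valid_at_least_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh make_cert.sh /etc/ssl mailserver "/CN=mail.example.invalid"
if [ $# -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3" && echo "$2: key, CSR and certificate written to $1"
fi
```

Run the three check functions against the files before restarting Apache or the mail server; a certificate that does not match its key or that expires early fails loudly here instead of in a client's error dialog.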