You'll need to generate a private key and a certificate signing request. This requires the openssl command-line client. First, generate the private key with:

# unencrypted, 4096-bit key
openssl genrsa -out privkey.pem 4096

# alternatively, encrypted
openssl genrsa -des3 -out privkey.pem 4096
The OpenSSL key HOWTO recommends a key length of at least 2048 bits; I'm using 4096 bits. If you choose to encrypt the key (which is probably wise), you'll have to enter the passphrase for it every time you start a server that uses it. This is not always practical, so you might have to opt for an unencrypted key and hope your disk is safe.
Now that you've got a key, you'll need to generate the certificate signing request:
# generate certificate signing request
openssl req -new -key privkey.pem -out cert.csr
# will ask some questions
# CommonName is domain name!

# display contents
cat cert.csr

The openssl client will ask you some questions about the certificate. Most of this information is ignored by CAcert.org (see their documentation), but the CommonName is extremely important: this is where you enter the fully-qualified domain name of the server you want a certificate for (e.g. www.mydomain.dom).
To get a signed certificate from CAcert.org, simply choose Server certificates → New and paste in the contents of the cert.csr file. You can then copy the signed server certificate from their website.
Depending on your application, you probably want to store that signed certificate along with the private key: simply edit the privkey.pem file in your favourite text editor and paste the signed certificate (including the delimiter lines) after the existing private key. You can then generally point your application at this file and it will be happy.
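The key, CSR and combined-file steps above as one non-interactive script, with the two checks worth running: that the CSR's CommonName is really the FQDN before you paste it into CAcert.org, and that the certificate you appended to privkey.pem actually belongs to that key. This is an added example, not code from the original post; the function names and WORKDIR are its own, and sign_locally produces a self-signed certificate only as a stand-in for the CAcert-signed one.

```shell
#!/bin/sh
# Added example (not from the original post). WORKDIR, the function names and
# the self-signed stand-in certificate are assumptions of this example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an unencrypted RSA key (default 4096 bits, as in the text) and a CSR
# whose subject is given on the command line, so openssl asks no questions.
make_key_and_csr() {
    fqdn="$1"
    bits="${2:-4096}"
    openssl genrsa -out "$WORKDIR/privkey.pem" "$bits" 2>/dev/null &&
    openssl req -new -key "$WORKDIR/privkey.pem" -subj "/CN=$fqdn" \
        -out "$WORKDIR/cert.csr" 2>/dev/null
}

# Print the CommonName the CSR actually carries; this is what the CA will sign.
csr_cn() {
    openssl req -in "$WORKDIR/cert.csr" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Stand-in for the CA step: self-sign the CSR with its own key.
sign_locally() {
    openssl x509 -req -in "$WORKDIR/cert.csr" -signkey "$WORKDIR/privkey.pem" \
        -days 1 -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Append a certificate to the key file, as the text describes.
append_cert() {
    cat "$1" >> "$WORKDIR/privkey.pem"
}

# Succeed only if the first key and the first certificate in the combined file
# share a modulus, i.e. the certificate really was issued for this key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run (2048 bits to keep it quick).
make_key_and_csr www.mydomain.dom 2048
echo "CSR CommonName: $(csr_cn)"
sign_locally && append_cert "$WORKDIR/cert.pem"
key_matches_cert "$WORKDIR/privkey.pem" && echo "key and certificate match"
```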
A less-well-known but nevertheless useful feature of SSL is that it can be used to authenticate clients to a server, as well as simply providing an encrypted communication channel. Unfortunately, CAcert.org's client certificates can only contain your email address, which can lead to limitations.
To generate a client certificate, you have to add your email address to the CAcert.org site (and of course follow the activation link in the test email). Once this is done, you can simply use the web interface to generate a certificate directly in your browser.
I found that Konqueror (3.5.2) failed to work here. It brought up the client certificate generation dialog etc., but for some reason the process failed. However, Firefox allowed me to generate the client certificate and then export it (they call it "backup") as a PKCS#12 file. I could then import it into Konqueror and it works fine. You can then tell Konqueror to present the client certificate to a specific webserver.
The PKCS#12 certificate can also be used for Subversion clients and other applications, although this is where the email address becomes a limiting factor.