Certificat pour apache avec debian

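#Debian:
# Generate a self-signed certificate and its private key for Apache.
mkdir /etc/apache2/ssl
# apache.pem receives BOTH the certificate and the unencrypted private key
# (-nodes = no passphrase). Create it under umask 077 so the key is never
# readable by other local users, not even for the instant before chmod runs.
# -newkey rsa:2048 and -sha256 pin the key size and signature digest instead of
# inheriting whatever the installed openssl.cnf defaults to.
# NOTE(review): -days 3650 gives a ten-year certificate; plan a rotation date.
(
  umask 077 &&
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
      -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
)
chmod 600 /etc/apache2/ssl/apache.pem
# Create the <subject-hash>.0 symlink that OpenSSL-style certificate
# directories use for lookup. The link is only created when the hash could
# actually be computed, so a failed openssl run does not leave a bare ".0" link.
cert_hash=$(/usr/bin/openssl x509 -noout -hash < /etc/apache2/ssl/apache.pem) &&
  ln -sf /etc/apache2/ssl/apache.pem "/etc/apache2/ssl/${cert_hash}.0"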

#ubuntu 6.06
# Distribution helper used on this release in place of the manual openssl
# steps above. NOTE(review): presumably it writes the same kind of combined
# key+certificate PEM; check the resulting file's permissions (expected 600).
apache2-ssl-certificate

Dans un virtual host (/etc/apache2/sites-enabled/...) :
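NameVirtualHost *:443
<VirtualHost *:443>
	SSLEngine On
	# Certificate and private key are read from the same PEM file; it holds the
	# unencrypted key, so it must stay mode 600 and owned by root.
	SSLCertificateFile    /etc/apache2/ssl/apache.pem
	SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
	# Legacy workarounds for old MSIE keep-alive / SSL shutdown behaviour.
	BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
	                          downgrade-1.0 force-response-1.0
	BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
	# The previous cipher string explicitly enabled SSLv2, export-grade (EXP)
	# and LOW suites, all of which are cryptographically broken. Restrict the
	# server to current protocol versions and strong, authenticated ciphers.
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite HIGH:!aNULL:!MD5
#	...
</VirtualHost>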

# Enable the ssl module (mod_ssl); Apache must be restarted afterwards for the
# module and the :443 virtual host to take effect.
a2enmod ssl

Créer une demande de certificat (.csr)

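# Generate a new 2048-bit RSA key and a certificate signing request.
# -nodes leaves server.key unencrypted, so it is created under umask 077 to
# keep it unreadable by other local users. Only server.csr is sent to the CA;
# server.key never leaves this machine.
(umask 077 && openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr)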

Générer un certificat ssl pour apache

# mod-ssl-makecert (option 3, no encryption). Vu sur gforge debian install guide

Steps

First, replace the *_default values in the configuration with your own, including commonName_default/emailAddress_default:
# vim /etc/pki/tls/openssl.cnf
Note that, strangely, emailAddress_default doesn't work,
and that if you want to retry, you must first erase ../../private/cakey.pem

then create the certificate
# cd /etc/pki/tls/misc
# ./CA -newca
# ./CA -newreq
# ./CA -sign

Then copy all the files into one directory for later use (serverkey.pem holds the server's private key, so keep this directory readable by root only)
# cd .. 
# mkdir myCA
# cd myCA
# cp /etc/pki/CA/cacert.pem .
# cp /etc/pki/tls/misc/newcert.pem servercert.pem
# cp /etc/pki/tls/misc/newreq.pem serverkey.pem
# ls

Then copy them over Apache's existing certificate and key (back up the originals first ;p)
# mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bck
# mv /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server.key.bck
# cp servercert.pem /etc/httpd/conf/ssl.crt/server.crt 
# cp serverkey.pem /etc/httpd/conf/ssl.key/server.key

Last thing: enable SSL (and set DocumentRoot, ServerName, ServerAdmin)
# vim /etc/httpd/conf.d/ssl.conf