Here is a step-by-step description:

1. Make sure OpenSSL is really installed and in your PATH. But some commands even work ok when you just run the ``openssl'' program from within the OpenSSL source tree as ``./apps/openssl''.
   
   
2. Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):
   
   $ openssl genrsa -des3 -out server.key 1024
   
   Please backup this server.key file and remember the pass-phrase you had to enter at a secure location. You can see the details of this RSA private key via the command:
   
   $ openssl rsa -noout -text -in server.key
   
   And you could create a decrypted PEM version (not recommended) of this RSA private key via:
   
   $ openssl rsa -in server.key -out server.key.unsecure
   
   
3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
   
   $ openssl req -new -key server.key -out server.csr
   
   Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via , enter " here. You can see the details of this CSR via the command
   
   $ openssl req -noout -text -in server.csr
   
   
4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is then a real Certificate which can be used for Apache. Here you have two options: First you can let the CSR sign by a commercial CA like Verisign or Thawte. Then you usually have to post the CSR into a web form, pay for the signing and await the signed Certificate you then can store into a server.crt file. For more information about commercial CAs have a look at the following locations:
   
   
   1. Verisign
      
   2. Thawte Consulting
      
   3. CertiSign Certificadora Digital Ltda.
      
   4. IKS GmbH
      
   5. Uptime Commerce Ltd.
      
   6. BelSign NV/SA
      
   Second you can use your own CA and now have to sign the CSR yourself by this CA. Read the next answer in this FAQ on how to sign a CSR with your CA yourself. You can see the details of the received Certificate via the command:
   
   $ openssl x509 -noout -text -in server.crt
   
5. Now you have two files: server.key and server.crt. These now can be used as following inside your Apache's httpd.conf file:

          SSLCertificateFile    /path/to/this/server.crt
          SSLCertificateKeyFile /path/to/this/server.key
          

   The server.csr file is no longer needed.

The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:

1. Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):
   
   $ openssl genrsa -des3 -out ca.key 1024
   
   Please backup this ca.key file and remember the pass-phrase you currently entered at a secure location. You can see the details of this RSA private key via the command
   
   $ openssl rsa -noout -text -in ca.key
   
   And you can create a decrypted PEM version (not recommended) of this private key via:
   
   $ openssl rsa -in ca.key -out ca.key.unsecure
   
   
2. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
   
   $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
   
   You can see the details of this Certificate via the command:
   
   $ openssl x509 -noout -text -in ca.crt
   
   
3. Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
4. Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):
   
   $ ./sign.sh server.csr
   
   This signs the server CSR and results in a server.crt file.
   

You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following commands:

$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key

Here you're asked two times for a PEM pass-phrase. At the first prompt enter the old pass-phrase and at the second prompt enter the new pass-phrase.

The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps:

1. Remove the encryption from the RSA private key (while preserving the original file):
   
   $ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
   
   
2. Make sure the server.key file is now only readable by root:
   
   $ chmod 400 server.key
   
   

Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable only by root).

As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course.