howto found on http://slacksite.com/apache/certificate.html
Create key
openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
file1:file2:etc are .gz file which are used for entropy.
Create key without passphrase
openssl rsa -in server.key -out server.pem
Usefull to start Apache without a password. Keep this file secret.
Generate signing request
openssl req -new -key server.key -out server.csr
Questions are then asked interactively. The most important is "Common Name (eg, YOUR name)", it must match your server's name, ie www.foo.com.
Self-sign
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Do not hesitate to put a huge expiry delay (-days), experience shows "official" sining can be longer than expected, and there's no harm in having self-signed stuff lasting forever, as long as you accept it's self-signed.
What's usefull for Apache?
The key (.pem) and the certificate (.crt).