Generate a CA and self-signed certificates

Create CA:

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create certificate:

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

Make sure you enter different things for organization, unit and common name! Don’t use the IP address as CN, as Konqueror cannot verify it.

Sign the certificate:

sign.sh server.csr

Create passphrase-less key file for Apache, Postfix and Courier:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

Create a file combining certificate and key for Courier and Postfix:

cat server.key server.crt > courier_postfix.pem
(in the combined file, strip out everything that came from server.crt before its BEGIN CERTIFICATE line; the key block stays)
openssl gendh >> courier_postfix.pem

Don’t forget to:

chmod -R 0600 *

and copy the CRT, KEY and PEM files to Apache’s, Courier’s and Postfix’s config dir.
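
A check worth running on courier_postfix.pem before copying it, as an added example that is not part of the original post: it confirms the file holds exactly one unencrypted key, a certificate and DH parameters, has no leftover text between the blocks, and is mode 600. The function name check_pem is hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# check_pem FILE: inspect a combined key + certificate + DH file before deploying.
# Prints one line per finding; returns 0 only when nothing was found.
# check_pem is a hypothetical helper name, not a tool from the post.
check_pem() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # The key has no passphrase, so file permissions are its only protection.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = 600 ] || [ "$mode" = 400 ] || { echo "mode is $mode, want 600"; rc=1; }
    # Count block types; flag text outside BEGIN/END pairs (the readable dump
    # a signing script may leave in front of the certificate) and keys that
    # are still passphrase-protected.
    awk '
        function bad(m) { print m; err = 1 }
        /^-----BEGIN / {
            if (inblk) bad("BEGIN inside an open block at line " NR)
            inblk = 1
            if ($0 ~ /ENCRYPTED/) bad("encrypted key at line " NR)
            if ($0 ~ /PRIVATE KEY-----$/) key++
            if ($0 ~ /BEGIN CERTIFICATE-----$/) crt++
            if ($0 ~ /DH PARAMETERS-----$/) dh++
            next
        }
        /^-----END / { if (!inblk) bad("END without BEGIN at line " NR); inblk = 0; next }
        inblk && /^Proc-Type:.*ENCRYPTED/ { bad("encrypted key at line " NR) }
        !inblk && NF { stray++ }
        END {
            if (inblk) bad("unterminated block")
            if (stray) bad(stray " line(s) of text outside PEM blocks")
            if (key != 1) bad("expected 1 private key, found " (key + 0))
            if (crt < 1) bad("no certificate block")
            if (dh != 1) bad("expected 1 DH parameters block, found " (dh + 0))
            exit err + 0
        }
    ' "$f" || rc=1
    return $rc
}

# Constructed sample (placeholder base64, not real key material): the text
# dump in front of the certificate was not stripped and the DH block is missing.
sample=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' 'Certificate:' '    Data:' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$sample"
check_pem "$sample" || echo "not ready to deploy"
rm -f "$sample"
```

The check only looks at structure and permissions; it does not verify that the key matches the certificate or that the certificate chains to ca.crt.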

More info on this can be found here and here.

