Generating SSL files with openssl

To my understanding SSL has two parts:

  1. Certificate exchange
  2. Key exchange

The certificate is used to make sure the server and the client are who they claim to be. The keys exchanged are used for encrypting the content of the messages the server and client will exchange.

I'm not completely knowledgeable about how the process of creating and verifying a certificate works, but I think that, in order to be sure about the server certificate, there must be another server that works as a validator. That seems a bit strange to me; after all, if you can forge the response of one server you'd be able to forge the response of another, no?

Anyway, I wasn't willing to pay for that kind of service, so I self-signed the certificate. So I suppose it's not too useful -- it can't assure the server is who you think it is -- but I didn't care much for certificates to begin with. My main goal with SSL was just the encryption of data.

I know a little bit more about how the cryptography works here. They use an algorithm called Diffie-Hellman which allows two servers to agree on a given key without people listening to the conversation figuring it out. It's not as complicated as it may seem, but I'll leave the explanations of the algorithm for another talk.

After agreeing on a key, both ends use a symmetric-cryptography mechanism; I'm not sure which algorithm they use.

What programs that use SSL typically need are parameters for DH and the certificate. I don't think the DH parameters matter much. In my understanding they are public anyway. It's required that they are two "good" numbers. That is, two numbers that allow the algorithm to be secure.

In order to generate all that I used the openssl program. Debian has a package with that name which will install the program needed. The steps I took were:

Generate the RSA key, the certificate needs this for whatever...
$ openssl genrsa 1024 > host.key

The key shouldn't be world-visible
$ chmod 400 host.key

Generating the certificate. It will expire in 365 days and it's self-signed. I believe it's -nodes that makes it be self-signed.
$ openssl req -new -x509 -nodes -sha1 -days 365\
  -key host.key > host.cert

Generate the parameters for DH key exchange. I think 1024 is the entropy, I've been told that size is alright.
$ openssl dhparam -outform PEM -out dhkontesti.pem 1024

In my case, using courier-imap-ssl, I had to concatenate both key and certificate in one non-world-readable file. The file that needs modification is the following:
$ cat host.key host.cert > /etc/courier/imapd.pem
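
A sanity check for the files these steps produce, as an added example that is not part of the original post: it confirms that the key and certificate in the combined file belong together, that the certificate is self-signed, and that the key material is not readable by group or others. The temporary directory, the CN mail.example.test and the 2048-bit/SHA-256 settings are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. File names, the CN and the 2048-bit/SHA-256 settings are
# assumptions made for this demo, not values from the post.

# True when the key in $1 and the certificate in $2 share one RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate in $1 names itself as issuer and its
# signature verifies against its own public key.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ] &&
        openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q 'OK$'
}

# True when group and others have no permission bits on $1.
is_private() {
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build key, certificate and combined PEM in directory $1. The umask makes
# every file private from the moment it is created, so there is no window
# between writing the key and a later chmod. With -x509, req emits a
# self-signed certificate instead of a signing request.
make_bundle() {
    (
        umask 077
        cd "$1" || exit 1
        openssl genrsa -out host.key 2048 2>/dev/null &&
        openssl req -new -x509 -sha256 -days 365 -subj "/CN=mail.example.test" \
            -key host.key -out host.cert 2>/dev/null &&
        cat host.key host.cert > imapd.pem
    )
}

# Constructed demo run in a throwaway directory.
demo=$(mktemp -d) && make_bundle "$demo" &&
    key_matches_cert "$demo/imapd.pem" "$demo/imapd.pem" &&
    is_self_signed "$demo/host.cert" && is_private "$demo/imapd.pem" &&
    echo "bundle ok: $demo/imapd.pem"
```

Passing the combined file as both arguments to key_matches_cert checks the exact file the mail server will read, since openssl picks the key block and the certificate block out of it separately.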