--- /dev/null
+If you're running your own server, your probably not shelling out $400
+to get an "official" Certificate Authority to sign your key. Here's a
+quick not to myself about how to create and sign your own key.
+
+Use [openssl][]'s [genpkey][] to generate an *unencrypted* public key.
+
+ $ openssl genpkey -algorithm RSA -out key.pem
+
+An unencrypted key is less secure, but it allows the web server to be
+restarted (e.g. after rebooting) without you being there to enter the
+decryption key. Make sure `key.pem` is only readable by `root`.
+
+Use [req][] to generate certificate signing request.
+
+ $ openssl req -new -key key.pem -out req.pem
+
+`-new` prompts you for new relevant field values. You can also
+specify the values on the command line or in an configuration file
+(override the default with `-config filename`).
+
+Use [x509][] to sign the certificate.
+
+ $ openssl x509 -req -days 360 -in req.pem -signkey key.pem -out cert.pem
+
+You should keep your certificate signing request around so you can
+re-sign your key later on (since your initial signature will
+eventually expire).
+
+You can also print certificates with [x509][].
+
+ $ openssl x509 -in cert.pem -noout -text
+
+[openssl]: http://www.openssl.org/docs/apps/openssl.html
+[genpkey]: http://www.openssl.org/docs/apps/genpkey.html
+[req]: http://www.openssl.org/docs/apps/req.html
+[x509]: http://www.openssl.org/docs/apps/x509.html
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]
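Review bot: The sentence introducing `genpkey` says it generates an "*unencrypted* public key", but `openssl genpkey` writes a private key, and the next paragraph (keep `key.pem` readable only by `root`) only makes sense for a private key; change "public" to "private". The same `genpkey` command leaves the RSA key size at whatever default the installed OpenSSL uses; consider stating it explicitly with `-pkeyopt rsa_keygen_bits:2048` or larger. The text asks for `key.pem` to be readable only by `root` but gives no command for it; adding a `chmod 600 key.pem` step, or setting `umask 077` before generating the key, would make that instruction concrete. Wording nits: "your probably" should be "you're probably", "quick not to myself" should be "quick note to myself", "in an configuration file" should be "in a configuration file", and "generate certificate signing request" is missing "a".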