# Generate a 2048-bit RSA key without a passphrase.
# DOMAIN is the bare hostname; the .key/.csr suffixes are appended below.
DOMAIN=mail.stdout.nl
sudo touch $DOMAIN.key
sudo chmod 400 $DOMAIN.key
sudo openssl genrsa -out $DOMAIN.key 2048

# Generate the CSR with:
sudo openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

# After receiving the .crt file from the issuer, make sure you cat the .key
# and .crt file together into a .pem file, which lighttpd's ssl.pemfile points
# to.

# Optionally, you can use a config file to set attributes of the CSR (so you
# can leave out stuff like "Location" and "State"). However, when using
# StartSSL, all the details from the CSR will be ignored anyway, so don't
# bother. Anyway, the file to pass to -config should look like this:

[ req ]
distinguished_name = req_distinguished_name
prompt=no

[ req_distinguished_name ]
C = NL
CN = mail.stdout.nl
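
# Added example, not part of the original notes: the steps above run end to end
# in a scratch directory, with a check that the certificate's public key matches
# the private key before the two are concatenated for ssl.pemfile. The function
# names and the self-signed certificate standing in for the issuer's .crt are
# assumptions.

```shell
#!/bin/sh
# Constructed example; only openssl, awk and cat are assumed to be installed.

# Print a SHA-256 fingerprint of the public key in a key, CSR or certificate.
pubkey_fp() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *) return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Concatenate key and cert into the file ssl.pemfile points to, but only if
# the certificate was issued for this key.
build_pem() {  # $1 = key, $2 = crt, $3 = output .pem
    k=$(pubkey_fp key "$1") && c=$(pubkey_fp crt "$2") || return 1
    [ "$k" = "$c" ] || { echo "key and certificate do not match" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$3" )  # the pem contains the private key
}

# Whole flow in a scratch directory $1. A throwaway self-signed certificate
# stands in for the .crt the issuer would send back (assumption).
demo() {
    d=$1; DOMAIN=mail.stdout.nl
    cat > "$d/csr.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = NL
CN = $DOMAIN
EOF
    ( umask 077 && openssl genrsa -out "$d/$DOMAIN.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$d/$DOMAIN.key" -config "$d/csr.cnf" \
        -out "$d/$DOMAIN.csr" &&
    openssl req -x509 -new -key "$d/$DOMAIN.key" -config "$d/csr.cnf" \
        -days 1 -out "$d/$DOMAIN.crt" &&
    [ "$(pubkey_fp csr "$d/$DOMAIN.csr")" = "$(pubkey_fp key "$d/$DOMAIN.key")" ] &&
    build_pem "$d/$DOMAIN.key" "$d/$DOMAIN.crt" "$d/$DOMAIN.pem"
}
```

# build_pem refuses to write the .pem when the certificate belongs to a
# different key, which catches a mixed-up .crt before lighttpd is restarted.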