Welp, SSL now works. Whoohoo! Have another beer.

Replace <SERVERNAME> in these examples with the fully-qualified domain name you gave to the virtual host
you want this key to service.

For example, if I wanted to do a cert for piro.kabuki.sfarc.net, I'd use 
-out /etc/apache2/sites/piro.kabuki.sfarc.net-ssl.key, etc.

Now, you need to make several random, gzip'ed text files. I recommend autogen.
$ for i in 1 2 3 4 5 6 7 8 9; do dd if=/dev/urandom count=2 bs=1k | od -a | sed -e 's/.......//' > rand$i; \
  gzip -1 rand$i; done
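# openssl genrsa -des3 -rand rand1.gz:rand2.gz:rand3.gz:rand4.gz:rand5.gz:rand6.gz:rand7.gz:rand8.gz:rand9.gz \
  -out /etc/apache2/sites/<SERVERNAME>-ssl.key 1024
(The final argument is the RSA key size in bits. 1024 is below current guidance,
which is at least 2048, so raise it for any key generated today.)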

This will prompt you for a passphrase, which means that apache2 will also prompt
you for said passphrase every time it starts. Which is probably a bad thing. To
de-passphrase it:
# openssl rsa -in /etc/apache2/sites/<SERVERNAME>-ssl.key -out /etc/apache2/sites/<SERVERNAME>-ssl.pem
This removes the 3DES encryption, so the private key in <SERVERNAME>-ssl.pem is
stored unencrypted; be careful with it. You'll also need to change the
SSLCertificateKeyFile line in /etc/apache2/sites/<SERVERNAME> from
<SERVERNAME>-ssl.key to <SERVERNAME>-ssl.pem.

Next, generate a Certificate Signing Request (necessary even if self-signing):
# openssl req -new -key /etc/apache2/sites/<SERVERNAME>-ssl.key -out /etc/apache2/sites/<SERVERNAME>-ssl.csr
Note, if you've decrypted the key (as above), use:
# openssl req -new -key /etc/apache2/sites/<SERVERNAME>-ssl.pem -out /etc/apache2/sites/<SERVERNAME>-ssl.csr

Fill in all the information as requested.

To self-sign your certificate:
# openssl x509 -req -in /etc/apache2/sites/<SERVERNAME>-ssl.csr -signkey /etc/apache2/sites/<SERVERNAME>-ssl.key \
  -out /etc/apache2/sites/<SERVERNAME>-ssl.crt 
Again, if you've decrypted your key, just change <SERVERNAME>-ssl.key to <SERVERNAME>-ssl.pem.

Now, clean up the temporary CSR and the random files:
# rm -f /etc/apache2/sites/<SERVERNAME>-ssl.csr rand*.gz

And, if you've decrypted your key:
# rm -f /etc/apache2/sites/<SERVERNAME>-ssl.key

You did enable the SSL module, didn't you? :)
# /usr/sbin/a2enmod ssl

:) d <daniel@sfarc.net>, 4:41pm, Sat 18th August
(updated 7:17pm, Sat 3rd November for new virtual hosts config stuff)
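
A check to run once the steps above are done, added here as an example and not part of the original notes: it flags private keys readable by group or other, and CSRs that were not cleaned up. The function names are hypothetical, the *-ssl.key / *-ssl.pem / *-ssl.csr naming follows the commands above, and reading "be careful" as "owner-only permissions" is an assumption.

```shell
#!/bin/sh
# Added example: audit what the procedure leaves in the key directory.

# key_state FILE -> prints encrypted | plaintext | not-a-key
key_state() {
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted   # passphrase-protected PEM (traditional or PKCS#8)
    elif grep -q -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo plaintext   # what the de-passphrase step writes
    else
        echo not-a-key
    fi
}

# key_perms_ok FILE -> true only if group and other have no permission bits
key_perms_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# audit_keys DIR -> one line per finding, returns 1 if there was any
audit_keys() {
    dir=$1; found=0
    for f in "$dir"/*-ssl.key "$dir"/*-ssl.pem; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        if [ "$state" != not-a-key ] && ! key_perms_ok "$f"; then
            echo "LOOSE-PERMS $state $f"; found=1
        fi
    done
    for f in "$dir"/*-ssl.csr; do
        if [ -f "$f" ]; then echo "LEFTOVER-CSR $f"; found=1; fi
    done
    return "$found"
}

# demo: constructed files holding PEM header lines only, no key material
demo() {
    d=$(mktemp -d); rc=0
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        > "$d/a.example-ssl.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/a.example-ssl.pem"
    : > "$d/a.example-ssl.csr"
    chmod 600 "$d/a.example-ssl.key"; chmod 644 "$d/a.example-ssl.pem"
    audit_keys "$d" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

On the real directory, call audit_keys /etc/apache2/sites; a LOOSE-PERMS line for a plaintext key is fixed with chmod 600 on that file.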
