Most guides on the web still carry ancient instructions for self-signed host key generation.
Here’s a Suite B 192-bit key and certificate (ECDHE-ECDSA with SHA-384 on the 384-bit curve secp384r1, a.k.a. P-384).
openssl ecparam -out service.key -name secp384r1 -genkey -noout
openssl req -new -key service.key -out service.csr -sha384
openssl x509 -req -in service.csr -signkey service.key -out service.crt -sha384
cp -p service.crt service.pem
The -noout on ecparam keeps the EC PARAMETERS block out of service.key, so the file holds only the private key. The -in on the x509 step is required: without it, x509 -req reads the CSR from stdin and just sits there. It also defaults to a 30-day validity, so add -days N for anything real. The last cp is for configuration variables of the CA_pem kind; some software insists on an actual .pem extension for whatever reason.
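The same procedure as a script, with checks on the result. This is an added example, not code from the original post: the helper names, the /CN= subject, the file names and the 365-day validity are my own assumptions for illustration.

```sh
#!/bin/sh
# Added example: generate a P-384 ECDSA key and a self-signed SHA-384 certificate,
# then inspect the output so the curve and digest choices can be verified.
# File names, subject and validity period are assumptions, not from the post.
set -eu

# Generate key, CSR and self-signed cert under base name $1 for CN $2, valid $3 days.
gen_ec_selfsigned() {
  base=$1; cn=$2; days=$3
  # -noout drops the "EC PARAMETERS" block so the file holds only the private key
  openssl ecparam -name secp384r1 -genkey -noout -out "$base.key"
  # -subj keeps req non-interactive; -sha384 is the CSR signature digest
  openssl req -new -key "$base.key" -subj "/CN=$cn" -sha384 -out "$base.csr"
  # -in is required: without it, x509 -req waits for a CSR on stdin
  openssl x509 -req -in "$base.csr" -signkey "$base.key" -sha384 -days "$days" -out "$base.crt"
  # some software wants a literal .pem extension for its CA_pem-style settings
  cp -p "$base.crt" "$base.pem"
}

# Signature algorithm recorded in the certificate, e.g. ecdsa-with-SHA384
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# Named curve of the certificate's public key, e.g. secp384r1
cert_curve() {
  openssl x509 -in "$1" -noout -text | grep 'ASN1 OID' | head -n 1 | awk '{print $3}'
}

# Succeeds only if the key file carries no stray EC PARAMETERS block
key_has_no_params_block() {
  if grep -q 'BEGIN EC PARAMETERS' "$1"; then return 1; fi
  return 0
}

WORK=$(mktemp -d)
gen_ec_selfsigned "$WORK/service" mail.example.com 365
echo "signature: $(cert_sig_alg "$WORK/service.crt")"
echo "curve:     $(cert_curve "$WORK/service.crt")"
key_has_no_params_block "$WORK/service.key" && echo "key file: private key only"
```

Run it as-is; it works in a fresh temporary directory and prints the signature algorithm and curve it finds in the certificate, which is the quickest way to catch a guide that silently falls back to SHA-1 or a smaller curve.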
Sadly, !SSLv3 still breaks a lot of mail clients, and so do !SHA and !SHA1. (In OpenSSL cipher strings, SSLv3 means the suites that date from SSLv3, i.e. everything except the TLS 1.2-only suites, and SHA/SHA1 matches every suite with a SHA-1 MAC, so both effectively demand a TLS 1.2 client with AEAD or SHA-2 suites.) Here’s what I like for cipher list enhancement:
SUITEB192:TLSv1.2:HIGH:-3DES:!SSLv2:!MD5:!aNULL
With this, SHA-1 and, to a lesser extent, AES-128 are the only non-optimal algorithms I see inferior clients using.
Update July 2015: Of course, SUITEB192 at the head of a cipher string puts OpenSSL into Suite B mode, and everything after it is ignored, so that list was entirely aspirational.
I had to go through and fix this for real. First off, use this for testing:
openssl ciphers -v 'CIPHERS_SPEC'
Then there’s the ‘X+Y:Y+Z’ format for selecting ciphers: within one colon-separated entry, + ANDs the keywords together (a suite must match all of them), while : separates entries whose matches are concatenated in order. It is documented in the ciphers(1) man page.
Suite B 192 ONLY:
openssl ciphers -v 'EECDH+ECDSA+AES256+AESGCM:EECDH+ECDSA+AES256+SHA384'
Suite B 128 ONLY:
openssl ciphers -v 'EECDH+ECDSA+AES128+AESGCM:EECDH+ECDSA+AES+SHA256'
Strictly speaking, the second entry of each string (EECDH+ECDSA+AES256+SHA384, EECDH+ECDSA+AES+SHA256) pulls in the CBC-mode suites ECDHE-ECDSA-AES256-SHA384 and ECDHE-ECDSA-AES128-SHA256. Suite B as profiled in RFC 6460 is AES-GCM only, so drop that entry if you want Suite B proper rather than an ECDSA-only list with a CBC fallback for clients that lack GCM.
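The three points above (SUITEB192 swallowing the rest of the string, + versus :, and the CBC suites the second entries add) can be checked with openssl ciphers. This is an added example, not from the original post; the helper function names are my own, the cipher strings are the ones quoted above.

```sh
#!/bin/sh
# Added example: expand cipher strings with openssl ciphers to see what they
# really select. Helper names are assumptions; the cipher strings are the post's.
set -eu

# One suite per line for the TLS 1.2-and-older part of a cipher string.
# Newer OpenSSL lists the TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) first
# regardless of the string, so they are filtered out to keep counts comparable.
expand_suites() {
  openssl ciphers "$1" | tr ':' '\n' | grep -v '^TLS_'
}

count_suites() {
  expand_suites "$1" | wc -l | tr -d ' '
}

first_suite() {
  expand_suites "$1" | head -n 1
}

# Number of selected suites that are not ECDHE-ECDSA (0 for a Suite B-style list)
non_ecdsa_suites() {
  expand_suites "$1" | grep -vc '^ECDHE-ECDSA-' || true
}

ASPIRATIONAL='SUITEB192:TLSv1.2:HIGH:-3DES:!SSLv2:!MD5:!aNULL'
SUITEB192_EXPLICIT='EECDH+ECDSA+AES256+AESGCM:EECDH+ECDSA+AES256+SHA384'
SUITEB128_EXPLICIT='EECDH+ECDSA+AES128+AESGCM:EECDH+ECDSA+AES+SHA256'

# 1. SUITEB192 at the head switches on Suite B mode; the rest of the string is
#    ignored, so the "list" collapses to a single suite.
echo "aspirational list: $(count_suites "$ASPIRATIONAL") suite(s)"
expand_suites "$ASPIRATIONAL"

# 2. '+' ANDs keywords inside one entry; ':' separates entries. The same four
#    keywords joined with ':' are a union and match far more suites.
echo "ANDed: $(count_suites 'EECDH+ECDSA+AES256+AESGCM') suite(s)"
echo "union: $(count_suites 'EECDH:ECDSA:AES256:AESGCM') suite(s)"

# 3. The explicit lists in full; the -v columns show which entries are
#    Enc=AESGCM (Mac=AEAD) and which are CBC with a SHA-2 MAC.
for spec in "$SUITEB192_EXPLICIT" "$SUITEB128_EXPLICIT"; do
  echo "== $spec"
  openssl ciphers -v "$spec" | grep -v '^TLS_'
done
```

The filter on TLS_ names matters on OpenSSL 1.1.1 and later, where the TLS 1.3 suites are controlled by -ciphersuites, not by the cipher string, and are printed in front of whatever the string selects.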