HOWTO: create new certificate and PEM file and sign it with your CA cert

1) generate new private key (add -des3 to protect it with a passphrase)

    openssl genrsa -out server.key 2048

2) create CSR file from our new key

    openssl req -new -key server.key -config /path/to/server.cnf -out server.csr

   server.cnf file used for CSR file creation

    [req]
    default_bits = 2048
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [req_dn]
    C=US
    ST=NYC
    L=NYC
    O=your org
    OU=mail server at your org
    CN=mail.your.domain
    emailAddress=admin@your.domain

    [cert_type]
    nsCertType = server

3) sign your new CSR with your CA certificate

    sign.sh server.csr

4) open your new .crt file and remove all text above the line that says (keep this line!)

    -----BEGIN CERTIFICATE-----

5) after that, combine the private key and the certificate into a pem file

    cat server.key server.crt > server.pem

6) and add the Diffie-Hellman part of the pem

    # dhparam is the replacement for the obsolete gendh command
    openssl dhparam 2048 >> server.pem

enjoy :]
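
Added example (not part of the original HOWTO): a structure and permission check for the server.pem that steps 4 to 6 produce, run here on a constructed bundle with dummy block bodies. The function names lint_pem, pem_block and make_sample are made up for this example.

```shell
#!/bin/sh
# Added example: structure and permission lint for the server.pem of steps 4-6.
# It does not prove that the key and the certificate belong together.

# lint_pem FILE: print one line per finding; return 0 if clean, 1 otherwise.
lint_pem() {
    lp_out=$(
        awk '
            /^-----BEGIN / { inblk = 1
                if ($0 ~ /PRIVATE KEY-----$/)                   key++
                else if ($0 == "-----BEGIN CERTIFICATE-----")   crt++
                else if ($0 == "-----BEGIN DH PARAMETERS-----") dh++
                next }
            /^-----END /   { inblk = 0; next }
            !inblk && NF   { stray++ }   # step 4: text left above the certificate
            END {
                if (stray)    print "text outside PEM blocks: " stray " line(s)"
                if (key != 1) print "expected 1 private key block, found " (key + 0)
                if (crt < 1)  print "no certificate block (step 5)"
                if (dh < 1)   print "no DH parameters block (step 6)"
            }' "$1"
        # The bundle holds the private key: group and other get no access.
        lp_mode=$(ls -ld -- "$1" | cut -c5-10)
        [ "$lp_mode" = "------" ] || echo "group/other permissions set: $lp_mode"
    )
    [ -z "$lp_out" ] && return 0
    printf '%s\n' "$lp_out"
    return 1
}

# pem_block LABEL: one block with a dummy body (constructed, not key material).
pem_block() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }

# make_sample FILE [dirty]: constructed bundle; "dirty" means step 4 was skipped.
make_sample() {
    ( umask 077
      { pem_block 'RSA PRIVATE KEY'
        [ "${2:-}" != dirty ] || printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'
        pem_block 'CERTIFICATE'
        pem_block 'DH PARAMETERS'; } > "$1" )
}

# Demo on constructed input.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/ok.pem"
lint_pem "$demo_dir/ok.pem" && echo "ok.pem: clean"
make_sample "$demo_dir/bad.pem" dirty
lint_pem "$demo_dir/bad.pem" || echo "bad.pem: fix before deploying"
rm -rf "$demo_dir"
```

Run lint_pem on the real server.pem after step 6; a clean result prints nothing and returns 0.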

faq

q: sign.sh???
a: fetch http://netvor.sk/~johnny/tmp/sign.sh

johnny ^_^ <johnny@netvor.sk>