Generation of a self-signed SSL certificate involves a simple 3-step procedure:
STEP 1: Create the server private key
openssl genrsa -out cert.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key cert.key -out cert.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt
Congratulations! You now have a self-signed SSL certificate valid for 10 years.
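The three steps above as a non-interactive script, followed by checks on what they produced. This is an added example, not part of the original post; the subject /CN=example.test and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: file names follow the steps above; the subject name and
# the function names are assumptions made for this illustration.

make_self_signed() (            # $1 = output dir, $2 = subject DN
    umask 077                   # private key readable by its owner only
    cd "$1" || exit 1
    openssl genrsa -out cert.key 2048 2>/dev/null &&
    openssl req -new -key cert.key -subj "$2" -out cert.csr &&
    openssl x509 -req -days 3650 -in cert.csr -signkey cert.key \
        -out cert.crt 2>/dev/null
)

key_matches_cert() {            # public key in cert.crt must derive from cert.key
    k=$(openssl pkey -in "$1/cert.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/cert.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

is_self_signed() {              # issuer == subject, signature verifies under own key
    s=$(openssl x509 -in "$1/cert.crt" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1/cert.crt" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ] &&
    openssl verify -CAfile "$1/cert.crt" "$1/cert.crt" >/dev/null 2>&1
}

valid_about_ten_years() {       # still valid in 3649 days, expired by day 3651
    openssl x509 -in "$1/cert.crt" -noout -checkend $((3649 * 86400)) >/dev/null &&
    ! openssl x509 -in "$1/cert.crt" -noout -checkend $((3651 * 86400)) >/dev/null
}

key_is_private() {              # key file mode must be exactly 0600
    [ -n "$(find "$1/cert.key" -perm 600)" ]
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if make_self_signed "$demo" "/CN=example.test"; then
    for check in key_matches_cert is_self_signed valid_about_ten_years key_is_private; do
        if "$check" "$demo"; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
fi
rm -rf "$demo"
```
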
Well, let's try to break this.
If you use this key often, you had better keep it safe. Because if you sign, let's say, a PDF and upload it to a folder under your control, it becomes a non-qualified e-signature, so it's your signature. The same applies if you sign a letter to your bank using it, etc. You can imagine a bunch of situations that validate that an OpenSSL signature is yours. What about a qualified e-signature? In this case, the government signs a certificate for a firm, which signs the certificate for you. It is a chain of trust. Will it validate all over the internet? Well, no. For this you need a unique root, which does not exist. Let's say the Pope has the root certificate and all others derive from his. Then anybody can reconstruct the chain of trust. But that is not the case. In my country, documents signed in this way validate only on some servers in the country. Outside, they do not validate. The root is an office. Sorry, but this is as long as life. Obviously there are de facto roots: DigiCert, Google.