Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
To communicate securely using SSL (also known as TLS, Transport Layer Security), a web server needs a key pair: a public key and a private key. You can generate this key pair and sign it yourself, but to stop the web browser from asking “stupid” questions about the validity of the certificate, you must pay a company called a Certificate Authority (CA), such as Verisign, Geotrust, or Thawte, for the added simplicity. That company verifies that you are who you say you are (in theory, at least) and then signs your public key with its own certificate. Their certificate is already bundled with most browsers and thus trusted by default, which makes your newly signed certificate trusted as well.
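The two paths described above, as an added example that is not part of the original article: a private key is generated with the OpenSSL command-line tool, a certificate signing request (the public key plus the identity a CA would verify) is produced from it, and a self-signed certificate is created for comparison. The hostname, key size, validity period and working directory are assumptions for illustration; only the OpenSSL CLI is required.

```shell
#!/bin/sh
# Added example (not from the original article): create a server key pair,
# a CSR for a CA to sign, and a self-signed certificate, then check how the
# self-signed one fares against the system trust store. The hostname, key
# size, validity and directory below are assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="www.example.com"   # assumed hostname; use your server's real name

# 1. Private key. The subshell keeps the restrictive umask local so the key
#    file is created unreadable to anyone but its owner.
gen_key() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$WORKDIR/server.key" 2>/dev/null )
}

# 2. Certificate signing request: this is what you send to a CA. It carries
#    the public key and the identity (CN) the CA is supposed to verify.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$HOST" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# 3. Self-signed certificate: the "sign it yourself" path. Usable for testing,
#    but no browser-bundled CA vouches for it, hence the browser warnings.
gen_selfsigned() {
    openssl req -new -x509 -key "$WORKDIR/server.key" -subj "/CN=$HOST" \
        -days 30 -out "$WORKDIR/server.crt" 2>/dev/null
}

# The public key embedded in the certificate must be the one belonging to
# the private key the server will use; a mismatch breaks the TLS handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout 2>/dev/null)
    [ "$k" = "$c" ]
}

# Chain validation against the default CA bundle. For a self-signed
# certificate this fails (no trusted issuer), which is the same verdict a
# browser reaches before it starts asking questions.
trusted_by_system() {
    openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Usage when run directly: build the files and report the outcome.
if command -v openssl >/dev/null 2>&1; then
    gen_key && gen_csr && gen_selfsigned
    key_matches_cert && echo "key and certificate match: $WORKDIR"
    trusted_by_system || echo "self-signed certificate is not trusted by the system CA bundle (expected)"
fi
```

The CSR in `server.csr` is the artifact a CA signs; the certificate it returns replaces `server.crt` in the server configuration, while `server.key` never leaves the machine.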