X.509 certificates can be generated and managed by various programs. Most people still use the command-line tool that comes with OpenSSL, but you can also look into managed web-based solutions, such as TinyCA. We will be using OpenSSL in our examples to create certificates.
Since all certificates have time-limited validity, it is very important to have the correct time set on the hosts that are going to use certificates, as well as on the host that creates the certificates. You might think that a few seconds do not matter, but if you generate a certificate and transfer it to a machine that lives fifteen minutes in the past, you will have to wait fifteen minutes before that certificate becomes valid. People regularly fall into this trap and waste a lot of time trying to get a connection to work properly, just because the time is set incorrectly. Another common mistake is using newly generated certificates on machines that have a different time zone...
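The following check is an added example, not code from the original text: it parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints (always in GMT) and compares them with a host clock, reporting how long a certificate still has to wait before it becomes valid. The sample dates, the function names and the clock scenarios are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the output of: openssl x509 -noout -dates -in cert.pem
SAMPLE_DATES = """notBefore=Mar  4 10:15:00 2024 GMT
notAfter=Mar  4 10:15:00 2025 GMT
"""

def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days with a space; strptime accepts that.
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]

def check_validity(text, now=None):
    """Classify the certificate against `now` (default: this host's clock).

    Returns (status, delta). delta is the wait until notBefore for
    "not_yet_valid", the time since notAfter for "expired", and the
    remaining lifetime for "valid".
    """
    not_before, not_after = parse_openssl_dates(text)
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        # A naive timestamp hides exactly the zone mistakes we want to catch.
        raise ValueError("now must be timezone-aware")
    now = now.astimezone(timezone.utc)
    if now < not_before:
        return "not_yet_valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", not_after - now

if __name__ == "__main__":
    issued = datetime(2024, 3, 4, 10, 15, tzinfo=timezone.utc)
    # Host whose clock runs fifteen minutes behind the issuing host.
    print(check_validity(SAMPLE_DATES, issued - timedelta(minutes=15)))
    # Host showing 10:15 on the wall clock but configured as UTC+1:
    # its real UTC time is 09:15, so the certificate is not valid yet.
    wrong_zone = timezone(timedelta(hours=1))
    print(check_validity(SAMPLE_DATES, datetime(2024, 3, 4, 10, 15, tzinfo=wrong_zone)))
```

Run it on each host with the real output of `openssl x509 -noout -dates` in place of the sample to see whether a failing connection is a clock problem rather than a certificate problem.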