Does anyone know how I can create a no-cost server certificate for IIS
(version 5.1) myself, using OpenSSL or something similar? I really
don't need a $1000 certificate from VeriSign or one of the other
crooks. I am not running a public server, I just want to use SSL to
keep my ISP from listening into my traffic and I know all my clients
(in the technical as well as the business sense), so I can just pass
the certificate around by floppy disk and people manually install it
in their Internet Explorers.

The stupid thing is I already managed to do it once by futzing around
with OpenSSL, I just can't reproduce it anymore. I remember that IIS
won't accept a self-signed certificate, so I'd have to create my own
root certificate first and then a second certificate for the server
and then sign the latter with the first.

Please give me complete instructions such as "type this and that" and
"then copy that file there" etc. Use a fictional servername like
"demo.com". I have an understanding of the concepts of RSA,
certificates and signatures but not the details such as file formats
and the tools involved, and I don't care.

I ran out of time to write this up, so someone gets a freebie. Here's
some good instructions for starters:

http://groups.google.com/groups?hl=en&lr=&safe=off&selm=9fm2on%242fh%241%40FreeBSD.csie.NCTU.edu.tw

I followed them step by step, and they are quite helpful so far.
Putting them in terms levsen wants ("type this and that") is mostly
what would need to be done.

Best of luck!

If you're running Windows 2000 Server (which presumably you are if
you're running IIS 5), then you can install MS Certificate Services,
which will allow you to create your own certificates.

If Certificate Services is not already installed, go to Control Panel,
Add Remove Programs, Add/Remove Windows Components, and select
Certificate Services (you'll need all it's subcomponents).

This is how you start...   I'll let a Google researcher answer the
rest of the question in detail, but the only steps left are to create
a certificate and then set it up in IIS.

Most openssl distributions include CA.sh and CA.pl scripts.  They're
effectively the same thing, one in bourne shell, one in perl.  If you
don't have them, you can find them at:
http://web.mit.edu/crypto/share/openssl/misc/

If you have those scripts, it's a 3 step process that's really easy.
First: set up your dummy CA:
CA.sh -newca

Second: create a certificate signing request (CSR):
CA.sh -newreq

Last: sign the CSR with the CA:
CA.sh -sign

The certificate you'll have will have a private key that is password
protected.  You probably don't want that. The private key will be in
the newreq.pem file. Run this command to get rid of the password
protection:
openssl rsa -in newreq.pem -out private.key
Now you have an unencrypted private key in the fila named
"private.key"

Your CA certificate (which you'll want IIS and your web browser to
trust) will be in the demoCA directory under cacert.pem.

Here's another description of how to do all this:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

The search terms I used to find that page were: openssl CA.sh

Regards,
Paco

Ok this is cool. People have been very helpful with their comment.
Everything works now beautifully. (Some of the comments are not
visible anymore.) Thank you very much for your help. I am closing this
question now.