diff --git a/tools/genssl.in b/tools/genssl.in
index fbdd7014..f89913d2 100755
--- a/tools/genssl.in
+++ b/tools/genssl.in
@@ -3,8 +3,11 @@ prefix="@prefix@"
 exec_prefix="@exec_prefix@"
 sysconfdir="@sysconfdir@"
 
-echo "Generating self-signed certificate .. "
-openssl req -x509 -nodes -newkey rsa:1024 -keyout "${sysconfdir}"/ssl.key -out "${sysconfdir}"/ssl.cert
+echo "Generating private key and CSR... "
+openssl req -new -newkey rsa:2048 -nodes -sha512 -out "${sysconfdir}"/ssl.csr -keyout "${sysconfdir}"/ssl.key
+
+echo "Self-signing certificate..."
+openssl x509 -req -sha512 -days 365 -in "${sysconfdir}"/ssl.csr -signkey "${sysconfdir}"/ssl.key -out "${sysconfdir}"/ssl.pem
 
 echo "Generating Diffie-Hellman file for secure SSL/TLS negotiation .. "
 openssl dhparam -out "${sysconfdir}"/dh.pem 2048
@@ -22,8 +25,13 @@ cat <<EOF
 Now change these lines in the IRCd config file:
 
     ssl_private_key = "${relative_sysconfdir}/ssl.key";
-    ssl_cert = "${relative_sysconfdir}/ssl.cert";
+    ssl_cert = "${relative_sysconfdir}/ssl.pem";
     ssl_dh_params = "${relative_sysconfdir}/dh.pem";
 
+If you want to get your certificate signed by a certificate authority,
+submit the ssl.csr file to your CA, then replace ssl.pem with the
+certificate returned to you. You may need to include your CA's
+intermediate certificates in signing order.
+
 Enjoy using ssl.
 EOF