To use a crypted Filesystem - you first need to actually create it. I came accross an article showing me how to do it using cryptsetup. Check it out under http://luks.endorphin.org. Note that this is the upcoming standard for filesystem encryption under linux
LUKS was designed according to TKS1, a template design developed in [TKS1] for secure key setup. LUKS closely reassembles the structure recommended in the TKS1 paper, but also adds meta data for cipher setup management and LUKS also supports for multipe keys/passphrases. Why LUKS?
- compatiblity via standardization,
- secure against low entropy attacks,
- support for multiple keys,
- effective passphrase revocation,
- free
For creating the Crypted Filesystem - I assume using the /dev/sda1 device (USB-Drive). Replace all instances of sda1 with the device you require.:

modprobe aes
modprobe dm-crypt
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
cryptsetup luksOpen /dev/sda1 cryptfs
Enter LUKS passphrase:
key slot 0 unlocked.

mke2fs -j -m 0 /dev/mapper/cryptfs
[...Formatting informations removed...]
tune2fs -c 0 -i 0 /dev/mapper/cryptfs
mkdir /cryptfs
mount /dev/mapper/cryptfs /cryptfs

This will setup up your crypted Partition and mount it under /cryptfs.
Unmount the Partition and lock the encrypted Filesystem cleanly for security

umount /cryptfs
cryptsetup luksClose cryptfs

and you're done. If you now want to add some more passwords - use cryptsetup to do so:

cryptsetup luksAddKey /dev/sda1
Enter any LUKS passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:

This added a new passphrase. Remove it using a similar command.

cryptsetup luksDelKey /dev/sda1 1

where 1 is the slot the key was stored in. Make sure you don't erase your master Key ... Would be bad if you couldn't access the encrypted FS anymore.
As I'm lazy to remember all that - I usually write wrapper scripts I use at home for mounting these devices.
Check it out in the donwload section.

Usage:  mount_crypted.sh    
        This Program manipulates crypted partitions

         mount          Mount a crypted partition
         umount         Unmount a crypted partition
         addkey         Add a new access key to the encrypted
         delkey         remove a key from the encrypted - don't use 0
                        Filesystem/Partition. 8 Max.
         new_partition  Create a new encrypted partition
                        * Warning - this will destroy all data on it
         device         Device to work on. e.g. /dev/sda1
         enc_module     Encryption module. Usually aes, or padlock if you have
                        a padlock accellerator chip as found on recent VIA Nemiah CPU's

Examples:
        mount_crypted.sh new_partition /dev/sda1 aes
        mount_crypted.sh mount /dev/sda1 aes
        mount_crypted.sh addkey /dev/sda1
        mount_crypted.sh delkey /dev/sda1 aes 2
        mount_crypted.sh umount /dev/sda1

In case someone screws his partition - and needs a static version - check this static version of cryptsetup out. 

 Display the contents of a certificate:
#openssl x509 -in cert.pem -noout -text

Display the certificate serial number:
#openssl x509 -in cert.pem -noout -serial

Display the certificate subject name:
#openssl x509 -in cert.pem -noout -subject

Display the certificate subject name in RFC2253 form:
#openssl x509 -in cert.pem -noout -subject -nameopt RFC2253

Display the certificate subject name in oneline form on a terminal supporting UTF8:
#openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb

Display the certificate MD5 fingerprint:
#openssl x509 -in cert.pem -noout -fingerprint

Display the certificate SHA1 fingerprint:
#openssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert a certificate from PEM to DER format:
#openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Convert a certificate to a certificate request:
#openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

Convert a certificate request into a self signed certificate using extensions for a CA:
#openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem

Sign a certificate request using the CA certificate above and add user certificate extensions:
#openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial

Set a certificate to be trusted for SSL client use and change set its alias to ``Steve's Class 1 CA''
#openssl x509 -in cert.pem -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem

To convert a certificate from PEM to DER:
#openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

To convert a certificate from DER to PEM: #openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

To convert a key from PEM to DER:
#openssl rsa -in input.key -inform PEM -out output.key -outform DER

To convert a key from DER to PEM:
#openssl rsa -in input.key -inform DER -out output.key -outform PEM  

 First - make sure you have the openssl package installed and have created a local Certification authority.
When talking about fqdn - the Full Qualified Domain Naeme is meant. This - to ensure you find your certificates after - and link them to the right service/site.
After that - create a private key with:

openssl genrsa -aes128 512/1024 > fqdn.key
Generating RSA private key, 512 bit long modulus
......................++++++++++++
....++++++++++++
e is 65537 (0x10001)

This will ask you for a password. If for any reason you don't want a password to be entered every time you want to use the certificate - skip the -aes128 part.
Once the Key created - you need to create a certification request

openssl req -new -key fqdn.key > fqdn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet Widgits Pty Ltd
Organizational Unit Name (eg, section) []:Demo Certificate Creation
Common Name (eg, YOUR name) []:www.newyork.com
Email Address []:postmaster@newyork.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Make sure the Common Name matches the Full Qualified Domain name of the Service you want to use the certificate for.
Once the request created - you need to let your local CA sign the certificate using:

openssl ca -policy policy_anything -out fqdn.crt -infiles fqdn.csr
[... Loads of stuff removed ...]
Certificate is to be certified until Dec 29 09:29:23 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Now you're done.
If you're looking to create a pem-file - here is a little help for it - used b.e. to create a Key for Cyrus-Imap.

dd if=/dev/urandom of=random.rnd count=1
openssl req -new -x509 -days 365 -nodes -out fqdn.pem -keyout fqdn.pem
openssl gendh -rand random.rnd 512 >> fqdn.pem
openssl x509 -subject -dates -fingerprint -noout -in fqdn.pem

This will generate you a fine certificate for use with cyrus. 

 The easyest way would be to go on it with a web-browser.
However - openssl provides a very nice tool for handling exactly this. Check out the options of:
openssl s_client -connect [IP Address]:PORT

$ openssl s_client -connect www.microsoft.com:443
CONNECTED(00000003)
depth=2 /CN=Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=washington/L=Redmond/O=Microsoft/OU=mscom/CN=www.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGJjCCBQ6gAwIBAgIKPuTDHAAEAACvkDANBgkqhkiG9w0BAQUFADCBizETMBEG
CgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIG
CgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYD
VQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMDgwMjEy
MTgyNTE4WhcNMDkwMjExMTgyNTE4WjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
d2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0
MQ4wDAYDVQQLEwVtc2NvbTEaMBgGA1UEAxMRd3d3Lm1pY3Jvc29mdC5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALbG21smSr8rN+qJ5al2ml5BaPlBnyuK
gN6KOS8TGTde496kil72zBF70sgRhQCERNNAiH0XaNWbDSqXcoxySOQhhW4PJ9P3
OfSNQMBbG+8tVFsyk12cZZSQGK7iE6Wy1mAvsbZ0K1iCvg5DceSDRgc7sggKcVi5
ZyS4wRwIlgI1AgMBAAGjggMkMIIDIDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwIGCCsGAQUFBwMBMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwIC
AgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsG
CWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYD
VR0OBBYEFIfqPJz0gndqvXIFZOP8H0+b2XKBMB8GA1UdIwQYMBaAFJmPpfcegW/6
ecLwFj+yVLEIaEdVMIIBCgYDVR0fBIIBATCB/jCB+6CB+KCB9YZYaHR0cDovL21z
Y3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwU2Vj
dXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDQpLmNybIZWaHR0cDovL2NybC5taWNy
b3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNl
cnZlciUyMEF1dGhvcml0eSg0KS5jcmyGQWh0dHA6Ly9jb3JwcGtpL2NybC9NaWNy
b3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoNCkuY3JsMIG/Bggr
BgEFBQcBAQSBsjCBrzBeBggrBgEFBQcwAoZSaHR0cDovL3d3dy5taWNyb3NvZnQu
Y29tL3BraS9tc2NvcnAvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0
aG9yaXR5KDQpLmNydDBNBggrBgEFBQcwAoZBaHR0cDovL2NvcnBwa2kvYWlhL01p
Y3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg0KS5jcnQwPwYJ
KwYBBAGCNxUHBDIwMAYoKwYBBAGCNxUIg8+JTa3yAoWhnwyC+sp9geH7dIFPg8Lt
hQiOqdKFYwIBZAIBBTAnBgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQAztULGfaAxeoGZbbViAVMtaPkMHaoN
wGzhw4ePcWqSvDKnl9yLpbAsl7T+w4bbeJotXCl89Ri+G4Mbfo3wzcDfStM66qcR
zGnEpiESh7cUZhUrxo+Iu+Ptn3pR/ub3uv8/WwF+KK6UUP+uhVMyxPT2LaGWgBSd
9/8qtngpMAbQVKnm4D8uQrcOa4Yqnjk6F2nNFCqd1Fl6yk5vxcfHD0YEcUNnC9SL
yBRmzNKsCh0d6rFaeLDBvkVjPZ7HQkWoJ/JdBBCLRvpE+1CGKVEmj69wK+n5uZ/Z
O46yGLxJwx62Vxdqno2D57R52VRx2c3ec5t5M2HUy6+K5W73BO0+hGKh
-----END CERTIFICATE-----
subject=/C=US/ST=washington/L=Redmond/O=Microsoft/OU=mscom/CN=www.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 4078 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 860400006196E94CAEE25E39784C3F1BC2906EDEF26C047F91CB4C6FAB7CC313
    Session-ID-ctx:
    Master-Key: FE88DF3710EE1DBE6A69F841178D9612C7FD24F3B693CBED4FAD0B3866E88DE728F90D8228DB2A3A909A80FA5CDE7F54
    Key-Arg   : None
    Start Time: 1206022615
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

After that - you can get the data as wanted, b.e. GET / HTTP/1.0 with 2xENTER.

here are also options like -no_tls1 and -no_ssl2 that let you specify which version of SSL/TLS that you want to connect with. The -showcerts and -debug options are also very nice - especially if some issue exist with the certificate.  

 There are indeed using openssl:

openssl x509 -in cacert.pem -noout -purpose -subject

will return you an entire bunch of capabilities your certificate works with.

openssl x509 -in cert.pem -noout -purpose -subject
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
subject= /C=DE/ST=Bayern/L=City/O=OrganizationOU=Home/CN=xxxxxxx.xxxxxxx.xxx/emailAddress=xxxxxxx@xxxxxxxxx.xxx

 The certificate itself is valid. The Certification Authority actually is one I have created myself - so my own certification authority. What is more secure than the key's you have signed yourself ? Even a third party certification authority would not provide me that level of sdecurity.

And the most secure Certificate is actually the one you sign yourself, of course with High-Bit encryption. Check the certificate Details and the CA Details. You'll notice that the same person issued them on this site.

Main reason is I also choosed to sign my key's myself is that for some path's I require a valid client-side certificate - signed by the same CA the WebServer is signed. So - I don't really have a choice. A Verisign Certificate for 1 Server and 1 Client would cost me more than 3000 US$ ... That's defenitly too much for a Hobby.

Note that several Signing authorities have been compromised in the past to start phishing attacks. I had the choice to buy a Cheap Certificate Signing, or do it myself.