A couple of notes to self:

• Creating a CSR (the short version)
• How do I generate a certificate request? (more detailed if you want to change RSA key lengths which I would recommend)
• Contents of .pem file for Stunnel

The latter is especially important if one fails to grasp how to turn the private key plus the certificate into the .pem for Stunnel. By the way, I was using CAcert. That works just fine for internal email servers.