I got a certfile.pem and a keyfile.pem located in ${serverroot}/etc/certs/, but I think there should be a ca.pem, too. What is it?
Its the certificate for the certificate authority e.g. Verisign - the body who says that your certificate is genuine.
Do I have to generate it? And if yes, do you happen to know how I can do it?
You should find the https connection is working but that your browser complains about the certificate because it can't validate it. This is not a problem for testing and staging although you can generate your own ca.pem if you want. Look at http://www.openssl.org/docs/HOWTO/ or google for ca.pem.
On a live server you'll need to buy a certificate from a CA - we use SureSSL http://www.suressl.com/ who are dirt cheap and it works very well (look at https://www.fancydress.com to see it in action - AOLS 4, OpenACS 5.x and nsopenssl 3). If you do go down this route you'll need to follow the instructions from the CA as you'll need to generate a request file which you forward to them. They use this to generate the certificates which you install on your server.
- Steve