Get an A+ in Qualys SSL Labs

I got a secure certificate from StartSSL which is completely free. This has the advantage that it is a fully validated certificate so you will no longer get those warning messages from browsers.
I used a 2048 bit key which seems perfectly fine or you can get a 4096 bit key. The certificate is limited to one sub domain which would normally be www.

Edit /etc/apache2/sites-enabled/default-ssl.conf and add the following.

This disables older protocol versions, turns off compression and forces the use of the best cipher suite first and the clients will use the first one they support in the list.

SSL TLS Deployment Guide