Let me explain via a practical example.
There is a set of Certificate Authorities (CAs) that browsers implicitly trust. You can see the list of trusted CAs in your browser. For example, the CAs trusted by the Chrome browser can be found at "Wrench Menu > Preferences > Under the Hood > HTTPS/SSL (Manage Certificates) > Authorities tab".
So, the certificate that mail.google.com presents to your browser is 'signed' by Thawte SGC CA. This CA is implicitly trusted by the browser. These CAs will issue certificates only after thorough (and manual) verification.
You and I cannot trick Thawte or Verisign into signing us a fake certificate for Google. Such cases do happen, but they are rare and mostly require some insider help.
Now, on your own machine, you can go ahead and create certificates claiming to be for google.com. But these certs are 'self-signed' and will not be trusted by the browser, because the CA (you) is not in its trusted certificates list. In this case, the browser will show you a certificate warning.
So, now to answer your question, there are a couple of ways in which spoofed certificates are created (or made to work):
Just as I mentioned above, a person can trick a CA (which is trusted by the browser) into issuing them a certificate for a site which doesn't belong to them. For this reason people often manually remove trusted CAs from their list. God knows what procedures that CA in that never-heard-of country follows. I've seen paranoid people removing CAs from the browser's trusted list.
The CA gets hacked (or is made to issue fake certs). In such a case you can issue certs at will. Not to mention, such CAs immediately go out of business once this is found out.
You can also have a fake "self-signed" certificate for google.com and still manage to bypass the browser's security check if you explicitly add your own CA to the browser's trusted list. Companies can do it. I've seen (and worked at) companies where they openly do it for "compliance reasons". Since your desktop machines are in their control, they install their own CA into your browser's trusted store and present a fake Gmail cert to the browser, which the browser trusts, and they happily intercept ALL your conversations/emails.
In all these cases, what you get by faking a certificate is this: you can MITM (Man in the Middle) the connection between the server and the user's computer and decrypt the SSL session.
I've left out many finer nuances of certificate creation in my description above to present a broad picture. You can read about Cert Patrol and Perspectives to see how you can prevent falling victim to a fake certificate even if its CA is in the browser's trusted list.
You can also read about certificate pinning which can help prevent such certificate hijacks.
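The three situations described above (a cert from a trusted CA, a cert from a CA the browser does not know, and a cert from a CA that has been added to the trust store), plus a key pin that still catches the substitution, can be reproduced locally with the openssl tool. This is an added example, not part of the original answer; it assumes openssl is installed, and the CA names, the hostname mail.google.com and the trust-store files are constructed for the demo.

```shell
#!/bin/sh
# Assumes the openssl command-line tool is available.
# RealCA stands in for Thawte/Verisign; CorpProxyCA for a company's interception CA.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA certificate and key named $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Have CA $1 sign a leaf certificate for hostname $3, stored under name $2.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 if leaf $1 chains to a CA in trust-store file $2 (what the browser
# does against its "Authorities" list); non-zero means a certificate warning.
chain_trusted() {
    openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 of the leaf's public key (SubjectPublicKeyInfo): the value a pin,
# or Cert Patrol's memory of a site, compares against.
spki_hash() {
    openssl x509 -in "$WORK/$1.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if leaf $1's key hash equals the pinned hash $2.
pin_matches() {
    [ "$(spki_hash "$1")" = "$2" ]
}

make_ca RealCA
make_ca CorpProxyCA
issue_leaf RealCA genuine mail.google.com        # the real site's certificate
issue_leaf CorpProxyCA spoofed mail.google.com   # the fake one, same name, other key

cat "$WORK/RealCA.crt" > "$WORK/store_public.pem"                             # default store
cat "$WORK/RealCA.crt" "$WORK/CorpProxyCA.crt" > "$WORK/store_corporate.pem"  # corp CA added

PIN=$(spki_hash genuine)   # pin recorded from a known-good connection
for case in "genuine store_public" "spoofed store_public" "spoofed store_corporate"; do
    set -- $case
    if chain_trusted "$1" "$WORK/$2.pem"; then r=trusted; else r=WARNING; fi
    if pin_matches "$1" "$PIN"; then p=ok; else p=MISMATCH; fi
    echo "$1 cert vs $2: chain=$r pin=$p"
done
```

The spoofed certificate only becomes "trusted" once CorpProxyCA is in the store, but its key hash never matches the pin, which is why pinning still flags the interception.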