Startcom is a free certification authority based in Eilat, Israel which unlike CACert, has it's root certificates bundled with the major browsers and Linux distributions.
Startcom's Class 1 certificates are only valid for 30 days and are domain validated; this is not so helpful. Where Startcom really shines is Class 2 identity validation. Costing 25usd (at the time of writing), Class 2 verification requires you to submit two items of documentation such as driving license and passport. Once verified, Class 2 allows you to create client, server or code signing certificates which are valid for one full year (after which the Class 2 verification needs to be redone).
If verification is not successful, Startcom will post a code via snail mail to the address listed on your documentation. Upon receipt of this, send it via email back to Startcom to complete the process. It appears as though they verify your identity primarily by looking in the telephone directory for your name and address; it would therefore speed the process if this is done in advance of applying for Class 2 verification.
Startcom's root certificate is included with the browsers, but their intermediary CA certificates are not. You will need to install the full certificate chain in your server in order for a client to be able to verify certificates. Instructions for different servers used here are included below.
Generate the private key
openssl genrsa -out domain.sihnon.net.key 1024
Generate the Certificate Signing Request
openssl req -new -key domain.sihnon.net.key -out domain.sihnon.net.csr
Send the CSR to cacert.org, and cat the result into domain.sihnon.net.pem
Set up the server to use the .key and .pem files
Create a certificate bundle, which contains the Intermediate and Root CA certificates
cat sub.class2.server.startcom.crt startcom.crt > sub.class2.server.startcom.bundle.crt
And configure apache to send the bundle along with the certificate
SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl/$VHOST.sihnon.net.crt SSLCertificateKeyFile /etc/apache2/ssl/$VHOST.sihnon.net.key SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.startcom.bundle.crt
As of Apache 2.2.9, mod_ssl supports SNI, which allows multiple name-based virtual hosts to use SSL even on a single IP address.
Compile apache with sni support
# echo "www-server/apache sni" >> /etc/portage/package.use # emerge apache -av
Now, with very little effort, it is possible to set up multiple vhosts with SSL enabled as above and everything should Just Work™
Create the bundle as per the instructions for apache, above, and then configure postfix with the following options
smtpd_tls_key_file = /etc/ssl/smtp.sihnon.net.key smtpd_tls_cert_file = /etc/ssl/smtp.sihnon.net.crt smtpd_tls_CAfile = /etc/ssl/sub.class2.server.startcom.bundle.crt
Courier expects the key and the certificate in the same file, along with some Diffie-Hellman parameters
cat domain.sihnon.net.key domain.sihnon.net.pem > domain.sihnon.net.courier.pem openssl gendh >> domain.sihnon.net.courier.pem
These certificates and corresponding private keys are stored in