====== Startcom ======

===== Overview =====

Startcom is a free certification authority based in Eilat, Israel which, unlike CACert, has its root certificates bundled with the major browsers and Linux distributions.

Startcom's Class 1 certificates are only valid for 30 days and are domain validated; this is not so helpful. Where Startcom really shines is Class 2 identity validation. Costing 25 USD (at the time of writing), Class 2 verification requires you to submit two items of documentation, such as a driving licence and a passport. Once verified, Class 2 allows you to create client, server or code signing certificates which are valid for one full year (after which the Class 2 verification needs to be redone).

If verification is not successful, Startcom will post a code via snail mail to the address listed on your documentation. Upon receipt of this, send it via email back to Startcom to complete the process. It appears as though they verify your identity primarily by looking in the telephone directory for your name and address; it would therefore speed the process if this is done in advance of applying for Class 2 verification.

Startcom's root certificate is included with the browsers, but their intermediary CA certificates are not. You will need to install the full certificate chain in your server in order for a client to be able to verify certificates. Instructions for the different servers used here are included below.
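To see why the intermediate matters, and to check a bundle before deploying it, here is an added shell example (not part of this page): it builds a constructed root -> intermediate -> server chain standing in for startcom.crt, sub.class2.server.startcom.crt and a server certificate, then verifies the server certificate against the root alone (as a browser with no intermediate would) and with the bundle supplied. All file names and subject names are made up; it assumes only the ''openssl'' command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed three-tier chain, a stand-in for the real
# startcom.crt -> sub.class2.server.startcom.crt -> server cert hierarchy.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed, marked CA:TRUE via ca.ext (what browsers ship)
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 -extfile ca.ext 2>/dev/null

# Intermediate CA: CSR signed by the root, also CA:TRUE (what browsers do NOT ship)
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=Constructed Sub CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -out sub.crt -days 30 -extfile ca.ext 2>/dev/null

# Server certificate: issued by the intermediate only, as Class 2 server certs are
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in srv.csr -CA sub.crt -CAkey sub.key -CAcreateserial -out srv.crt -days 30 2>/dev/null

# Bundle built the same way the apache section does: intermediate first, then root
cat sub.crt root.crt > bundle.crt

# A client that trusts only the root and is not sent the intermediate cannot
# build the chain. Returns 0 (success) only if verification passes.
verify_without_intermediate() {
    openssl verify -CAfile root.crt srv.crt >/dev/null 2>&1
}

# Same client, but with the server-supplied bundle as untrusted chain material
# (this is what SSLCertificateChainFile / smtpd_tls_CAfile make the server send).
verify_with_bundle() {
    openssl verify -CAfile root.crt -untrusted bundle.crt srv.crt >/dev/null 2>&1
}

if verify_without_intermediate; then
    echo "unexpected: server cert verified without the intermediate"
else
    echo "as expected: the root alone cannot verify the server cert"
fi
if verify_with_bundle; then
    echo "ok: chain verifies once the bundle is supplied"
else
    echo "bundle is incomplete"; exit 1
fi
```

The same two ''openssl verify'' invocations, pointed at your real server certificate and bundle, tell you before restarting apache or postfix whether the chain you are about to serve is complete.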
===== Startcom.org Certificates =====

Generate the private key:

<code>
openssl genrsa -out domain.sihnon.net.key 1024
</code>

Generate the Certificate Signing Request:

<code>
openssl req -new -key domain.sihnon.net.key -out domain.sihnon.net.csr
</code>

Send the CSR to cacert.org, and cat the result into ''domain.sihnon.net.pem''.

Set up the server to use the .key and .pem files.

===== Using certificates in apache =====

Create a certificate bundle, which contains the Intermediate and Root CA certificates:

<code>
cat sub.class2.server.startcom.crt startcom.crt > sub.class2.server.startcom.bundle.crt
</code>

And configure apache to send the bundle along with the certificate:

<code>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/$VHOST.sihnon.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/$VHOST.sihnon.net.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.startcom.bundle.crt
</code>

==== Server Name Indication ====

As of Apache 2.2.9, mod_ssl supports SNI, which allows multiple name-based virtual hosts to use SSL even on a single IP address.
Compile apache with SNI support:

<code>
# echo "www-server/apache sni" >> /etc/portage/package.use
# emerge apache -av
</code>

Now, with very little effort, it is possible to set up multiple vhosts with SSL enabled as above and everything should Just Work™.

===== Using certificates in postfix =====

Create the bundle as per the instructions for apache, above, and then configure postfix with the following options:

<code>
smtpd_tls_key_file = /etc/ssl/smtp.sihnon.net.key
smtpd_tls_cert_file = /etc/ssl/smtp.sihnon.net.crt
smtpd_tls_CAfile = /etc/ssl/sub.class2.server.startcom.bundle.crt
</code>

===== Using certificates in courier-imap =====

Courier expects the key and the certificate in the same file, along with some Diffie-Hellman parameters:

<code>
cat domain.sihnon.net.key domain.sihnon.net.pem > domain.sihnon.net.courier.pem
openssl gendh >> domain.sihnon.net.courier.pem
</code>

===== Certificates issued by startcom =====

These certificates and corresponding private keys are stored in ''/home/ben/secure''.

  * backups.sihnon.net (expires 2011-11-02)
  * bugs.sihnon.net (expires 2011-11-02)
  * cacti.sihnon.net (expires 2010-04-27)
  * code.sihnon.net [[code|signing]] (expires 2010-04-27)
  * dev.sihnon.net (expires 2011-11-02)
  * imap.sihnon.net (expires 2011-11-02) [[DNS|Alternate names: mail.sihnon.net, smtp.sihnon.net, webmail.sihnon.net]]
  * ldap.sihnon.net (expires 2011-11-02)
  * ldap-dev.sihnon.net (expired)
  * ldap-slave.sihnon.net (expires 2011-11-02)
  * nagios.sihnon.net (expires 2010-04-27)
  * river.sihnon.net (expires 2011-11-02)
  * saffron.sihnon.net (expires 2011-11-02)
  * santo.sihnon.net (expires 2011-11-02)
  * vc.sihnon.net (expires 2010-04-27)
  * vmware.sihnon.net (expires 2010-02-21)
  * vmware-slave.sihnon.net (expires 2010-04-01)
  * wiki.sihnon.net (expires 2011-11-02)
  * www.sihnon.net (expires 2011-11-02)