StartCom is a free certification authority based in Eilat, Israel which, unlike CAcert, has its root certificate bundled with the major browsers and Linux distributions.
StartCom's Class 1 certificates are domain-validated only and valid for just 30 days, which is not very useful. Where StartCom really shines is Class 2 identity validation. Costing USD 25 (at the time of writing), Class 2 verification requires you to submit two items of identity documentation, such as a driving licence and a passport. Once verified, Class 2 lets you issue client, server or code-signing certificates that are valid for one full year (after which the Class 2 verification has to be redone).
If the documents alone are not enough to verify you, StartCom will post a code by snail mail to the address shown on your documentation; email that code back to StartCom to complete the process. They appear to verify your identity primarily by looking your name and address up in the telephone directory, so it speeds the process to make sure you are listed there before applying for Class 2 verification.
StartCom's root certificate is included with the browsers, but their intermediate CA certificates are not. You therefore need to install the full certificate chain on the server so that a client can build a path from your certificate up to the trusted root; a server that presents only its own certificate gets an unknown-issuer error even though the client trusts the StartCom root. Instructions for the different servers used here follow.
Generate the private key. Use 2048 bits: 1024-bit RSA keys are considered too weak and are no longer accepted by CAs or browsers. Keep the key file readable by root only.
openssl genrsa -out domain.sihnon.net.key 2048
chmod 600 domain.sihnon.net.key
Generate the Certificate Signing Request
openssl req -new -key domain.sihnon.net.key -out domain.sihnon.net.csr
Submit the CSR to StartCom through their web interface and save the certificate they return as domain.sihnon.net.pem (the Apache example below names the same file .crt; both are PEM, only the extension differs).
Set up the server to use the .key and .pem files.
Create a certificate bundle containing the intermediate and root CA certificates, intermediate first. Including the root is not strictly required, since every client already has it, but it does no harm beyond a few extra bytes per handshake.
cat sub.class2.server.startcom.crt startcom.crt > sub.class2.server.startcom.bundle.crt
And configure Apache to send the bundle along with the certificate. $VHOST stands for the virtual host's name. The cipher string below replaces the old Apache default (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:+eNULL), which permitted export-grade and even unencrypted (eNULL) suites:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!RC4
SSLHonorCipherOrder on
SSLCertificateFile /etc/apache2/ssl/$VHOST.sihnon.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/$VHOST.sihnon.net.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.startcom.bundle.crt
Note that SSLCertificateChainFile is deprecated from Apache 2.4.8 onwards; there you can append the bundle to the file named by SSLCertificateFile instead.
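The checks below are an added example and not part of the original page. They build a throwaway three-tier chain (a toy root, a toy "Class 2" intermediate and a server certificate) that stands in for startcom.crt, sub.class2.server.startcom.crt and the signed domain.sihnon.net.pem, then show why the intermediate has to be served, build the bundle exactly as above, and confirm the private key belongs to the certificate. All file names, subjects and serial numbers are made up for the demonstration; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a throwaway three-tier
# chain (toy root -> toy "Class 2" intermediate -> server cert) standing in
# for startcom.crt -> sub.class2.server.startcom.crt -> domain.sihnon.net.pem,
# then checks the chain the way a browser would, builds the bundle, and
# confirms the private key belongs to the certificate. Needs openssl >= 1.1.1.
set -e

# Write root.key/root.crt, inter.key/inter.crt, domain.key/domain.crt into $1.
# All names, subjects and serials are made up for the demonstration.
build_toy_chain() {
    dir=$1
    # Extension profiles: CA certs may sign certs; the leaf is a TLS server cert.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:domain.sihnon.net\n' > "$dir/leaf.ext"

    # Self-signed root (the part a browser already ships).
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -key "$dir/root.key" -subj "/CN=Toy Root CA" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # Intermediate signed by the root (the part a browser does NOT ship).
    openssl genrsa -out "$dir/inter.key" 2048 2>/dev/null
    openssl req -new -key "$dir/inter.key" -subj "/CN=Toy Class 2 Server CA" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -set_serial 2 -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null

    # Server key and CSR, as in the text, signed by the intermediate.
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/domain.key" -subj "/CN=domain.sihnon.net" -out "$dir/domain.csr" 2>/dev/null
    openssl x509 -req -in "$dir/domain.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" -set_serial 3 -days 2 \
        -extfile "$dir/leaf.ext" -out "$dir/domain.crt" 2>/dev/null
}

# verify_chain LEAF ROOT [INTERMEDIATE...]: trust only ROOT, like a browser,
# and treat the intermediates as "sent by the server". Exit 0 = chain OK.
verify_chain() {
    leaf=$1; root=$2; shift 2
    for inter in "$@"; do shift; set -- "$@" -untrusted "$inter"; done
    openssl verify -no-CAfile -no-CApath -CAfile "$root" "$@" "$leaf"
}

# make_bundle OUT CERT...: the page's "cat intermediate root > bundle" step.
make_bundle() { out=$1; shift; cat "$@" > "$out"; }

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# key_matches_cert KEY CERT: the public key derived from KEY must equal the
# one inside CERT, otherwise the server refuses to start or handshakes fail.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

WORK=$(mktemp -d)
build_toy_chain "$WORK"

# 1. Root alone: what a browser sees when the server omits the intermediate.
if verify_chain "$WORK/domain.crt" "$WORK/root.crt" >/dev/null 2>&1; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "root only: verification fails, as it would in a browser without the intermediate"
fi

# 2. Root plus the served intermediate: the chain closes.
verify_chain "$WORK/domain.crt" "$WORK/root.crt" "$WORK/inter.crt"

# 3. Build the bundle the way the page does and confirm it also closes the chain.
make_bundle "$WORK/bundle.crt" "$WORK/inter.crt" "$WORK/root.crt"
echo "bundle contains $(count_certs "$WORK/bundle.crt") certificates"
verify_chain "$WORK/domain.crt" "$WORK/root.crt" "$WORK/bundle.crt"

# 4. Key/certificate match, and a deliberate mismatch.
if key_matches_cert "$WORK/domain.key" "$WORK/domain.crt"; then echo "domain.key matches domain.crt"; fi
if key_matches_cert "$WORK/inter.key" "$WORK/domain.crt"; then echo "unexpected match"; else echo "inter.key does not match domain.crt (as expected)"; fi
echo "artifacts left in $WORK"
```

Against a live server the same check is openssl s_client -connect host:443 -servername host -showcerts (add -starttls smtp or -starttls imap for Postfix and Courier); "Verify return code: 0 (ok)" with the system CA file means the server is presenting the intermediate, while error 20 (unable to get local issuer certificate) means it is not.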
Apache's mod_ssl supports SNI (Server Name Indication), which allows multiple name-based virtual hosts to use SSL on a single IP address. Gentoo's apache 2.2.9 ebuild provides it behind the sni USE flag; upstream releases include it from 2.2.12 onwards. It also needs an OpenSSL built with TLS extension support (0.9.8f or newer).
Compile Apache with SNI support:
# echo "www-servers/apache sni" >> /etc/portage/package.use
# emerge -av www-servers/apache
Now, with very little effort, it is possible to set up multiple vhosts with SSL enabled as above and everything should Just Work™. One caveat: clients that do not send SNI (Internet Explorer on Windows XP, Android 2.x and older) receive the certificate of the first SSL vhost defined for that address, so put the vhost you want as the fallback first.
Create the bundle as per the Apache instructions above, then configure Postfix with the following options (TLS itself is enabled with smtpd_tls_security_level = may, or smtpd_use_tls = yes on Postfix older than 2.3):
smtpd_tls_key_file = /etc/ssl/smtp.sihnon.net.key
smtpd_tls_cert_file = /etc/ssl/smtp.sihnon.net.crt
smtpd_tls_CAfile = /etc/ssl/sub.class2.server.startcom.bundle.crt
Note that smtpd_tls_CAfile is really meant for verifying client certificates; this arrangement works because OpenSSL fills in the missing intermediate from that file when building the chain it sends. The Postfix documentation recommends instead appending the intermediate (and optionally the root) to smtpd_tls_cert_file directly after the server certificate.
Courier expects the key and the certificate in the same file (TLS_CERTFILE), along with some Diffie-Hellman parameters. Append the intermediate certificate after the server certificate so that clients receive the chain, and generate 2048-bit DH parameters rather than using openssl gendh, which defaults to 512 bits. Since the file contains the private key, it must not be world-readable.
cat domain.sihnon.net.key domain.sihnon.net.pem sub.class2.server.startcom.crt > domain.sihnon.net.courier.pem
openssl dhparam 2048 >> domain.sihnon.net.courier.pem
chmod 600 domain.sihnon.net.courier.pem
These certificates and their corresponding private keys are stored in /home/ben/secure.