Startcom

Overview

Startcom is a free certificate authority based in Eilat, Israel which, unlike CAcert, has its root certificates bundled with the major browsers and Linux distributions.

Startcom's Class 1 certificates are only valid for 30 days and are domain validated; this is not very useful. Where Startcom really shines is Class 2 identity validation. Costing USD 25 (at the time of writing), Class 2 verification requires you to submit two items of documentation, such as a driving licence and a passport. Once verified, Class 2 allows you to create client, server or code signing certificates which are valid for one full year (after which the Class 2 verification needs to be redone).

If verification is not successful, Startcom will post a code via snail mail to the address listed on your documentation. Upon receipt of this, send it via email back to Startcom to complete the process. It appears as though they verify your identity primarily by looking up your name and address in the telephone directory, so making sure you are listed there before applying for Class 2 verification should speed the process.

Startcom's root certificate is included with the browsers, but their intermediate CA certificates are not. You will need to install the full certificate chain on your server in order for a client to be able to verify certificates. Instructions for the different servers used here follow.

Startcom.org Certificates

Generate the private key
<source lang="bash">
openssl genrsa -out domain.sihnon.net.key 1024
</source>

Generate the Certificate Signing Request
<source lang="bash">
openssl req -new -key domain.sihnon.net.key -out domain.sihnon.net.csr
</source>

Send the CSR to cacert.org, and cat the result into domain.sihnon.net.pem

Set up the server to use the .key and .pem files
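As an added example (my own, not from this wiki page), the key and CSR steps above as a small POSIX shell script together with the checks worth running before the CSR is sent to the CA: it generates a 2048-bit key (the 1024-bit key in the command above is below the minimum public CAs accept today), restricts the key file's permissions, verifies the CSR's self-signature and confirms that the public key in the CSR is the one belonging to the private key. The hostname and the scratch directory are invented.

```shell
#!/bin/sh
# Added example, not from the wiki page. Generates a private key and CSR for
# a hypothetical host and checks the CSR before it is sent to the CA.
set -eu

# Generate a 2048-bit RSA key (mode 0600) and a CSR whose subject is the host.
# Usage: gen_key_and_csr <dir> <hostname>
gen_key_and_csr() {
    dir=$1; host=$2
    # The wiki page uses 1024 bits; public CAs require at least 2048 today.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null
}

# Return 0 if the CSR's self-signature verifies and the CSR's public key is
# the one derived from the private key, i.e. the CSR really came from this key.
# Usage: verify_csr <dir> <hostname>
verify_csr() {
    dir=$1; host=$2
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$dir/$host.csr" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Print the CSR's subject so it can be checked by eye before submission.
# Usage: csr_subject <dir> <hostname>
csr_subject() {
    openssl req -in "$1/$2.csr" -noout -subject 2>/dev/null
}

# Stand-alone demo in a scratch directory; run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    gen_key_and_csr "$work" demo.sihnon.net     # invented hostname
    csr_subject "$work" demo.sihnon.net
    if verify_csr "$work" demo.sihnon.net; then
        echo "CSR matches key; send $work/demo.sihnon.net.csr to the CA"
    else
        echo "CSR does not match key" >&2
        exit 1
    fi
fi
```

The public-key comparison is the check that catches the common mistake of generating a fresh key after the CSR was made; a CA will happily sign such a CSR and the server will then refuse to start with the mismatched pair.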

Using certificates in apache

Create a certificate bundle, which contains the Intermediate and Root CA certificates
<source lang="bash">
cat sub.class2.server.startcom.crt startcom.crt > sub.class2.server.startcom.bundle.crt
</source>

And configure apache to send the bundle along with the certificate
<source lang="apache">
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/$VHOST.sihnon.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/$VHOST.sihnon.net.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.startcom.bundle.crt
</source>
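The following added example (my own, not from this page or from Startcom) shows why the bundle matters. It builds a throwaway test CA on the local machine with a root and an intermediate, issues a server certificate from the intermediate, and then runs openssl verify three ways: against the root alone (fails, because the intermediate is unknown, which is what a client sees when the server sends only its own certificate), against the root with the intermediate supplied as untrusted chain material, and against a bundle file concatenated in the same order as the wiki's bundle. All names are invented and the certificates are short-lived. One caveat on the configuration above: the SSLCipherSuite string enables export, RC4 and eNULL (no encryption) suites; on a current mod_ssl a list such as HIGH:!aNULL:!eNULL:!RC4 is the appropriate starting point.

```shell
#!/bin/sh
# Added example, not from the wiki page: build a throwaway root -> intermediate
# -> server chain and show that the leaf verifies only when the intermediate
# is available, which is why the bundle is configured on the server.
set -eu

# Issue a certificate for <cn> signed by <issuer>'s key, with the extensions
# in <extfile>. All files live in <dir>; every name here is invented.
# Usage: issue_cert <dir> <issuer> <name> <cn> <extfile>
issue_cert() {
    dir=$1; issuer=$2; name=$3; cn=$4; ext=$5
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.crt" \
        -CAkey "$dir/$issuer.key" -CAcreateserial -days 7 \
        -extfile "$dir/$ext" -out "$dir/$name.crt" 2>/dev/null
}

# Create a root CA, an intermediate CA and a server certificate in <dir>,
# plus a bundle file laid out like the wiki's (intermediate first, then root).
# Usage: build_test_chain <dir>
build_test_chain() {
    dir=$1
    # Minimal config so the self-signed root is marked CA:TRUE on every
    # OpenSSL version, instead of relying on the system openssl.cnf.
    cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Test Root CA" -days 7 -config "$dir/root.cnf" 2>/dev/null
    # Intermediate: a CA that may only sign end-entity certificates (pathlen:0).
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    issue_cert "$dir" root intermediate "Test Intermediate CA" ca.ext
    # Server (leaf) certificate for an invented hostname.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/server.ext"
    issue_cert "$dir" intermediate server www.example.test server.ext
    cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/bundle.crt"
}

# Return 0 if <leaf> chains to a trust anchor in <cafile>; any further args are
# passed to openssl verify. The ": OK" line is checked rather than the exit
# status, which older releases did not set on failure.
# Usage: chain_ok <cafile> <leaf> [extra openssl verify args]
chain_ok() {
    cafile=$1; leaf=$2; shift 2
    openssl verify -CAfile "$cafile" "$@" "$leaf" 2>&1 | grep -q ': OK$'
}

# Stand-alone demo; run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_test_chain "$work"
    if chain_ok "$work/root.crt" "$work/server.crt"; then
        echo "root only: OK (unexpected)"
    else
        echo "root only: FAIL, intermediate missing"
    fi
    chain_ok "$work/root.crt" "$work/server.crt" -untrusted "$work/intermediate.crt" \
        && echo "root + untrusted intermediate: OK"
    chain_ok "$work/bundle.crt" "$work/server.crt" && echo "bundle: OK"
fi
```

The first verification is the situation the section warns about: a browser ships the root but not the intermediate, so a server that sends only its own certificate produces exactly this "unable to get local issuer certificate" failure. Shipping the bundle is what lets the client complete the chain.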

Server Name Indication

As of Apache 2.2.9, mod_ssl supports SNI, which allows multiple name-based virtual hosts to use SSL even on a single IP address.

Compile apache with sni support <source lang="bash">

  # echo "www-server/apache sni" >> /etc/portage/package.use
  # emerge apache -av

</source>

Now, with very little effort, it is possible to set up multiple vhosts with SSL enabled as above, and everything should Just Work™.

Using certificates in postfix

Create the bundle as per the instructions for apache, above, and then configure postfix with the following options
<source lang="text">
smtpd_tls_key_file = /etc/ssl/smtp.sihnon.net.key
smtpd_tls_cert_file = /etc/ssl/smtp.sihnon.net.crt
smtpd_tls_CAfile = /etc/ssl/sub.class2.server.startcom.bundle.crt
</source>

Using certificates in courier-imap

Courier expects the key and the certificate in the same file, along with some Diffie-Hellman parameters
<source lang="bash">
cat domain.sihnon.net.key domain.sihnon.net.pem > domain.sihnon.net.courier.pem
openssl gendh >> domain.sihnon.net.courier.pem
</source>

Certificates issued by startcom

These certificates and corresponding private keys are stored in /home/ben/secure.

  • backups.sihnon.net (expires 2011-11-02)
  • bugs.sihnon.net (expires 2011-11-02)
  • cacti.sihnon.net (expires 2010-04-27)
  • code.sihnon.net signing (expires 2010-04-27)
  • dev.sihnon.net (expires 2011-11-02)
  • ldap.sihnon.net (expires 2011-11-02)
  • ldap-dev.sihnon.net (expired)
  • ldap-slave.sihnon.net (expires 2011-11-02)
  • nagios.sihnon.net (expires 2010-04-27)
  • river.sihnon.net (expires 2011-11-02)
  • saffron.sihnon.net (expires 2011-11-02)
  • santo.sihnon.net (expires 2011-11-02)
  • vc.sihnon.net (expires 2010-04-27)
  • vmware.sihnon.net (expires 2010-02-21)
  • vmware-slave.sihnon.net (expires 2010-04-01)
  • wiki.sihnon.net (expires 2011-11-02)
  • www.sihnon.net (expires 2011-11-02)
startcom.1416793493.txt.gz · Last modified: 2014/11/24 01:44 by ben