Howto set up SSL with a real certificate from CaCert on Linux

This Howto describes setting up SSL certificates on a SuSE Linux box; it may be helpful for most other Linux distributions as well.
It assumes that you want to:

Essentially you run a root server, want to get rid of the browser warnings for your users and prefer it free (beer+speech). This Howto does not explain how to self-sign a certificate; we think CAcert is better than self-signing and almost as simple.

Steps:
(Note: in all steps replace "example.com" with your own domain!)

  1. Surf to CAcert, create an account and log in
  2. On CAcert, add your domain (e.g. example.com)
  3. On your linux box, generate a Certificate Signing Request (CSR)
    1. as root, go to directory /etc/ssl
    2. make a new directory (name it after your domain) and chmod it to 0700
    3. cd into that directory and run
      openssl req -nodes -new -keyout private.key -out server.csr
      IMPORTANT: your Common Name MUST look like *.example.com (use your own domain); the other fields are more or less optional
  4. On CAcert, request a new Server Certificate and paste the contents of the server.csr file into the box
  5. Your certificate will be mailed back to you; store it in a file called server.crt (in /etc/ssl/example.com)
  6. In your httpd.conf, add/edit the lines:
    SSLCertificateFile /etc/ssl/example.com/server.crt
    SSLCertificateKeyFile /etc/ssl/example.com/private.key
  7. Now restart Apache and check your logs to see if everything went OK
  8. Your browser clients will still complain, because they do not have the CAcert root certificate (your certification authority) installed. To fix this, tell all your users to surf to http://wiki.cacert.org/ImportRootCert and follow the instructions; they have instructions for other OSs and browsers too.
  9. If you use stunnel for POP and IMAP, do the following:
    1. in /etc/ssl/example.com: cp private.key stunnel.pem
    2. in /etc/ssl/example.com: cat server.crt >> stunnel.pem
    3. in /etc/ssl/certs:
      wget http://www.cacert.org/certs/root.crt -O cacert.pem
      add a hash softlink for cacert.pem:
      openssl x509 -noout -hash -in cacert.pem
      this prints a hash value; create a softlink named after it with .0 appended:
      ln -s cacert.pem hashvalue.0
    4. add the following lines to your /etc/stunnel/stunnel.conf:
      CApath = /etc/ssl/certs
      CAfile = /etc/ssl/certs/cacert.pem
      # our private and signed certificate
      cert = /etc/ssl/example.com/stunnel.pem
      key = /etc/ssl/example.com/stunnel.pem
    5. If you start stunnel in a chroot jail, you have to edit the startup script /etc/init.d/stunnel so that it copies all the certificate files mentioned in stunnel.conf into your chroot directory (/var/lib/stunnel)
Done!
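The following is an added example, not part of the original Howto: a few shell checks on the files the steps above create (wildcard CN in the CSR, key/certificate match, key permissions, the hash softlink from step 9) to run before restarting Apache or stunnel. It assumes the Howto's layout (/etc/ssl/example.com), an RSA key as produced by the openssl req command above, and a stock openssl CLI; the directory and domain are placeholders for your own values.

```sh
#!/bin/sh
# Added example, not part of the original Howto: sanity checks for the files
# the steps above create, to run before restarting Apache or stunnel.
# Assumes the Howto's layout (/etc/ssl/example.com), an RSA key and a stock
# openssl CLI; the directory and domain are placeholders for your own values.

# Does an OpenSSL subject line carry the wildcard CN that step 3 demands?
# Accepts both the old "/C=DE/CN=*.example.com" and the newer
# "C = DE, CN = *.example.com" print styles. Pure string matching, no openssl needed.
cn_is_wildcard() {
    subj=$(printf '%s' "$1" | sed 's/ *= */=/g')
    case "$subj" in
        *"CN=*.$2"|*"CN=*.$2/"*|*"CN=*.$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Does private.key really belong to server.crt? Compare the RSA moduli so a
# mixed-up pair is caught before Apache refuses to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 9.3: create the <hash>.0 softlink for a CA file inside its own directory.
make_hash_link() {
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    ln -sfn "$(basename "$1")" "$(dirname "$1")/$h.0"
}

# Run every check for one domain directory, e.g.:
#   check_all /etc/ssl/example.com example.com
check_all() {
    dir=$1; domain=$2; rc=0
    cn_is_wildcard "$(openssl req -noout -subject -in "$dir/server.csr")" "$domain" \
        || { echo "CSR Common Name is not *.$domain" >&2; rc=1; }
    key_matches_cert "$dir/private.key" "$dir/server.crt" \
        || { echo "private.key does not match server.crt" >&2; rc=1; }
    # the private key must not be readable by anyone but root (step 3.2 set 0700)
    [ -z "$(find "$dir/private.key" -perm -004)" ] \
        || { echo "private.key is world-readable" >&2; rc=1; }
    return $rc
}
```

A non-zero exit from check_all names each failing item on stderr; fix those before restarting Apache or copying files into the stunnel chroot.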