Pitfall-Free Howto/Guide to StartCom/StartSSL Class 2 Organization Validation/Certification

...in just three not-so-simple steps.

A couple quick notes before we begin: I threw this article together over a period of weeks, so the layout is a bit... odd. At some point I'll come back to this article and clean it up, however for now, I think it does the job of conveying the process to a new StartSSL user. Also, I use the names "StartCom" and "StartSSL" interchangeably, so don't look any deeper into the name usage than that.

A few weeks ago, I started the process of renewing several StartCom certs for my employer, and started to become familiar with the processes and pitfalls of identity and organization validation with StartCom. After delving into the process head-first, it became evident that this might not be as straight-forward as one might expect. However, I think that once you know what to expect, the process should go much more smoothly.

Also, please note that this how-to merely documents what I did to get a cert, and what pitfalls I ran into along the way. Therefore, your requirements and path may (and probably will) vary from mine. For instance, the tax document I submitted was a "State of Delaware Annual Franchise Tax Report". This document lists all of the items shown on StartCom's requirements. Your document(s) may not.

First, let's understand the steps required in obtaining Class 2 Org validation. Basically, you keep escalating your level of validation, providing increasingly trusted levels of personal and organization documentation as you go. Here's a rough outline:

  • Get Email Address validation with StartSSL (free)
    • Sign up
    • Validate email
    • Get personal client cert (for browser) via website
      • Back it up!!!
  • Get Personal Class 2 validation (~$60)
    • Submit 2 forms of ID
      • 1 Photo ID (i.e.: Driver's license)
      • 1 other form of ID. May be photo (i.e.: Passport), OR non-photo (i.e.: birth certificate)
    • AND submit either:
      • Phone bill showing your name, current address, AND (most importantly) phone number.
        • May be land line or cell

        OR

      • Request for certified mail validation
        • Delivery will take ~2.5 to 5 weeks (from Israel)
          • If expedited service is required, you may additionally request express mail (~4-5 bus. days) for approx $30.
    • Wait for call or letter, and verify provided code on StartSSL website control panel.
  • Get Organization Class 2 validation (~$60)
    • Submit tax document which contains:
      • Name of CEO
      • Names of Directors
      • Co. Address (not sure if this is an actual requirement)
      • Co. Phone number (not sure if this is an actual requirement)
    • AND submit StartSSL's "Delegate Authorization Letter" (https://www.startssl.com/authorization-letter-class2-organizational-validation.pdf) with:
      • Your name, title as delegate
      • Name and signature of CEO, President, or Director (CFO also appears to work. Other C?? titles may suffice)
    • Have your signatory receive a phone call from StartCom to verify your authorization.
  • Validate your domain(s)
    • Perform the "Domain Name Validation" validation wizard for each new or expiring domain
    • Confirm validation using code sent to email
  • Generate Certs
    • Perform the "Web Server SSL / TLS Certificate" certificate wizard
      • Only new/expired certs or certs expiring within 2 weeks may be renewed (when the existing cert is with StartCom)
    • Generate password-protected key / cert pairs
      • Keep that password safe and backed up!
    • Save key to .key file, cert to .crt file (ie, wildcard.mydomain.com.key, wildcard.mydomain.com.crt)
  • Install Certs
    • Decrypt (strip password protection from) key file
    • Place decrypted key and crt files on webserver
    • Configure Apache SSL
    • Reload Apache
    • Verify correct cert in web browser
  • ???
  • PROFIT!!!

And now for the more elaborate explanation:

1) Get your email address set up, and obtain a website authentication certificate. This is free. Go to the Control Panel and click Sign Up. Fill out the forms and submit. Soon you should receive an authentication code via email. You will submit this to the StartCom site, and then wait for another email that has a verification link, which you'll click. Once that's done, you'll get a personal client certificate for your browser. Follow the instructions in the email/website on how to backup this certificate. Don't skip this! Think of this as cert the key to your account. If you lose it, you're likely going to have to a hard time regaining access. Back it up to an external storage medium (perhaps even encrypted as well - TrueCrypt is good for this).

2) Get yourself a Class 2 validation. This will cost you ~$60 (with one potential caveat, described below). This is where things start to get more complex. You'll need two scanned or photographed forms of documentation that prove that you exist, AND a means of verifying that the person submitting the documentation is actually you. For the two forms of identification, one must be a photo ID (afaik), and another can be another photo ID (such as a passport) OR something that simply proves you exist, such as a birth certificate (this is what I used). Submitted photos/scans must be of "high" quality, but less than 1400x1400 resolution. The second half of this, and this is where I got hung up, is the verification that the person submitting the information is YOU. StartCom apparently trusts phone companies, because you "just" need to submit an invoice/bill showing your name, address, and phone number. This can be either a scan/photo or a PDF. This is where I got hung up. My current cell service is not in my name, and I have Ooma VOIP for home phone service, which doesn't do traditional paper or PDF invoicing. Attempts to submit website screenshots, or PDFs of a webpage will likely be rejected. StartCom needs to be able to verify that you own the number you say you do, and then call you at that number to verify that you submitted the request (presumably with a code conveyed by voice, then submitted to the StartCom website). In lieu of a verified phone number, your next/only option is a registered mail letter from StartCom (in Israel). They claim this takes 3-5 business days. That may be true if you lived in Israel. I live in the US. Internet rumor has it that this letter takes ~5 weeks to get to the US destinations. I'll see if one of my letters end up taking this long (see update below... took ~2 weeks). The alternative is to request express mail delivery, which costs ~$30. This will take approximately 4-5 business days. I opted for this to expedite the process. Once you receive the letter, it will contain a code which you submit via the StartCom website control panel. Shortly after, StartCom should send you confirmation that you have been personally Class 2 verified.

3) Get your Organization Class 2 verified (another ~$60). This part is still in progress for me. I will be updating as I go along. First step appears (at least for now) that I have to obtain a yet-to-be-identified tax document from our finance/accounting department that proves that our company is recognized to exist by either the State or the US. Also, it's not clear if I, as an employee of the company, can submit the tax documentation and as a result get access to create these certs, OR do I also need to submit an authorization form that delegates me to make cert changes on behalf of the company. Sure would be nice if StartCom would clear some of this up on their website, or at least on their forums.

More on this as the mystery unfolds...

Update 5/28: A few updates

  • Today I received my initially-requested snail-mail letter from StartCom. The letter was requested late on the 10th, so that means it takes 14-16 postal days (Mon-Sat) to get to Minneapolis, MN. But of course, YMMV.
  • In the case of my company, the tax document used was a Delaware Annual Franchise Tax Report (as the company is incorporated in Delaware). Your document will almost surely be different. My recommendation is to ask your accountant or executive for a copy of the Articles of Incorporation applicable to your state.
  • Unless you are the CEO, President, or a Director of the company/org you are applying for, you'll need to fill out the  StartSSL Delegate Authorization Letter, printed on company letterhead, and have one of the aforementioned individuals sign it. Currently I'm attempting to use our CFO's signature to see if that is sufficient. If not, I'll be going to CEO to get the required signature.

Update 6/4: Eventually I got a signature from our CFO. I submitted the document to StartCom, and within a few hours I got an email back they they were unable to reach anyone at the listed office number. Presumably they tried to contact our CFO. I asked them to try again, and soon after got an email stating that the Class 2 Org Validation is complete! Once that was done, I was able to log into the StartCom control panel and perform Domain Name Validation(s) for each of our domains. It appears they offer a number of hostmaster/postmaster addresses as options to send a validation email to your domain. In addition to our other TLD's, they offered hostmaster@our_main_domain.com. Not sure how they linked them to our main corporate domain (possibly public WHOIS data), but they did. Up next, cert generation!...

Update 6/7: This ended up being the most straightforward process of the entire adventure. In my case, the web service in use was Apache. This process will likely vary for an MS-based/IIS server. Once your domain(s) is/are validated, you can go back into the StartSSL control panel, go the the certificates wizard, and select "Web Server SSL/TLS Certificate". Set a password for you keyfile and generate the key. Keep good tabs on this password as it's what decrypts your private key for use on your webserver. Save the resulting key text out to a file named something like "wildcard.mydomain.com.key". Continue on and select your domain, and enter/add your subdomain(s) or subdomain wildcards as needed (see notes below regarding restrictions). Once the cert is generated, save the text into a file named something like "wildcard.mydomain.com.crt". Keep these files safe and backed up!

A few other notes related to this: Note that a subdomain wildcard only applies to the level of that wildcard. So for instance, *.mydomain.com would cover test.mydomain.com, byt not test1.test2.mydomain.com. For that, you need to specify wildcards for each recursive level, ie *.test2.mydomain.com. Also note that domains that still have active StartSSL certs (or are not expiring within 2 weeks) are not able to be renewed. If you must renew them, you must revoke the existing cert, which costs approx $25. Be aware that you could still generate certs for individual specific (sub)domains instead to avoid going through the revocation process.

You can now proceed to install the cert on your webserver, however note that hte .key file is password protected/encrypted. You must strip the password in order to allow your web service to start up unattended. Here's a quick command to do that:

openssl rsa -in wildcard.mydomain.com.key > wildcard.mydomain.com.decrypted.key

You can then take the decrypted key and use it in your Apache config. Please note however that you must take care to restrict access to your server so that your private key is not copied by unauthorized persons. They alternative to this is to leave password protection on, but intervene manually by entering in the password each time Apache is (re)started.
So there you have it! At some point I'll probably come back to this article and clean it up. For now, I just wanted to get the information out there to help my fellow interweb users. Good luck!