You need four different files referenced in your default-ssl file for your StartSSL certificate to work.
[Note: I reference both StartSSL and StartCom in what follows -- obviously, they are the same entity.]

Some Background
First, StartSSL seems to install a private key into your browser during the initial setup, and encourages you to back up this file, which Firefox (and likely other browsers) will store as a .p12 file. However, this file IS NOT your private key for your certificates -- rather, it is YOUR PERSONAL PRIVATE KEY FOR SECURE EMAIL (such as S/MIME). Thus, it is NOT the private key you want to install in Apache, and, at least in my case, I did NOT have to convert any .p12 files to .pem files.
So, you're probably using the wrong key file. I'll get to that in a moment.
Second, a little more background: The "standards" for file extensions for SSL-related files are rather "loose". A lot of folks use .pem for everything. I prefer and recommend using the following extensions: .csr, .pem, and .key. .csr is for certificate signing requests, and .key is for private keys (technically, just a .pem file with only one, private key). .pem files are generally for certificates, but technically they are a container format, meaning they can hold multiple items, typically public keys and certificates (including entire certificate chains). (For more about this, see http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file.)

Some Ideas on How to Fix Your Problem
First, here are the four relevant lines from my default-ssl file (with myhost.myserver.com replacing my actual server):
The latter two files you download from StartCom's website (links are provided here: http://www.startssl.com/?app=21).
The second file, that is, SSLCertificateKeyFile, is the key file that was generated when you created your certificate signing request that you pasted into StartCom's website. You probably ran a command like the following to generate the .csr file:
openssl req -nodes -newkey rsa:2048 -keyout myhost.myserver.com.key -out myhost.myserver.csr
It is this .key file -- the option to the -keyout parameter -- that is the private key for the server certificate you obtained from StartCom. Thus, and in other words, STARTCOM NEVER GETS THE PRIVATE KEY FOR YOUR CERTIFICATE, ONLY YOU HAVE IT (which is sort of the point, no?).
If for some reason or somehow you didn't run a command like the one above, or deleted the .key file, can't find it, or whatever, you can simply revoke your existing server certificate and create a new one, this time being sure to hang on to the private key.
Lastly, the first file, SSLCertificateFile, is simply the server certificate issued to you by StartCom, which you obtain with the "Retrieve Certificate" option in their Toolbox (or whatnot). IIRC, you have to cut and paste the certificate. Simply copy the certificate to your clipboard. Then, paste into a new text document in your text editor of choice, and save it as a plain text file called myhost.myserver.com.pem.
I believe that if you get these four files set up correctly, and your default-ssl file adjusted accordingly, you should be good to go. As it stands now, it looks like you're trying to use just the .pem certificate for three of the four required configuration options, and, as you observed, that won't work. Apache cannot decrypt the certificate without the private key file (myhost.myserver.com.key), and without the certificate of authority file (startcom-ca.pem) and the certificate chain file (sub.class1.server.ca.pem), Apache cannot send the public keys embedded within these files to the web/mobile clients for them to be able to validate the authenticity of both StartCom itself and the entire certificate chain. Thus, at the moment, the only Apache configuration you appear to have correct is your server certificate itself (what I'm calling myhost.myserver.com.pem here, what you called StartSSL.pem).
Hope this helps.
Given fox's comment, it might be best to continue this via email. Feel free to email me at (dm at-sign dougmorse period org) and I'll try to help as best I can.
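The procedure in the answer above, as an added, runnable example that is not part of the original post: it generates the private key and CSR with the same openssl command, verifies that a given key really belongs to a given certificate (the check that tells you whether you grabbed the S/MIME key from the .p12 by mistake), and prints the four default-ssl directives. Because StartCom is not reachable offline, the CSR is self-signed locally as a stand-in for the certificate you would retrieve from their Toolbox; the host name, the /etc/ssl paths, the scratch directory and the directive names for the two CA files (SSLCertificateChainFile, SSLCACertificateFile) are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is installed.
set -eu

HOST="myhost.myserver.com"      # assumed host name, matching the answer above
WORK="${WORK:-$(mktemp -d)}"    # scratch directory constructed for this example

# Step 1: the command from the answer. The -keyout file is the server's
# private key; it is created here and never leaves this machine.
make_key_and_csr() {
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
        -subj "/CN=$HOST" 2>/dev/null
}

# Step 2: stand-in for "Retrieve Certificate". StartCom would sign the CSR;
# here the CSR is self-signed so the example runs offline. The resulting .pem
# plays the role of SSLCertificateFile (assumption: a real deployment uses
# the CA-issued certificate instead).
issue_stand_in_cert() {
    openssl x509 -req -days 30 -in "$WORK/$HOST.csr" \
        -signkey "$WORK/$HOST.key" -out "$WORK/$HOST.pem" 2>/dev/null
}

# A freshly generated key unrelated to the certificate: the "wrong key file"
# situation the answer describes (for instance the S/MIME key from the .p12).
make_unrelated_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrong.key" 2>/dev/null
}

# Step 3: the check to run before editing default-ssl. Derive the public key
# from the certificate and from the private key; they match only if the key
# is the one that signed the CSR. Returns 0 on match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 4: the four directives, pointing at the files produced here. The two
# CA files come from StartCom's download page, so they are named, not created.
print_default_ssl() {
    cat <<EOF
SSLCertificateFile      /etc/ssl/certs/$HOST.pem
SSLCertificateKeyFile   /etc/ssl/private/$HOST.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile    /etc/ssl/certs/startcom-ca.pem
EOF
}

main() {
    make_key_and_csr
    issue_stand_in_cert
    make_unrelated_key
    if cert_matches_key "$WORK/$HOST.pem" "$WORK/$HOST.key"; then
        echo "OK: $HOST.key is the private key for $HOST.pem"
    fi
    if ! cert_matches_key "$WORK/$HOST.pem" "$WORK/wrong.key"; then
        echo "Mismatch: wrong.key does not belong to $HOST.pem; Apache would refuse to start"
    fi
    print_default_ssl
}

main
```

Run it as `sh check-ssl-files.sh`; to test your own files instead, source the script and call `cert_matches_key /path/to/server.pem /path/to/server.key`. Apache performs the same key/certificate match when it starts, so this check reproduces, ahead of time, the error you would otherwise see in the error log.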
IvanRaide wrote:
Seeing the above working for morsedl I decided to try it as well (but am much less qualified I believe to actually accomplish it).
I got an express cert from StartSSL, which was a p12 file. I noticed that all the apache2 ssl settings required pem files in the examples above, so I ran the following...
openssl pkcs12 -in StartSSL.p12 -out StartSSL.pem -nodes