Howto set up SSL with a real certificate from CAcert on Linux
This Howto describes setting up SSL certificates on a SuSE Linux box; it may be helpful for most other Linux distributions as well.
It assumes that you:
- want a real (signed) SSL certificate
- want it for free
- are not too picky about security (we will not use a passphrase for the private key, so if your server is hacked your key may be stolen)
Essentially you run a root server, want to get rid of the browser warnings for your users and prefer it free (beer+speech).
This Howto does not explain how to self-sign a certificate; we think CAcert is better than self-signing and almost as simple.
Steps:
(Note: in all steps replace "example.com" with your own domain!)
- Surf to CAcert, create an account and log in
- On CAcert, add your domain (e.g. example.com)
- On your Linux box, generate a Certificate Signing Request (CSR):
  - as root, go to the directory /etc/ssl
  - make a new directory (name it after your domain) and chmod it to 0700
  - cd into that directory and run
    openssl req -nodes -new -keyout private.key -out server.csr
  IMPORTANT: your Common Name MUST look like *.example.com (use your own domain); the other fields are more or less optional
- On CAcert, make a new Server Certificate and paste the contents of the server.csr file into the box
- your certificate will get mailed back to you; store it in a file called server.crt (in /etc/ssl/example.com)
- In your httpd.conf, add/edit the lines:
  SSLCertificateFile /etc/ssl/example.com/server.crt
  SSLCertificateKeyFile /etc/ssl/example.com/private.key
- now restart Apache and check your logs to see if everything went OK
- your browser clients will still complain, because they do not have the CAcert root certificate (your certification authority) installed. To fix this, tell all your users to surf to http://wiki.cacert.org/ImportRootCert and follow the instructions. They have instructions for other OSs and browsers too.
- If you use stunnel for POP and IMAP, do the following:
  - in /etc/ssl/example.com:
    cp private.key stunnel.pem
    cat server.crt >> stunnel.pem
  - in /etc/ssl/certs:
    wget http://www.cacert.org/certs/root.crt -O cacert.pem
    then add a hash softlink for cacert.pem:
    openssl x509 -noout -hash -in cacert.pem
    this will give you a hash value; create a softlink to cacert.pem named after that value with .0 appended:
    ln -s cacert.pem hashvalue.0
  - add the following lines to your /etc/stunnel/stunnel.conf:
    CApath = /etc/ssl/certs
    CAfile = /etc/ssl/certs/cacert.pem
    # our private and signed certificate
    cert = /etc/ssl/example.com/stunnel.pem
    key = /etc/ssl/example.com/stunnel.pem
- if you start stunnel in a chroot jail, you have to edit the startup script /etc/init.d/stunnel so that it copies all the certificate files mentioned in stunnel.conf into your chroot directory (/var/lib/stunnel)
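The CSR step and the stunnel steps above, scripted as an added example (this is not part of the original Howto). It assumes the openssl command is in PATH, takes the target directory as an argument so you can dry-run it somewhere other than /etc/ssl, and expects the CAcert-issued server.crt to be in place before the stunnel.pem is built. The -subj option replaces the interactive questions, and check_csr_cn lets you confirm the wildcard Common Name before pasting the CSR into CAcert; verify_chain runs the same hash-link lookup a client with CApath would, so a missing or wrong hash link shows up before you restart stunnel.

```shell
#!/bin/sh
# Added example: the Howto's CSR and stunnel steps as shell functions.
# Assumes: openssl in PATH; DIR is the per-domain directory (the Howto uses
# /etc/ssl/example.com); server.crt is the certificate CAcert mailed back.

# make_cert_dir DIR: per-domain directory readable by root only (chmod 0700)
make_cert_dir() {
    mkdir -p "$1" && chmod 0700 "$1"
}

# gen_csr DIR DOMAIN: unencrypted key (-nodes, as in the Howto) and a CSR
# whose Common Name is the wildcard *.DOMAIN; -subj makes it non-interactive
gen_csr() {
    openssl req -nodes -new -newkey rsa:2048 \
        -keyout "$1/private.key" -out "$1/server.csr" \
        -subj "/CN=*.$2" >/dev/null 2>&1 || return 1
    chmod 0600 "$1/private.key"
}

# check_csr_cn DIR DOMAIN: returns 0 when the CSR carries CN=*.DOMAIN,
# 1 otherwise; run it before pasting the CSR into CAcert
check_csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1/server.csr" \
        | grep -qF "CN=*.$2"
}

# build_stunnel_pem DIR: private key followed by the signed certificate,
# the same order the Howto's cp/cat produce; key material stays mode 0600
build_stunnel_pem() {
    cat "$1/private.key" "$1/server.crt" > "$1/stunnel.pem" || return 1
    chmod 0600 "$1/stunnel.pem"
}

# link_ca_hash CERTSDIR PEMFILE: create the <subject-hash>.0 symlink that
# CApath lookups need (what the Howto does by hand); prints the hash
link_ca_hash() {
    subj_hash=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    ln -sf "$2" "$1/$subj_hash.0"
    echo "$subj_hash"
}

# verify_chain CERTSDIR SERVERCRT: the check a client performs; succeeds
# only if SERVERCRT chains to a CA found through the hash links in CERTSDIR
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Run directly as:  sh thisfile.sh example.com /tmp/ssl-test
# (with no arguments the functions are only defined, e.g. for sourcing)
if [ $# -eq 2 ]; then
    make_cert_dir "$2/$1" && gen_csr "$2/$1" "$1" && check_csr_cn "$2/$1" "$1" \
        && echo "CSR ready: paste $2/$1/server.csr into CAcert"
fi
```

After the certificate arrives, call build_stunnel_pem on the domain directory and link_ca_hash on /etc/ssl/certs with the downloaded cacert.pem; verify_chain /etc/ssl/certs /etc/ssl/example.com/server.crt should then report success before you restart stunnel.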
Done!