I received my postal-mail validation code from StartSSL over the weekend. I got around to confirming my identity on-line (after three tries), and have now made my first "Class 2" certificate with multiple domain names. Of course, now it's on me to get the server configured and tweak everyone to start using SSL for the sites.
The mail took a few days longer than the 5-7 promised, but I put that on the postal carriers, including probably mostly the international travel it needed to do. I understand StartSSL has offices in the US, and they probably would find less expensive and faster throughput if they used in-country post, but they may not have offices in every country for which they do this, and it would probably cause internal management changes that would be considerable.
Not to ruffle feathers, but I'd also like to point out that, as I mentioned before, this merely validates that my address is correct. I know they have their reasons for all of the trouble with the phone numbers that caused me to wait for this postal mail, but now they have proof that I've received mail at an address I provided, with a copy of a photo ID with that address, and another photo ID with the same name and person (different photo, but obviously the same person if you could see them both) but no address. While in this case I am the person in those photos, their validation process still only confirms the address and possession of two other forms of ID that match. Still, it worked, and I'm now "Class 2" verified.
The message came with a brief note, and a couple of keys to type into their website. I hit the site and entered the key; it's a pretty long, probably random string of ASCII (thanks for that, sincerely) alpha-numeric characters that I double-checked before submitting. I did it again, and then again before it worked. Maybe they're trying to engage some persistence, too, but I was in. The site told me they needed to review my submission one more time and that I'd get a message in some head-shaking amount of time.
A few minutes later I received an e-mail confirming my acceptance.
I started jumping on my first "Class 2" certificate. I'd planned, as I mentioned before, to try to add SSL to some of the virtual hosts on my server. Nothing big to see or protect there, just stuff like this blog (although astute readers will notice this site uses SSL). Mostly it's a way to dork around with SAN certificates and Apache configurations with Server Name Indicator (SNI) in SSL on Apache.
As I started jumping in, I realized that while I had an abstract plan, I didn't have a good concrete one. I wasn't even exactly sure which sub-domains existed for the domains I wanted to do this with. I'm sure not all of them are in use, but I don't know if that should matter. I grabbed three families of domains, two with subdomains, a third just to mess with, and created a certificate request with them in there, and then made the SSL request.
I was told the certificate would need to be reviewed, and that it could take a few days to process.
A few minutes later I received an e-mail confirming the certificate.
I've retrieved the certificate and put it on the server. Now I've got to tweak the server's virtual host settings and play with the SNI parts (and remove some old domains that are listed still in the HTTPD configuration file...). I'm hoping to get this done both before the old certificate expires (another impetus for doing all of this) and before StartSSL starts sending me the "we notice you're not using our certificate yet" messages that I've gotten in the past when I took my time implementing them.