

SSL Server Certs for client servers

We get our SSL certs from StartCom via a level2 personal validation.

Certs cover:

servername.country.afternet.org
*.afternet.org
afternet.org (built in by StartCom)

Then you decrypt the key (this removes the passphrase):

openssl rsa -in ssl.key -out ssl.key

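Then the key and certs must be combined into a .pem file. We originally used the full StartCom intermediate bundle plus the CA cert:

cat server.key server.crt startcom-ca-bundle.pem startcom-ca.pem > ircd.pem

We now use only the class2 sub cert (see Lessons Learned):

cat server.key server.crt startcom-sub.class2.server.ca.pem > ircd.pem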

Lessons Learned

  • GnuTLS defaults to accepting only 16 intermediate certs, and the StartCom intermediate bundle has 18, so it breaks. We really only need the one class2 sub cert, so we switched to that.
  • The CA cert is not needed and causes a warning (self signed certificate in chain) in some cases, so we removed it.
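
A pre-deployment check for the combined ircd.pem, covering the decrypt step and both lessons above. This is an added example, not part of the original page or of any Afternet tooling. The function names are hypothetical, the limit of 16 is the figure reported above, and "issuer equals subject" is a structural heuristic for a self-signed cert, not a signature verification.

```python
import base64, re, sys

GNUTLS_MAX_CERTS = 16  # limit reported in this page's Lessons Learned
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(der, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 6:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:          # optional explicit [0] version field
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]

def audit_pem(text):
    """Return findings for a combined key + certificate PEM such as ircd.pem."""
    blocks = PEM_BLOCK.findall(text)
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected 1 private key, found {len(keys)}")
    for label, body in keys:
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is still passphrase-encrypted")
    if len(certs) > GNUTLS_MAX_CERTS:
        findings.append(f"{len(certs)} certificates exceed the GnuTLS limit of {GNUTLS_MAX_CERTS}")
    for i, body in enumerate(certs, 1):
        issuer, subject = issuer_and_subject(base64.b64decode("".join(body.split())))
        if issuer == subject:  # self-issued: a root CA (or self-signed leaf)
            findings.append(f"certificate {i} is self-issued (issuer equals subject)")
    return findings

if __name__ == "__main__":
    for line in audit_pem(open(sys.argv[1]).read()) or ["ok"]:
        print(line)
```

Run it as a script with the path to ircd.pem as the only argument; it prints "ok" when there are no findings.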