I never used CAcert, so the following is not guaranteed to work.
CAcert is just another Certification Authority, and in order to obtain server/service certificates, you need to generate a .csr file (i.e. a Certificate Signing Request) and upload it to CAcert.
I would generate it using OpenSSL; however, the link given above shows other options.
Code:
# create a server.csr using a private key that is protected by a password
$ openssl genrsa -aes256 -out server.key 2048
$ openssl req -new -key server.key -out server.csr
# create a service.csr using a private key without password protection
$ openssl genrsa -out service.key 2048
$ openssl req -new -key service.key -out service.csr
The .key files are your private keys, and I guess these are what you are looking for.
I usually create a generic server.csr for the second-level domain, e.g. CN=mydom.net, and a service.csr for wildcard third-level domains, CN=*.mydom.net. The respective .crt files obtained from the CA are then server.crt and service.crt.
Note that service.crt is valid for all of the sub-domains, e.g. www.mydom.net, mail.mydom.net, svn.mydom.net, etc., while server.crt is only valid for the exact domain that has been entered as Common Name (CN). This is my habit and not even a recommendation. Just make sure that the CN matches your domains, either exactly or by utilizing wildcards, otherwise the clients will error out.
In any case, you need to store the certificate of the CA, either that of CAcert or that of your own CA, in the certificate store of your clients. And once you have arrived at that point, there is technically no difference at all whether you obtained the certificates from your own CA or from CAcert.
Nowadays, I tend to trust only my own CAs and certificates. My whole life, I laughed about the tin foil heads; however, for the time being, I have started to be more careful, especially after General Alexander stated that the NSA is happily doing everything that is technically feasible (because everybody else is doing it also). CAcert is based in Australia, which is one of the preferred partners of the NSA, and for sure it is technically feasible to compromise the certificate chain by way of manipulating the Certification Authority.
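As an added illustration of the name matching described in the post above (not the poster's code and not anything CAcert provides), the following Python checks which of the two certificates covers a given host name before a client connects. It assumes the client applies the usual RFC 6125 wildcard rules; `name_matches`, `covering_certs` and the `CERTS` inventory are hypothetical names, and the inventory is constructed from the post's mydom.net example.

```python
# Added example: file and domain names are taken from the post; the matching
# rules are the common RFC 6125 ones (an assumption about the client).

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must agree.
    if len(pattern) != len(host) or "" in pattern or "" in host:
        return False
    if any("*" in label for label in pattern[1:]):
        return False  # a wildcard is only accepted as the leftmost label
    if pattern[0] == "*":
        # Require two fixed labels after the wildcard so "*.net" is rejected.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False  # partial wildcards such as "w*" are not accepted here
    return pattern == host


def covering_certs(certs: dict, hostname: str) -> list:
    """List the certificate files whose names cover hostname."""
    return sorted(cert_file for cert_file, names in certs.items()
                  if any(name_matches(n, hostname) for n in names))


# Constructed inventory mirroring the post's two certificates.
CERTS = {"server.crt": ["mydom.net"], "service.crt": ["*.mydom.net"]}

if __name__ == "__main__":
    for h in ["mydom.net", "www.mydom.net", "mail.mydom.net",
              "a.b.mydom.net", "mydom.net.example.org"]:
        hits = covering_certs(CERTS, h)
        print(f"{h:24} -> {hits or 'no certificate matches'}")
```

Under these rules the wildcard certificate covers neither the bare domain nor names two levels down such as a.b.mydom.net, so each of those needs its own certificate or name entry.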