If you want to secure your site with a certificate that you obtained from a third party for one or more aliases of your site (like example.com and/or www.example.com), that's very straightforward. You will typically need three things, each in PEM format:
- A private key (usually generated by you)
- A matching certificate (generated by the certificate authority)
- One or more intermediate ("chain") certificates (provided by the certificate authority, possibly as a choice of several with the expectation that you will magically know which one is correct)
First, you can set it up from our website. To do that:
- Go to the Site Information panel for your site.
- Select the "Upload TLS Files" action in the Action Box.
- Paste the PEM-format key, certificate, and intermediate certificates into the text box.
- Select the "Set TLS" button.
Alternatively, you can set it up from the command line. To do that:
- Make sure all three files are present on your site.
- Run a command similar to: cat privkey.pem cert.pem chain.pem | nfsn -i set-tls
In either case, you will see the results of processing the files you submit, and if the processing is successful, it will take effect within about 5 minutes. Applying TLS files is done on a per-alias basis, so if you have multiple aliases secured by different certificates, that is no problem and they will not overwrite each other.
It's also fine if you include extra intermediate certificates or put things in the wrong order; unlike humans, our system can read the files, and will do its best to figure it out for you and assemble (only) the proper ones in the proper order to get things working.
If you need to generate a key and CSR to get a certificate from a third-party certificate authority, you can do that from the command line:
- Generate a key by running a command similar to the following:
  openssl genrsa -out /home/protected/ssl/www.example.com.key 2048
- Generate a certificate signing request (CSR) from your key, by running a command similar to the following:
  openssl req -new -sha256 -key /home/protected/ssl/www.example.com.key -out www.example.com.csr
- Using your CSR, obtain a certificate for your site from the certificate authority of your choice.
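Before uploading, you can confirm that the certificate the authority returned really matches your private key (and the CSR you sent) by comparing their public keys. The script below is an added example, not part of our tooling; the function names are hypothetical, and the files it checks are throwaway samples it constructs itself, with a self-signed certificate standing in for the one an authority would issue.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of any real tool.

# Print the SHA-256 digest of the public key found in a PEM file.
# $1 = kind of file (key, csr or cert), $2 = path to the file
pubkey_digest() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # an unreadable file must never count as a match
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if every kind:path argument carries the same public key.
same_public_key() {
    ref=""
    for item in "$@"; do
        digest=$(pubkey_digest "${item%%:*}" "${item#*:}") || return 1
        ref=${ref:-$digest}
        [ "$digest" = "$ref" ] || return 1
    done
}

# Constructed sample data: two throwaway keys, a CSR, and a self-signed
# certificate made from the first key.
demo() {
    dir=$(mktemp -d) || return 1
    subj="/CN=www.example.com"
    openssl genrsa -out "$dir/site.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/site.key" -subj "$subj" -out "$dir/site.csr"
    openssl req -new -x509 -sha256 -days 1 -key "$dir/site.key" -subj "$subj" \
        -out "$dir/site.crt"
    same_public_key "key:$dir/site.key" "csr:$dir/site.csr" "cert:$dir/site.crt" \
        && echo "site.key, site.csr and site.crt match"
    same_public_key "key:$dir/other.key" "cert:$dir/site.crt" \
        || echo "other.key does not match site.crt"
    rm -rf "$dir"
}
demo
```

For a file holding several certificates, openssl x509 reads only the first one, so point the check at the file containing your site's own certificate rather than the chain.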