Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ (*)

Our Service (*)

Q. How do I set up TLS using my own key and a third-party certificate?

If you want to secure your site with a certificate that you obtained from a third party for one or more aliases of your site (like and/or, that's very straightforward. You will typically need three things, each in PEM format:

These will typically be provided in PEM format, frequently with one file for each item. Once you have all three things, there are two very different ways to load them into our system.

First, you can set it up from our website. To do that:

  1. Go to the Site Information panel for your site.
  2. Select the "Upload TLS Files" action in the Action Box.
  3. Paste the PEM-format key, certificate, and intermediate certificates into the text box.
  4. Select the "Set TLS" button.

Alternatively, you can set it up from the command line. To do that:

  1. Make sure all three files are present on your site.
  2. Run a command similar to: cat privkey.pem cert.pem chain.pem | nfsn -i set-tls

In either case, you will see the results of processing the files you submit, and if the processing is successful, it will take effect within about 5 minutes. Applying TLS files is done on a per-alias basis, so if you have multiple aliases secured by different certificates, that is no problem and they will not overwrite each other.

It's also fine if you include extra intermediate certificates or put things in the wrong order; unlike humans, our system can read the files, and will do its best to figure it out for you and assemble (only) the proper ones in the proper order to get things working.

If you need to generate a key and CSR to get a certificate from a third-party certificate authority, you can do that from the command line:

  1. Generate a key by running a command similar to the following:
    • openssl genrsa -out /home/protected/ssl/ 2048
  2. Generate a certificate signing request (CSR) from your key, by running a command similar to the following:
    • openssl req -new -sha256 -key -out
  3. Using your CSR, obtain a certificate for your site from the certificate authority of your choice.