TLS is supported by default for the .nfshost.com name for all newly-created sites (e.g. example.nfshost.com), and can be enabled for older sites from the Site Information panel for that site in our member interface.
For custom aliases, such as www.example.com, you will need a key, a certificate, and (usually) a certificate chain. If you have these already, you can install them through the shell or the member interface, whichever you prefer.
If you don't already have a certificate provider, the most popular option is Let's Encrypt, a free service. The easiest way to use Let's Encrypt certificates is to:
- Start an interactive ssh session to our system.
- Run the tls-setup.sh script from that session.
In most cases, that will set up everything related to TLS for your site using Let's Encrypt certificates, including automatic renewal.
This script handles the most straightforward, most common cases. If your site uses custom web daemons or custom access controls, the automatic scripts may not work for you. For such cases, we provide the dehydrated ACME client; it provides hooks to install and clean up challenges that you can use to interface with whatever you're doing.
tls-setup.sh requires an interactive setup (you have to agree to the Let's Encrypt Terms & Conditions), so you must run it from a live shell session, not via the "Run Shell Command" feature of our UI.
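For the custom-daemon case mentioned above, a minimal dehydrated hook that installs and cleans up http-01 challenge files could look like the following. This is an added example, not code from this FAQ or from the dehydrated project; the CHALLENGE_DIR path is an assumption and must point at whatever directory your daemon serves as /.well-known/acme-challenge/.

```shell
#!/bin/sh
# Added example: a dehydrated hook for http-01 challenges.
# CHALLENGE_DIR is an assumed location; point it at the directory your
# custom daemon serves as /.well-known/acme-challenge/.
CHALLENGE_DIR="${CHALLENGE_DIR:-/home/public/.well-known/acme-challenge}"

# Accept only base64url characters so a token name cannot escape the directory.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

deploy_challenge() {
    # Arguments from dehydrated: DOMAIN TOKEN_FILENAME TOKEN_VALUE
    valid_token "$2" || { echo "rejecting token name: $2" >&2; return 1; }
    mkdir -p "$CHALLENGE_DIR" || return 1
    # World-readable so the web daemon can serve it; the value is not secret.
    ( umask 022; printf '%s' "$3" > "$CHALLENGE_DIR/$2" )
}

clean_challenge() {
    # Remove the challenge file once validation has finished.
    valid_token "$2" || return 1
    rm -f "$CHALLENGE_DIR/$2"
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>
# Handlers not implemented here (deploy_cert, exit_hook, ...) are ignored.
handler="${1:-}"
case "$handler" in
    deploy_challenge|clean_challenge)
        shift
        "$handler" "$@"
        ;;
esac
```
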