Installing a Commercial SSL Server Certificate (nginx)

Since CACert still isn't "Browser Trusted", and I still don't want to use letsencrypt, I decided to give this a try. The company resides inside the European Union and is the cheapest I could find.

This was the process to get the certificate for anyone who's interested:

  1. Buy a certificate (the cheapest, called SSL DV, is enough for my website). Pay first. Get an online account.
  2. Once they see the money they let you procede to the activation process.
  3. On your server, create a certificate signing request thusly:
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    I left most fields blank, except the 2-letter country code and the "Common Name" which I set to the server FQDN:
  4. Log into their online account and locate the "Activate Certificates" page, click on "Activate", select CSR as delivery method.
  5. Paste the content of server.csr into the CSR window.
  6. Make sure the DNS Domain entry of the certificate points to your website!
  7. Verify - I chose the method "File upload verification".
  8. I received an e-mail with another link. Place a file on your server as instructed, click the link. It should work => green checkmark.
  9. Delete the files/folders used for verification.
  10. Go to "Manage certificates" and locate your now valid certificate. Download the certificate and intermediate certificates all the way down to the root certificate (the one your browser actually "trusts"). As plain text. They will have to get concatenated in the exact order they appear on the website:
    cat actual_certificate.pem domain_validation.pem trusted_network.pem root.pem > cert.chained.pem (*)
  11. Tell nginx to use your server.key (step 3.) and your cert.chained.pem (above), as explained here.
  12. Restart nginx.

That's it really.
I tested the result with this command:
openssl s_client -connect
But one can see it best in the Browser (click on the green lock).

(*) The certificate chain is explained nicely here.