Adding a TLS certificate to your NearlyFreeSpeech site

By Christian Stigen Larsen
23 Jan 2016

I recently had to renew the TLS certificate on, which is hosted on NearlyFreeSpeech (NFSN). But I had forgotten how to. So I decided to post a condensed version of the steps found here on my own site.

First I made a secret key on the NearlyFreeSpeech login server (aliased as nfsn here):

ssh nfsn
mkdir /home/protected/ssl
cd /home/protected/ssl
openssl genrsa -out 4096

Using this, I made a certificate signing request (CSR). I left most fields blank, except FQDN, which had to be

openssl req -new -sha256 -key -out

After buying the Comodo PositiveSSL certificate on NameCheap, pasting the CSR into their SSL wizard and completing the DCV verification (any method is fine), I got a ZIP-file containing the already bundled-up TLS certificate chain along with the certificate itself.

Next I copied the files over and verified them:

openssl verify -untrusted OK

Note that this process failed locally, probably because I had an older version of OpenSSL.
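
The checks worth running before the files are handed over, as an added example that is not part of the original post: it confirms that the CSR and the certificate carry the same public key as the private key, and that the certificate chains to a root through the bundle. The file names, the www.example.test name, the KEY_BITS variable and the throwaway root and intermediate CA (standing in for the commercial CA's bundle) are constructed assumptions.

```sh
#!/bin/sh
# Added example. File names and www.example.test are constructed placeholders.

# Public key (PEM) carried by a private key, a CSR, or a certificate.
pub_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# check_bundle KEY CSR CERT CHAIN ROOT: succeeds only if all parts are consistent.
check_bundle() {
    k=$(pub_key "$1") && [ -n "$k" ] || { echo "cannot read private key" >&2; return 1; }
    [ "$k" = "$(pub_csr "$2")" ]  || { echo "CSR was not made from this key" >&2; return 1; }
    [ "$k" = "$(pub_cert "$3")" ] || { echo "certificate does not match key" >&2; return 1; }
    # CHAIN is passed as -untrusted: it only helps build the path; ROOT alone is trusted.
    openssl verify -CAfile "$5" -untrusted "$4" "$3" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the root" >&2; return 1; }
}

# new_ca NAME SUBJECT [ISSUER]: throwaway CA standing in for the commercial CA.
new_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null || return 1
    if [ -n "$3" ]; then set -- "$1" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial
    else set -- "$1" -signkey "$1.key"; fi
    name=$1; shift
    openssl x509 -req -in "$name.csr" "$@" -extfile ca.ext -days 2 \
        -out "$name.crt" 2>/dev/null
}

# demo DIR: the page's key -> CSR -> verify sequence against the throwaway CA.
demo() (
    cd "$1" && echo 'basicConstraints=critical,CA:TRUE' > ca.ext &&
    new_ca root "/CN=Constructed Root" &&
    new_ca inter "/CN=Constructed Intermediate" root &&
    openssl genrsa -out site.key "${KEY_BITS:-4096}" 2>/dev/null &&
    openssl req -new -sha256 -key site.key -out site.csr -subj "/CN=www.example.test" &&
    openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -out site.crt 2>/dev/null &&
    check_bundle site.key site.csr site.crt inter.crt root.crt
)
```

Run `demo "$(mktemp -d)"` to exercise it; on real files, call `check_bundle` with your own key, CSR, certificate, the CA's bundle and the CA's root.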

The final step was to file a support request with NFSN to install the certificate, which they promptly did. Just be sure that the /home/protected/ssl directory contains all the necessary files:

By the way, if you're thinking about doing this you may want to consider trying, which give you free TLS certificates. I don't know much about them, or how many browsers support their CA, and so on, but it's worth a shot.