Adding a TLS certificate to your NearlyFreeSpeech site

By Christian Stigen Larsen
23 Jan 2016

I recently had to renew the TLS certificate on csl.name, which is hosted on NearlyFreeSpeech (NFSN). But I had forgotten how to. So I decided to post a condensed version of the steps found here on my own site.

First I made a secret key on the NearlyFreeSpeech login server (aliased as nfsn here):

ssh nfsn
mkdir /home/protected/ssl
cd /home/protected/ssl
openssl genrsa -out csl.name.key 4096

Using this, I made a certificate signing request (CSR). I left most fields blank, except FQDN, which had to be csl.name:

openssl req -new -sha256 -key csl.name.key -out csl.name.csr

After buying the Comodo PositiveSSL certificate on NameCheap, pasting the CSR into their SSL wizard and completing the DCV verification (any method is fine), I got a ZIP-file containing the already bundled-up TLS certificate chain along with the certificate itself.

Next I copied the files over and verified them:

openssl verify -untrusted csl.name.chn csl.name.crt
csl.name: OK

Note that this process failed locally, probably because I had an older version of OpenSSL.

The final step was to file a support request with NFSN to install the certificate, which they promptly did. Just be sure that the /home/protected/ssl directory contains all the necessary files:

csl.name.chn
csl.name.crt
csl.name.csr
csl.name.key

By the way, if you're thinking about doing this you may want to consider trying LetsEncrypt.org, which gives you free TLS certificates. I don't know much about them, or how many browsers support their CA, and so on, but it's worth a shot.