Namecheap has long been my vendor of choice for SSL certificates. Having purchased and installed hundreds of certificates for myself and for clients, here’s a streamlined guide:

Generate a CSR and key

openssl req -nodes -newkey rsa:2048 -keyout server.key -subj "/CN=example.com" -out server.csr 

Make sure to replace “server” with the domain for which you’re purchasing the SSL certificate. This produces two files:

  • server.key: the private key. Be sure to keep this and don’t share it with anybody.
  • server.csr: This is the certificate signing request that you will need to send to Namecheap.

Hint: On OSX, run cat server.csr | pbcopy to put the CSR in your clipboard, ready to paste into the Namecheap website.

Purchase the Certificate

I strongly recommend the PositiveSSL domain-validated certificate. It’s cheap ($9 USD) and has great browser support.

Paste the CSR

After purchasing, go to your certificates. You can also get there by selecting “Manage SSL Certificates” from the “Hi username” menu in the top navigation.

  1. Click “Activate Now” next to the certificate you have purchased.
  2. Select “nginx” as the web server.
  3. Paste the CSR you generated earlier into the text box.

It should look like this:

Pasting the CSR

Verify Domain Ownership

After hitting Next, you’ll need to select an approver email address. Namecheap will send you an email to that address to verify that you indeed own the domain:

Selecting an Approver Email Address

Select an email, hit Next, fill in your contact information, and click Submit Order.

Wait for the Verification Email

Namecheap / Comodo is now sending you an email with a validation code you must use to prove that you are the owner of the domain. You should see this sceen:

Process Summary

Once you get the email, follow the link, paste the verification code, and hit next:

{<4>}Verification Code

Package the Certificate

Namecheap / Comodo will email you a zip file containing your certificate and a handful of intermediate certificates that must be concatinated together to form the final chained certificate file you will use with Nginx.

Start by extracting the server certificate:

unzip -p server.zip server.crt > server.crt

Next, append the intermediate certificates in the correct order:

unzip -p server.zip \
  COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt \
  AddTrustExternalCARoot.crt >> server.crt

Install the Certificate

Now you should have two important files: the certificate (server.crt) and the key generated during the first step (server.key).

Copy both files to your server. I generally place them in an /etc/nginx/certs directory, as that way you can specify a relative path in your virtual host config as shown below.

Finally you’ll need to add the ssl_certificate and ssl_certificate_key directives to your Nginx virtual host. A typical setup with an HTTPS redirect will look something like this:

server {
  listen 80;
  server_name example.com;
  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 ssl;
  root /usr/share/nginx/www;
  index index.html index.htm;
  ssl_certificate certs/server.crt;
  ssl_certificate_key certs/server.key;
}

Restart your server (service nginx restart) and your HTTPS certificate will be ready to go!