Generating a certificate signing request

For my own uses I went with Comodo's PositiveSSL domain-validated certificates, so this is a quick reference to get you going if that meets your needs, including preparation for perfect forward secrecy. Check the documentation of your chosen certificate provider before generating the request: in this case, requesting www.example.com also covers example.com, but not vice versa.

openssl req -new -nodes -keyout secret.key -out request.csr -newkey rsa:4096
# dhparam generates its own parameters and never reads the RSA key, so the
# -inform/-in options served no purpose; 2048 bits because 1024-bit DH is
# no longer considered safe enough for forward secrecy.
openssl dhparam -outform pem -out whit.dhparam 2048

At the time of writing, 4096 bits is quite a bit higher than the common key size, so I'll leave adjusting the sizes to your own needs as an exercise for the reader.

Now you could take that CSR and pay full price for a certificate, but I've found Web Security Solutions' Cheap SSL Security to have very reasonable prices, and that is what I use for my own sites. Other options include SSLs.com and of course Namecheap. The one issuer I would not recommend is StartCom's StartSSL, mostly because they make their money by charging for reissuance, which was a big headache when the Heartbleed bug broke.

When you get to the point of verifying domain ownership I prefer to go the file verification route. In my case I use Nginx on Fedora, so a quick cd /usr/share/nginx/html/ on a default install and echo "HASHSTRING comodoca.com" > FILENAMEHASH.txt should get you started. If you want to be fancy you can add

location /FILENAMEHASH.txt {
    return 200 "HASHSTRING comodoca.com";
}

to your nginx config under the proper server section and skip writing out the file itself.

Once the approval comes back from Comodo, you will receive an e-mail with a zip containing your certificates, listed in an order similar to this:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - example_com.crt

To create the chain needed to set up nginx, simply follow this list in reverse and concatenate everything but the Root CA (which should already be in the end user's trusted certificate store if it is still valid) with the following command.

cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example_com.chain.crt
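To check the result of that concatenation before pointing nginx at it, here is an added shell example (my own, not code from the original post or from Comodo) that builds the chain and then verifies the order, the path up to the root, and that the issued certificate carries the public half of your secret.key. File names are positional arguments, so the Comodo names above are just what you would pass in; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the nginx chain in
# leaf-first order and verify it before deploying. Certificate and key file
# names are positional arguments, so any issuer's bundle works.

# build_chain OUT LEAF INTERMEDIATE...: leaf first, then each intermediate
# in issuing order; the root is left out on purpose.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# cert_dn subject|issuer CERT: print one DN with the "subject="/"issuer="
# prefix stripped so the two can be compared as text.
cert_dn() {
    openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# check_order CERT...: every certificate's issuer must be the next one's
# subject; catches the classic "concatenated in the wrong order" mistake
# that leaves clients unable to build a path. Exit status 0 = order is right.
check_order() {
    prev=$1; shift
    for next in "$@"; do
        [ "$(cert_dn issuer "$prev")" = "$(cert_dn subject "$next")" ] || return 1
        prev=$next
    done
}

# verify_chain ROOT CHAIN LEAF: build a path from LEAF through the untrusted
# CHAIN file to the trusted ROOT, the way a client would.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: compare the public key in the private key file
# with the one embedded in the certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage: sh chain.sh ROOT LEAF INTERMEDIATE...   (writes LEAF.chain.crt)
if [ $# -ge 2 ]; then
    root=$1; leaf=$2; shift 2
    chain=${leaf%.crt}.chain.crt
    build_chain "$chain" "$leaf" "$@"
    check_order "$leaf" "$@" "$root" || { echo "chain order is wrong" >&2; exit 1; }
    verify_chain "$root" "$chain" "$leaf" || { echo "chain does not verify" >&2; exit 1; }
    echo "wrote $chain"
fi
```

For the Comodo bundle above the call would be `sh chain.sh AddTrustExternalCARoot.crt example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt`, followed by `key_matches_cert secret.key example_com.crt` if you source the file.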

Regardless of which certificate provider you go with, be sure to test your setup with something like Qualys SSL Labs' Server Test, which gives an excellent breakdown of your current configuration.

Waldo
