Create SSL Certificate


These instructions relate to manually obtained SSL certificates. To use Let's Encrypt certificates, see Obtain and configure ssl certificate on nginx with letsencrypt

To install an SSL certificate, see Install SSL Certificate


To validate the domain name, you will need to receive an email. If you are not using Google Mail, then set up Mailgun by following the instructions in Mailgun

We use two companies for SSL certificates, and StartSSL. The certificates from StartSSL are free, but the web site is complicated to use.

Create a domain folder within the ssl-cert folder e.g. Site - Configuration. Run the following commands in that folder.


When using the Common Name must include the www i.e. rather than

Generate your certificate request and private key:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Devon
Locality Name (eg, city) []:Okehampton
Organization Name (eg, company) [Internet Widgits Pty Ltd]
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Country code for the UK is GB


Do not enter the email address, challenge password or optional company name. Just press Enter to leave each of them blank.

This process will generate two files, server.csr (the certificate request) and server.key (the private key).

Use the certificate request (server.csr) file to request a certificate from

Confirm Domain ownership by receiving an email - choose

When the certificate is approved, you will be sent an email containing a couple of certificates.

Copy the Web Server CERTIFICATE into a file called ssl.crt. The certificate is the text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Copy the INTERMEDIATE CA into a file called intermediate.crt. The certificate is the text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Concatenate the two certificates to create a unified certificate:

cat ssl.crt intermediate.crt > ssl-unified.crt



Instructions for are similar. See the section above for instructions on generating a certificate request.

Using, enter the Validations Wizard and choose Domain Validation, enter the Domain Name, select a Verification Email and then enter the verification code sent to the selected email address.

Enter the Certificates Wizard, select Web Server SSL/TLS Certificate, then click Continue.

Add both the and into the top box:


Paste the contents of server.csr into the bottom box. The request is the whole file starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.

Click Submit, then Certificate List, then click Retrieve for the appropriate common name (

Extract from the downloaded file into the ssl-cert folder.

Extract 1_example.net_bundle.crt from the and rename it ssl-unified.crt


To copy the certificate to the server, refer to the Install SSL Certificate notes…


To make sure your certificate matches the private key:

openssl x509 -noout -modulus -in ssl.crt
openssl req -noout -modulus -in server.csr
openssl rsa -noout -modulus -in server.key
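The three commands above print a 512-character hex modulus each, which is awkward to compare by eye. The script below is an added example, not part of the original page or of any project's own tooling: it hashes each modulus and compares the digests, and its demo builds a key and CSR in batch mode (with a constructed subject), self-signs a certificate from them, and checks that an unrelated key is reported as a mismatch. It assumes openssl and mktemp are installed; the file names follow the page.

```shell
#!/bin/sh
# Added example: verify that ssl.crt, server.csr and server.key share one RSA
# modulus, comparing SHA-256 digests of the modulus instead of raw hex strings.
# Assumes openssl is installed. This check only applies to RSA keys.

# Print the SHA-256 digest of the modulus of a PEM object.
# $1 is the openssl subcommand (x509, req or rsa), $2 the file.
modulus_hash() {
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Return 0 if certificate, CSR and key all match, 1 otherwise, printing the digests.
check_key_matches() {
    crt=$1; csr=$2; key=$3
    h_crt=$(modulus_hash x509 "$crt")
    h_csr=$(modulus_hash req "$csr")
    h_key=$(modulus_hash rsa "$key")
    printf 'cert %s\ncsr  %s\nkey  %s\n' "$h_crt" "$h_csr" "$h_key"
    [ "$h_crt" = "$h_csr" ] && [ "$h_crt" = "$h_key" ]
}

# Self-contained demo with constructed data: generate key + CSR the way the page
# does (batch mode via -subj), self-sign a certificate from the CSR, then run the
# check once against the right key and once against an unrelated key.
demo() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj '/C=GB/ST=Devon/L=Okehampton/CN=www.example.net' 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days 1 \
        -out "$dir/ssl.crt" 2>/dev/null
    if check_key_matches "$dir/ssl.crt" "$dir/server.csr" "$dir/server.key" >/dev/null; then
        a=match
    else
        a=mismatch
    fi
    # A second, unrelated private key must be detected as a mismatch.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    if check_key_matches "$dir/ssl.crt" "$dir/server.csr" "$dir/other.key" >/dev/null; then
        b=match
    else
        b=mismatch
    fi
    rm -rf "$dir"
    echo "$a $b"   # prints: match mismatch
}

# Usage on real files: check_key_matches ssl.crt server.csr server.key
demo
```

Run `check_key_matches ssl.crt server.csr server.key` in the domain folder; a non-zero exit means the certificate was issued for a different key than the one on disk, which is worth catching before the certificate is copied to the server.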


The nginx log showed:

Starting nginx:
nginx: [emerg] SSL_CTX_use_certificate_chain_file("/srv/ssl/")
failed (SSL: error:0906D066:PEM
routines:PEM_read_bio:bad end line error:140DC009:SSL
routines:SSL_CTX_use_certificate_chain_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

This was an issue with the line breaks in the concatenated files.

They looked thus:


and it should have looked like this:


To achieve this we added a blank line to the ssl.crt file, re-concatenated, used fab ssl to place the new file on the server and then restarted nginx with service nginx restart on the server as root.

For further help solving this issue, see Fixing PEM routines:PEM_read_bio:bad end line error.
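The error arises when the first file has no trailing newline, so cat glues -----END CERTIFICATE----- and the next -----BEGIN CERTIFICATE----- onto one line. The script below is an added example, not code from the original page: it reproduces the failure with two constructed self-signed certificates (the second standing in for the intermediate CA), repairs an already broken bundle, and shows a concatenation that cannot produce the problem in the first place. It assumes openssl and mktemp are installed; file names follow the page.

```shell
#!/bin/sh
# Added example: reproduce and repair the "PEM_read_bio:bad end line" bundle.
# Assumes openssl is installed; certificates are constructed throwaway data.

# Create a throwaway self-signed certificate for CN $1 at path $2 (test data only).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" -days 1 \
        -subj "/CN=$1" 2>/dev/null
}

# Count how many certificates openssl can actually parse out of a PEM bundle.
# crl2pkcs7 reads every cert in the file into a PKCS#7 blob; pkcs7 -print_certs
# lists one "subject=" line per certificate. A glued END/BEGIN line yields 0.
parsed_cert_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null | grep -c '^subject='
}

# Repair a bundle whose END and BEGIN markers were glued onto one line.
fix_pem_bundle() {
    awk '{ gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
                "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----"); print }' "$1"
}

# Safe replacement for "cat ssl.crt intermediate.crt": awk prints every record
# with its own newline, so a missing final newline in ssl.crt cannot glue the files.
safe_concat() {
    awk 1 "$1" "$2"
}

# Demo: build ssl.crt without a trailing newline, concatenate it the way the page
# did, count what openssl can parse, then repair it and use safe_concat instead.
demo() {
    dir=$(mktemp -d)
    make_selfsigned www.example.net "$dir/ssl.crt"
    make_selfsigned "Example Intermediate CA" "$dir/intermediate.crt"
    # $(cat ...) drops trailing newlines, giving the badly exported file from the page.
    printf '%s' "$(cat "$dir/ssl.crt")" > "$dir/ssl-noeol.crt"
    cat "$dir/ssl-noeol.crt" "$dir/intermediate.crt" > "$dir/broken.crt"
    broken=$(parsed_cert_count "$dir/broken.crt")
    fix_pem_bundle "$dir/broken.crt" > "$dir/fixed.crt"
    fixed=$(parsed_cert_count "$dir/fixed.crt")
    safe_concat "$dir/ssl-noeol.crt" "$dir/intermediate.crt" > "$dir/ssl-unified.crt"
    safe=$(parsed_cert_count "$dir/ssl-unified.crt")
    rm -rf "$dir"
    echo "$broken $fixed $safe"   # prints: 0 2 2
}

demo
```

Before copying ssl-unified.crt to the server, `parsed_cert_count ssl-unified.crt` should equal the number of certificates you concatenated (two here); anything less means nginx will fail with the same error at startup.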