Get Your Certificate Signing Request (CSR)
From Amazon Linux:
openssl req -new -key <domain>.<tld>.key -out <domain>.<tld>.csr
Buy Your Certificate
From Name.com, purchase a cert for either a wildcard or single-host fully-qualified domain name. It must match the domain identifier <domain>.<tld> used when creating your CSR.
You’ll need the contents of the .csr file and private key you created above.
Install Your Certificate
It may take 2-5 business days to get your domain ownership validated and receive your certificate if this is not a renewal. Check back at Name.com to obtain your certificate. When it is ready, Name.com will bring you to a page showing the 3 parts needed to validate the certificate: the Server Certificate, the CA Certificate, and the Root Certificate.
All 3 of these must appear in the crt file you are about to create. The crt file is known as a “chained certificate”, which includes the content of all 3 certificates concatenated in a single file. Each certificate is validated by the one below it, so your server certificate goes on top, validated by the Certificate Authority (CA) certificate, which is validated by a root certificate.
From Amazon Linux
Paste in the contents of the certificates provided by Name.com in the order provided.
You will end up with a file that has 3 begin/end certificate sections.
You can, and should, delete your .csr file at this point.
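An added example (not part of the original page): a shell script that checks the chained crt file before nginx uses it. It counts the certificate sections, confirms the order is server, CA, root by comparing each issuer with the next subject, and confirms the private key matches the server certificate. The function names and the throwaway demo chain are constructed for illustration.

```shell
# Added example, not from the original page; function names are illustrative.

# Number of PEM certificates in the bundle (this page expects 3).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if each certificate's issuer is the subject of the next one
# in the file: server certificate first, then CA, then root.
chain_order_ok() {
    n=$(count_certs "$1"); [ "$n" -gt 0 ] || return 1
    dir=$(mktemp -d) || return 2; i=1; rc=0
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { k++ }
                     k { print > (d "/" k ".pem") }' "$1"
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null)
        sub=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"; return "$rc"
}

# Succeeds only if private key $1 matches the first certificate in bundle $2.
key_matches_cert() {
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample input: issue <dir> <name> <signer> <CN>, then a
# throwaway root -> CA -> server chain concatenated in the page's order.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/$3.crt" \
        -CAkey "$1/$3.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    issue "$1" ca root "Demo CA" && issue "$1" leaf ca demo.example &&
        cat "$1/leaf.crt" "$1/ca.crt" "$1/root.crt" > "$1/chained.crt"
}

# Usage: sh check_chain.sh <domain>.<tld>.key <domain>.<tld>.crt
if [ "$#" -eq 2 ]; then
    echo "certificates: $(count_certs "$2")"
    chain_order_ok "$2" && echo "order: ok" || echo "order: WRONG"
    key_matches_cert "$1" "$2" && echo "key: matches" || echo "key: MISMATCH"
fi
```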
If you haven’t done so already, you’ll need to edit your website configuration at /etc/nginx/sites-available/<domain>.<tld> and create an SSL certificate snippet that tells the web server where to find your SSL certificate for that site.
The snippet in /etc/nginx/snippets/<domain>.<tld>.conf will look something like this:
Your site config file for nginx will be similar to this:
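server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name <domain>.<tld> *.<domain>.<tld>;
    index index.php index.html index.htm;
    # Assumed here: pull in the SSL certificate snippet described above
    include /etc/nginx/snippets/<domain>.<tld>.conf;
}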
Restart your nginx server.
service nginx restart ; service php7.0-fpm restart