Test your current score here: https://www.ssllabs.com/ssltest/
You must have a certificate issued by a trusted certification authority.
These authorities issue certificates for free, and I have tested them myself:
- Let's Encrypt - I strongly encourage you to go with them, unless you need a higher-grade certificate;
- WoSign - their certificates are no longer trusted by browsers.

```sh
export HOST=domain.com # replace with your own domain
openssl genrsa -out "$HOST-key.pem" 2048 # generate the private key; keep this file secret
openssl req -new -key "$HOST-key.pem" -out "$HOST.csr" # create the Certificate Signing Request
openssl req -text -noout -verify -in "$HOST.csr" # see what's inside the Certificate Signing Request
cat "$HOST.csr" # pass the contents of this file to your certification authority
```

See attached files
You may also want to submit your domain to be included in the HSTS preload list. See https://hstspreload.appspot.com
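
Before submitting, it helps to confirm that the header your server sends meets the preload list's header requirements: `max-age` of at least 31536000 seconds (one year), `includeSubDomains`, and `preload`. The following is an added example, not part of the original write-up; the function name `hsts_preload_check` and the sample header values are made up for illustration.

```shell
#!/bin/sh
# Added example: check a Strict-Transport-Security header value against the
# HSTS preload list's header requirements. Hypothetical helper, POSIX sh.
#
# To get the value your server actually sends (needs network access):
#   curl -sI "https://$HOST" | grep -i '^strict-transport-security:'
#
# Usage: hsts_preload_check 'HEADER VALUE'
# Prints one line per unmet requirement; exit status 0 only if all are met.
hsts_preload_check() (
    # Body runs in a subshell, so the IFS and "set -f" changes do not leak.
    min_age=31536000   # one year, in seconds
    # Directive names are case-insensitive; whitespace around them is optional.
    value=$(printf '%s' "$1" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    max_age="" sub=no preload=no rc=0

    IFS=';'; set -f    # split on ';' without globbing
    for d in $value; do
        case $d in
            max-age=*)
                max_age=${d#max-age=}
                # RFC 6797 also allows a quoted value: max-age="31536000"
                max_age=${max_age#\"}; max_age=${max_age%\"} ;;
            includesubdomains) sub=yes ;;
            preload)           preload=yes ;;
        esac
    done

    case $max_age in
        ''|*[!0-9]*)
            echo "FAIL: max-age missing or not a number"; rc=1 ;;
        *)
            [ "$max_age" -ge "$min_age" ] ||
                { echo "FAIL: max-age=$max_age is below $min_age"; rc=1; } ;;
    esac
    [ "$sub" = yes ]     || { echo "FAIL: includeSubDomains missing"; rc=1; }
    [ "$preload" = yes ] || { echo "FAIL: preload missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: header meets the preload requirements"
    exit "$rc"
)

# Constructed sample values (not taken from any real site).
hsts_preload_check 'max-age=63072000; includeSubDomains; preload'
hsts_preload_check 'max-age=15768000; includeSubDomains' || true
```

The check covers the header only; the preload list also expects a valid certificate and an HTTP to HTTPS redirect, which the SSL Labs test and the submission site verify.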