When you order an SSL certificate from Comodo or InstantSSL, you will receive an email with your certificate. Here’s how to configure nginx to use that certificate for SSL and TLS.

Attached to this email you should find a .zip file containing:

Root CA certificate:
Intermediate CA certificate
Intermediate CA certificate
Intermediate CA certificate
Your SSL certificate

In order to use those with nginx, you need to concatenate all these files in the correct order, as follows:

cat example_net.crt \
EssentialSSLCA_2.crt \
ComodoUTNSGCCA.crt \
UTNAddTrustSGCCA.crt \
AddTrustExternalCARoot.crt > example_net-bundle.crt

The directives to be used in the server section of the nginx.conf file are along these lines:

listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/cert/example_net-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/key/example_net.key;

If the order of the certificates is incorrect, things might seem to work just fine in recent versions of Safari, Chrome and Firefox.

However, less sophisticated SSL implementations such as the one on Android up to and including 4.2.2 will abort with errors like the following:

org.springframework.web.client.ResourceAccessException: I/O error:
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.; nested exception is
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.