When you order an SSL certificate from Comodo or InstantSSL, you will receive an email with your certificate. Here’s how to configure nginx to use that certificate for SSL and TLS.

Attached to this email you should find a .zip file containing:

AddTrustExternalCARoot.crt
Root CA certificate:
UTNAddTrustSGCCA.crt
Intermediate CA certificate
ComodoUTNSGCCA.crt
Intermediate CA certificate
EssentialSSLCA_2.crt
Intermediate CA certificate
example_net.crt
Your SSL certificate

In order to use those with nginx, you need to concatenate all these files in the correct order, as follows:

cat example_net.crt \
EssentialSSLCA_2.crt \
ComodoUTNSGCCA.crt \
UTNAddTrustSGCCA.crt \
AddTrustExternalCARoot.crt > example_net-bundle.crt

The directives to be used in the server section of the nginx.conf file are along these lines:

listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/cert/example_net-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/key/example_net.key;

If the order of the certificates is incorrect, things might seem to work just fine in recent versions of Safari, Chrome and Firefox.

However, less sophisticated SSL implementations such as the one on Android up to and including 4.2.2 will abort with errors like the following:

org.springframework.web.client.ResourceAccessException: I/O error:
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.; nested exception is
javax.net.ssl.SSLHandshakeException:
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.