37 changes: 20 additions & 17 deletions docs/security/ssl/create-a-self-signed-tls-certificate.md
Expand Up @@ -2,11 +2,11 @@
author:
name: Linode
email: docs@linode.com
description: 'This guide will show you a brief command to create a self-signed TLS certificate with OpenSSL.'
description: 'This guide shows how to create a self-signed TLS certificate with OpenSSL.'
keywords: ["ssl", "tls", "https", "certificate", "self"]
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
aliases: ['security/ssl/create-a-self-signed-certificate-on-centos-and-fedora/','security/ssl/create-a-self-signed-certificate-on-debian-and-ubuntu/','security/ssl/how-to-make-a-selfsigned-ssl-certificate/']
modified: 2018-01-09
modified: 2018-01-23
modified_by:
name: Linode
published: 2018-01-09
Expand All @@ -15,10 +15,13 @@ title: 'Create a Self-Signed TLS Certificate'

![Create a Self-Signed Certificate title graphic](/docs/assets/create-a-self-signed-tls-certificate-title-graphic.jpg "Create a Self-Signed Certificate title graphic")

Self-signed TLS certificates are suitable for personal use or applications used internally within an organization. If you intend to use your SSL certificate on a website served by Apache or NGINX, see our guides for doing that (Apache, [NGINX](/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections/x)) once you’ve completed the process outlined here.
## What is a Self-Signed TLS Certificate?

Self-signed TLS certificates are suitable for personal use or for applications that are used internally within an organization. If you intend to use your SSL certificate on a website, see our guide on enabling TLS for [NGINX](/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections/) once you’ve completed the process outlined in this guide.

1. Change users to the `root` user and change directories to where you want to create the certificate and key pair. That location will vary depending on your end use. Here we'll use `/root/certs`.
## Create the Certificate

1. Change to the `root` user and change to the directory in which you want to create the certificate and key pair. That location will vary depending on your needs. Here we'll use `/root/certs`:

su - root
mkdir /root/certs && cd /root/certs
Expand All @@ -27,7 +30,19 @@ Self-signed TLS certificates are suitable for personal use or applications used

openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out MyCertificate.crt -keyout MyKey.key

After entering the command, you will be prompted to add identifying information for your website or organization to the certificate. Since a self-signed cert won't be used publicly, this information isn't necessary. However, if this certificate were being created to be passed on to a certificate authority for signing, the information would need to be as accurate as possible.
You will be prompted to add identifying information about your website or organization to the certificate. Since a self-signed certificate won't be used publicly, this information isn't necessary. If this certificate will be passed on to a certificate authority for signing, the information needs to be as accurate as possible.

The following is a breakdown of the OpenSSL options used in this command. There are many other options available, but these will create a basic certificate which will be good for a year. For more information, see `man openssl` in your terminal.

* `-newkey rsa:4096`: Create a 4096 bit RSA key for use with the certificate. `RSA 2048` is the default on more recent versions of OpenSSL but to be sure of the key size, you should specify it during creation.

* `-x509`: Create a self-signed certificate.

* `-sha256`: Generate the certificate request using 265-bit SHA (Secure Hash Algorithm).

* `-days`: Determines the length of time in days that the certificate is being issued for. For a self-signed certificate, this value can be increased as necessary.

* `-nodes`: Create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.

Here is an example of the output:

Expand All @@ -54,18 +69,6 @@ Common Name (e.g. server FQDN or YOUR name) []:hostname.example.com
Email Address []:admin@example.com
{{< /output >}}

Here's a breakdown of the OpenSSL options used in that command. There are many others available, but these will create you something basic which will be good for a year. For more info, see `man openssl` in your terminal.

* `-newkey rsa:4096` tells OpenSSL to create a 4096 bit RSA key for use with the certificate. RSA 2048 is the default on more recent versions of OpenSSL but to be sure of the key size, you should specify it during creation.

* `-x509` tells OpenSSL to create a self-signed certificate.

* `-sha256` generate the certificate request using 265-bit SHA (Secure Hash Algorithm).

* `-days` determines the length of time in days that the certificate is being issued for. For a self-signed certificate, this value can be increased as necessary.

* `-nodes` instructs OpenSSL to create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.

3. Restrict the key's permissions so that only `root` can access it:

chmod 400 /root/certs/MyKey.key
Expand Down
110 changes: 57 additions & 53 deletions docs/security/ssl/obtain-a-commercially-signed-tls-certificate.md
Expand Up @@ -2,30 +2,34 @@
author:
name: Linode
email: docs@linode.com
description: 'This guide will show you a brief command to create a self-signed TLS certificate with OpenSSL.'
description: 'This guide shows how to create a commercially-signed TLS certificate with OpenSSL.'
keywords: ["ssl", "tls", "https", "certificate", "commercial"]
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
aliases: ['security/ssl/create-a-self-signed-certificate-on-centos-and-fedora/','security/ssl/create-a-self-signed-certificate-on-debian-and-ubuntu/','security/ssl/obtain-a-commercially-signed-ssl-certificate-on-centos-and-fedora/','security/ssl/obtain-a-commercially-signed-ssl-certificate-on-debian-and-ubuntu/','security/ssl/obtaining-a-commercially-signed-ssl-certificate/']
modified: 2017-12-20
modified: 2018-01-23
modified_by:
name: Linode
published: 2017-12-20
title: 'Obtain a Commercially Signed TLS Certificate'
---

## What is a Commercially Signed TLS Certificate?

If you intend to host a publicly accessible website which will use HTTPS, then you will want to install a commercially signed TLS certificate so people visiting your site don't get warnings in their browser about an unsafe connection.

There are currently two primary ways to do this: The easiest method is to sign your certificate using [Let's Encrypt](https://letsencrypt.org/). The [CertBot](https://certbot.eff.org/) tool makes obtaining and renewing certificates through Let's Encrypt extremely simple. However, this isn't a viable option for everyone.
The easiest method is to sign your certificate using [Let's Encrypt](https://letsencrypt.org/). The [CertBot](https://certbot.eff.org/) tool makes obtaining and renewing certificates through Let's Encrypt extremely simple. However, this isn't a viable option for everyone.

If you need [Domain Validation](https://en.wikipedia.org/wiki/Domain-validated_certificate) or [Extended Validation certificates](https://en.wikipedia.org/wiki/Extended_Validation_Certificate), you must create a Certificate Signing Request (CSR) for submission to a Certificate Authority (CA) such as Thawte or Verisign. This is the method for obtaining a signed TLS certificate that this guide focuses on.

If you need [Domain Validation](https://en.wikipedia.org/wiki/Domain-validated_certificate) or [Extended Validation certificates](https://en.wikipedia.org/wiki/Extended_Validation_Certificate), you must create a certificate signing request for submission to a certificate authority such as Thawte or Verisign. This is the second method for obtaining a signed TLS certificate, and the one which this guide focuses on. Some CAs allow you to create a CSR directly through their web interface after you register an account with them. That's certainly a usability advantage over manually creating the CSR on your server or local computer as this guide instructs.
Some CAs allow you to create a CSR directly through their web interface after you register an account with them. That's certainly a usability advantage over manually creating the CSR on your server or local computer as this guide instructs.

Research certificate authorities thoroughly before deciding on a company which will be used for things such as protecting customers' personal information via HTTPS, cryptographically signing emails, or granting access to internal platforms.
Research certificate authorities thoroughly before deciding on the company which will be used for things such as protecting customers' personal information via HTTPS, cryptographically signing emails, or granting access to internal platforms.

If you intend to use your SSL certificate on a website served by Apache or NGINX, see our guides for doing that (Apache, [NGINX](/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections)) once you’ve completed the process outlined here.
If you intend to use your SSL certificate on a website, see our guide on [Enabling TLS for HTTPS on NGINX](/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections) once you’ve completed the process in this guide.

## Create a Certificate Signing Request (CSR)

1. Change users to the `root` user and move to a directory where you want to create the certificate information:
1. Change to the `root` user and move to the directory in which you want to create the certificate information:

su - root
mkdir /root/certs/ && cd /root/certs/
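Review bot: the sentence "If you need Domain Validation or Extended Validation certificates, you must create a Certificate Signing Request (CSR) for submission to a Certificate Authority" contradicts the Let's Encrypt paragraph directly above it, because Let's Encrypt issues domain-validated certificates (Certbot generates the CSR for you); the distinction this section wants is Organization Validation or Extended Validation, or simply "a certificate from a commercial CA". Dropping "There are currently two primary ways to do this" also leaves "The easiest method" without an antecedent; consider "The easiest way to obtain a publicly trusted certificate is to use Let's Encrypt." Minor: the description says "commercially-signed" while the title says "Commercially Signed"; pick one form.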
Expand All @@ -34,9 +38,19 @@ If you intend to use your SSL certificate on a website served by Apache or NGINX

openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr

After entering the command, you will be prompted to add identifying information for your website or organization to the certificate. Since this certificate is being created to be passed on to a certificate authority for signing, the information needs to be accurate.
You will be prompted to add identifying information for your website or organization to the certificate. Since this certificate is being created to be passed on to a certificate authority for signing, the information needs to be accurate.

The following is a breakdown of the OpenSSL options used in this command. There are many other options available, but these will create a basic certificate which will be good for a year. For more information, see `man openssl` in your terminal.

* `-newkey rsa:4096`: Creates a 4096 bit RSA key for use with the certificate. `RSA 2048` is the default on more recent versions of OpenSSL but to be sure of the key size, you should specify it during creation.

* `-sha256`: Generates the certificate request using 265-bit SHA (Secure Hash Algorithm).

* `-days`: Determines the length of time in days that the certificate is being issued for. For a commercial certificate, this value should be no higher than `730` (2 years).

Here is an example of the output. You may safely leave the `extra attributes` blank, just press *Enter* to bypass each one.
* `-nodes`: Creates a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.

Here is an example of the output. You may safely leave the `extra attributes` blank, just press **Enter** to bypass each one:

{{< output >}}
root@localhost:~# openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr
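Review bot: the option breakdown added in this hunk does not match the command it describes. The command `openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr` contains no `-sha256`, so either add `-sha256` to the command or drop that bullet (and change "265-bit" to "256-bit" if it stays). `-days` is only honoured by `openssl req` together with `-x509`; for a CSR the validity period is set by the CA when it signs, so the bullet "this value should be no higher than `730` (2 years)" describes something this command does not do and should be removed, or reworded to refer to the validity you select when ordering from the CA. Finally, `-nodes` leaves the private key unencrypted rather than creating "a certificate that does not require a passphrase".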
Expand Down Expand Up @@ -66,78 +80,42 @@ A challenge password []:
An optional company name []:
{{< /output >}}

Here's a breakdown of the OpenSSL options used in that command. There are many others available, but these will create you something basic which will be good for a year. For more info, see `man openssl` in your terminal.

* `-newkey rsa:4096` tells OpenSSL to create a 4096 bit RSA key for use with the certificate. RSA 2048 is the default on more recent versions of OpenSSL but to be sure of the key size, you should specify it during creation.

* `-sha256` generate the certificate request using 265-bit SHA (Secure Hash Algorithm).

* `-days` determines the length of time in days that the certificate is being issued for. For a commercial certificate, this value should be no higher than 730 (2 years).

* `-nodes` instructs OpenSSL to create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.


## Regarding Your Certificate Authority's Root Certificate
## Your Certificate Authority's Root Certificate

Most modern Linux distributions come with common root CA certificates installed as part of the `ca-certificates` package, located under `/etc/ssl/certs/ca-certificates.crt`.

Alternatively, or if your `ca-certificates` bundle does not already include your CA's root cert, you could download the certificate directly from the certificate authority's website. Once you have the certificate, you'll then need to add it manually by moving the file to the source directory and updating the bundle.
Alternatively, or if your `ca-certificates` bundle does not already include your CA's root cert, download the certificate directly from the certificate authority's website. Once you have the certificate, add it manually by moving the file to the source directory and updating the bundle.

CentOS
**CentOS**

cp rootCert-example.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

Debian or Ubuntu
**Debian or Ubuntu**

cp rootCert-example.crt /usr/local/share/ca-certificates/
update-ca-certificates


## Submit Your CSR to Your Certificate Authority

This is when you must submit the certificate signing request to the CA for it to sign. How you do this will differ among certificate authorities and some CAs have videos or written instructions to guide you through the process, but the process usually involves the following steps:
Submit the certificate signing request to the CA. The exact steps differ among certificate authorities, and some CAs have videos or written instructions to guide you through the process. It usually involves the following steps:

1. Log in to your account with the CA.

2. Upload your CSR through the web management console.

3. After a few days, the signed certificate will be available for you to download and install into your server.


## Prepare a Chained SSL Certificate

Many CAs will issue certificates from an intermediate authority, which must be combined with the root certificate. If you receive several files from your CA ending with `.crt` (collectively referred to as a "chained SSL certificate"), they must be linked into one file, in a specific order, to ensure full compatibility with most browsers. The example below uses a chained SSL certificate that was signed by Comodo.
Many CAs will issue certificates from an intermediate authority, that certificate must be combined with the root certificate.

If you receive several files from your CA ending with `.crt` (collectively referred to as a *chained SSL certificate*), they must be linked into one file, in a specific order, to ensure full compatibility with most browsers. The example below uses a chained SSL certificate that was signed by Comodo.

To combine the individual certificates:

cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www.mydomain.com.crt

The contents of the resulting file will appear similar to the following:

-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQVjCXC0bF9U8FypJOnL9cuDANBgkqhkiG9w0BAQsFADCB
................................................................
ncHG3hwHHwhiEz6ukC2mqxA+D3KILiywgHgWcumnpeCEUQgDzy0Fz2Ip/kR/1Fkv
DCQzME2NkT1ZdW8fdz+Y
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
................................................................
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
................................................................
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
................................................................
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
-----END CERTIFICATE-----


Use this table to better visualize the command entered to prepare the chained certificate:

| **Certificate Type:** | **Issued to:** | **Issued by:** |
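Review bot: "Many CAs will issue certificates from an intermediate authority, that certificate must be combined with the root certificate." is a comma splice, and "that certificate" is ambiguous (the leaf or the intermediate?). Suggest: "Many CAs issue certificates from an intermediate authority. In that case, your certificate must be concatenated with the intermediate certificate(s) and the root certificate." In the root-certificate section just above, the unchanged line states the bundle lives at `/etc/ssl/certs/ca-certificates.crt`, which is the Debian/Ubuntu location; on CentOS the bundle is `/etc/pki/tls/certs/ca-bundle.crt`, so that sentence is worth qualifying while this section is being edited.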
Expand All @@ -146,3 +124,29 @@ Use this table to better visualize the command entered to prepare the chained ce
| Intermediate Certificate 1 | Comodo LLC | COMODORSA DomainValidation SecureServerCA |
| Intermediate Certificate 2 | COMODORSA DomainValidation SecureServerCA | COMODORSA AddTrustCA |
| Root certificate | COMODORSA AddTrustCA | AddTrust ExternalCARoot |

The contents of the resulting file will appear similar to the following:

{{< file "example.com.crt" >}}
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQVjCXC0bF9U8FypJOnL9cuDANBgkqhkiG9w0BAQsFADCB
................................................................
ncHG3hwHHwhiEz6ukC2mqxA+D3KILiywgHgWcumnpeCEUQgDzy0Fz2Ip/kR/1Fkv
DCQzME2NkT1ZdW8fdz+Y
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
................................................................
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
................................................................
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
................................................................
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
-----END CERTIFICATE-----
{{< /file >}}
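Review bot: the new `{{< file "example.com.crt" >}}` label names the leaf certificate, but the `cat` command earlier in this section reads `example.com.crt` as its first input and writes the combined chain to `www.mydomain.com.crt`; labelling the concatenated output `example.com.crt` implies the file overwrote its own input. Use one name for the combined file in both places (for example `example.com.chained.crt`) and one domain throughout (`example.com` versus `www.mydomain.com`). The table rows above also look shifted by one: a root certificate is self-signed, so its "Issued to" and "Issued by" should be the same name, yet the root row reads "Issued to: COMODORSA AddTrustCA / Issued by: AddTrust ExternalCARoot", which describes an intermediate.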