Step 1. Buy the SSL from the provider,

In current docs I explain about godaddy, follow

Step 2. Generate CSR

How you generate a .csr depends on the type of certificate you’re requesting and your operating system.

• SSH into your server
• Generate crt using openssl with following command

  openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
  

• Here is the godaddy docs

Step 3. Generate .crt file from the SSL Provider

Above step will generate the csr file copy that into the ssl provider and get the .crt file which can be used for the SSL management of the website.

Here is how we can generate .crt file

• Next go to the SSL management section of your GoDaddy account and click “Manage” next to the certificate you want to use. Click on the “Re-Key” and cut and paste the results of the CSR above into the re-key request. Finish the process completely.

• Steps for godaddy SSL certificate configuration here

• After generating the .crt file, you will download a zipfile contrains the

Step 4. Concatenate the intermediate and bundle .crt files to generate

A common practice, then, is to bundle these all up into one file – your certificate, then the signing certificates. But since they aren’t easily distinguished, it sometimes happens that someone accidentally puts them in the other order – signing certs, then the final cert – without noticing. In that case, your cert will not match your key.

cat certificate.crt ca_bundle.crt > bundle_chained.crt

Here is the related issues with X509_check_private_key:key values mismatch, stackoverflow answer

Here is the example for nginx ssl certificate conf

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     bundle_chained.crt;
    ssl_certificate_key example.key;
    ...
}