Let's https: certbot + let's encrypt
Getting trusted Let's encrypt-certificates for your domain has never been easier. Even easier than actually creating custom certificates for yourself. At least if you don't have a clue about certificates and such.
The setup for this blog for example: We have an apache2-server as gateway for our domains which (if needed) proxies the requests/responses to the actual server (like the local ghost install).
To get https enabled for your website 'certbot' will help you a lot.
There are actually a couple of ways how to achieve the retieval of the certificates. In the end most important for let's encrypt to give out a certificate for your domain is that you prove that you are the owner of the domain.
One possible way is certbot's webroot. In this 'handshake'-option you need just to give certbot the filesystem-rootpath that maps to your domain's http-port 80.
certbot certonly --webroot -w /var/www/example -d www.example.com
During the handshake some random data provided by let's encrypt is written to some random dot-prefixed folder and then checked if this data is accessible. That is enough as proof and you'll get the certificates ( /etc/letsencrypt ).
Since this certificates are only valid for 90-days you need to recreate them once they are invalid or are becoming invalid shortly.
This can be done by just calling
certbot renew
This is best to be done in a cronjob