For my CAcert certificate, what I did was to generate the CSR on a Debian LXC container:
% openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr -days 1000
Then, I paste the server.csr file in the CAcert Web form, and I download the server.crt file signed by CAcert. I then concatenate the private key and the signed certificate:
% cat server.key server.crt > server.pem
Then I copy server.pem to the Turris, change the lighttpd config as indicated and everything works.
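A check that can run before the bundle is copied to the router, as an added example that is not part of the original post: it confirms that server.crt carries the same public key as server.key and writes server.pem readable by the owner only. The names `build_pem`, `demo` and `router.example` are made up for illustration, and the demo uses a self-signed certificate in place of the CA-signed one.

```shell
#!/bin/sh
# Added example (not from the original post): assemble server.pem for lighttpd
# only after checking that the signed certificate belongs to the private key.

# build_pem KEY CRT OUT -> 0 written, 1 key/cert mismatch, 2 unreadable input
build_pem() {
    bp_key=$1; bp_crt=$2; bp_out=$3
    # Extract the public key from each file; the PEM text compares byte for byte.
    bp_kpub=$(openssl pkey -in "$bp_key" -pubout 2>/dev/null) || return 2
    bp_cpub=$(openssl x509 -in "$bp_crt" -pubkey -noout 2>/dev/null) || return 2
    [ "$bp_kpub" = "$bp_cpub" ] || return 1
    # The bundle holds the unencrypted private key (-nodes), so create it
    # with owner-only permissions instead of the default umask.
    ( umask 077 && rm -f "$bp_out" && cat "$bp_key" "$bp_crt" > "$bp_out" )
}

# demo: constructed inputs. A self-signed certificate stands in for the one
# returned by the CA, and a second key plays the role of a wrong server.key.
demo() {
    d=$(mktemp -d) || return 9
    openssl req -x509 -new -nodes -newkey rsa:2048 -subj "/CN=router.example" \
        -keyout "$d/server.key" -out "$d/server.crt" -days 1 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    ok=0;  build_pem "$d/server.key" "$d/server.crt" "$d/server.pem" || ok=$?
    bad=0; build_pem "$d/other.key"  "$d/server.crt" "$d/bad.pem"    || bad=$?
    mode=$(ls -l "$d/server.pem" | cut -c1-10)
    # A mismatched pair must not leave a bundle behind.
    if [ -e "$d/bad.pem" ]; then bad="$bad+file"; fi
    rm -rf "$d"
    echo "match=$ok mismatch=$bad mode=$mode"
}
```

With the files from the post, the call would be `build_pem server.key server.crt server.pem`; a return status of 1 means the downloaded certificate was issued for a different key.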