Certbot using csr and private key Apache and Postfix/Dovecot


Hi friends,
On a VPS (debian Jessie) where I would set up Postfix, Dovecot and Apache2,
in order to fully automate the certificate creation process, I would like to pass to certbot myself generated 4096 bit csr and private key,
Is it a practice recommended or overcomed by certbot, and/or this stops the automatism?

Many Thanks



certbot doesn’t need the private key. And you can use the --csr option to feed it your CSR (which is signed with your private key, hence certbot/Boulder doesn’t need the latter).

There are some quirks with using --csr, such as it just puts the certificate and chain in the current folder certbot is running from (with names like cert_0000.pem): it doesn’t actually make a nice structure such as symlinks in /etc/letsencrypt/live/example.com/cert.pem pointing to the most current cert in /etc/letsencrypt/archive/example.com.

So while it’s certainly possible, automation will be more difficult.


Hi @danjde. Can you elaborate a little bit on what aspects of the certificate you are trying to customize for automation by creating the private key & CSR yourself?

Supporting automation is definitely one of the goals of the Certbot project :slight_smile: Depending on what you are customizing it might be easier to let Certbot do the heavy lifting with some command-line guidance (e.g. --rsa-key-size 4096). This might help you avoid needing to create your own CSR and encountering some of the quirks that @Osiris mentioned.


Yes, you’re absolutely right! :slight_smile:

I was planning to use the certificate for these reasons:

  1. I would like to obtain a certbot/let’s encrypt 4096 bit certificate (and we have seen that this is possible)
  2. This certificate should contain most of the CSR information, specifically the “Common Name” (that must contain the fully-qualified host name) for Postfix and Dovecot use.
  3. This certificate should contain the smtp, pop, imap address and I think this is possible passing the “-d” option.
  4. I would like the generation of this certificate does not always produce new certitifcate names. I had previously used letsencrypt.sh and it always generated new certificate names but simultaneously created a link to the last certificate which kept its name unchanged.
    And this seem a little problem as @Osiris says:

Many many thanks to all! :wink:


I’m actually not quite sure if there’s any reason to use an explicit seperate CSR for the four reasons you’re giving :slight_smile: certbot would be able to do everything you need by itself.


Well Osiris!
But then when I should use “–csr” option?
And secondly to include the FQDN just use the “-d” option?

Thanks again for your dear help!


About “–csr” option I found this very clear explanation :wink:



The --csr option is useful when the TLS service that the certificate is intended for has DANE TLSA records. This is most common with SMTP for now. See:



Among DANE TLSA SMTP servers there are at least ~800 distinct LE-issued certificates (my survey cannot achieve 100% coverage). These are MX hosts for at least ~2400 Email domains.

These ~800 certificates are of course a very small fraction of the overall LE certificate count, but do constitute a significant fraction of the ~2200 total DANE TLSA MX host certificates (which today serve around 59000 domains).

DANE deployment is as yet quite small, but growing.


…it opens up a world! :slight_smile:
Very very interesting!
Now I have finally clarified what is the “–csr” option!
And for the moment seems not my case!

I’m definitely a beginner with SSL and Let’Encrypt but I have to understand and you have helped me a lot!
I still have questions about certbot, but I will open a dedicated post.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.