How to control/specify manually generated chained certs' names/numbering?

Issuance Tech
1

If I generate EC certs, followed by RSA certs, for a given domain, the files populated are

    -rw-r--r-- 1 root root  474 Aug 10 10:24 example.com.ec.csr.der
    -rw-r--r-- 1 root root 1521 Aug 10 10:24 example.com.ec.crt.pem
    -rw-r--r-- 1 root root 3200 Aug 10 10:24 0001_chain.pem
    -rw-r--r-- 1 root root 1679 Aug 10 10:24 0000_chain.pem
    -rw-r--r-- 1 root root 1319 Aug 10 10:24 example.com.rsa.csr.der
    -rw-r--r-- 1 root root 2102 Aug 10 10:24 example.com.rsa.crt.pem
    -rw-r--r-- 1 root root 3781 Aug 10 10:24 0003_chain.pem
    -rw-r--r-- 1 root root 1679 Aug 10 10:24 0002_chain.pem
    drwxr-xr-x 2 root root 4096 Aug 10 10:24 .

If I flip the order, RSA then EC,

    -rw-r--r-- 1 root root 1319 Aug 10 10:26 example.com.rsa.csr.der
    -rw-r--r-- 1 root root 2102 Aug 10 10:26 example.com.rsa.crt.pem
    -rw-r--r-- 1 root root 3781 Aug 10 10:26 0001_chain.pem
    -rw-r--r-- 1 root root 1679 Aug 10 10:26 0000_chain.pem
    -rw-r--r-- 1 root root  475 Aug 10 10:26 example.com.ec.csr.der
    -rw-r--r-- 1 root root 1521 Aug 10 10:26 example.com.ec.crt.pem
    -rw-r--r-- 1 root root 3200 Aug 10 10:26 0003_chain.pem
    -rw-r--r-- 1 root root 1679 Aug 10 10:26 0002_chain.pem

There’s no clear differentiation of the

*_chain.pem

for either

  • it's EC or RSA

  • it's "fullchain.pem" or just "chain.pem"

Is their any end-user control of returned chained cert names?

I’d like to make them more descriptive so I don’t have to probe/extract to determine.

2

You may want --cert-path.

3

–cert-path affects the name of the .cert

NOT the chain/fullchain .pems

4

Then you probably want --chain-path or --fullchain-path.

5

Then you probably want --chain-path or --fullchain-path.

That sounds like it could work. Where's the doc on those? atm, there's only:

certbot-auto --help certonly
    ...
    certonly:
      Options for modifying how a cert is obtained

      --csr CSR             Path to a Certificate Signing Request (CSR) in DER
                            format; note that the .csr file *must* contain a
                            Subject Alternative Name field for each domain you
                            want certified. Currently --csr only works with the
                            'certonly' subcommand' (default: None)
      --cert-path CERT_PATH
                            Path to where cert is saved (with auth --csr),
                            installed from or revoked. (default: ./cert.pem)

Hence my OP.

6

Try certbot-auto --help all

7

Ugh. Thanks.

p.s. There’s an argument that doc for

  • cert-path
  • chain-path
  • fullchain-path

all being referenced in the same place

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.