@schoen, thank you very much for the clarification. I guessed as much because I spent a long time wondering if the --duplicate flag made any sense when using an external CSR because the cert files aren’t created in the usual letsencrypt paths.
For anyone faced with a similar situation, here’s my somewhat crude solution to upload the provided external CSR to the server and generate the certificate:
1. Download the external CSR (provided in .pem format) to desktop
2. Upload to the web root of an account on the server through ftp/sftp
3. Log in to the server and run the following command: certbot certonly --manual --csr /path/to/external_csr.pem --preferred-challenges "dns"
That was it, although I had to add DNS TXT records to complete the domain verification challenges, wait for those records to be active and then continue with the process. This was very quick because we use Route53 and the default TTL for most record types is 300 seconds.
The following files were saved to root’s home directory (where I ran the command from):
-rw-r--r-- 1 root root 1809 Jul 17 18:37 0000_cert.pem
-rw-r--r-- 1 root root 1647 Jul 17 18:37 0000_chain.pem
-rw-r--r-- 1 root root 3456 Jul 17 18:37 0001_chain.pem
I am not sure if it was necessary to specify the dns challenges because the domain for which this SSL was being generated for Akamai already had an LE cert on the server, so maybe it was unnecessary?
Also, it can be seen that I didn’t specify the domain flag at all (-d ourdomain.com -d www.ourdomain.com) because that was already part of the external CSR, anyway.
Many thanks to @ahaw021, without whose help with the CSR command, I would have been quite lost. It would be a good idea for certbot to include the --csr command example in the documentation/manual.
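Added example (not part of the original post and not certbot's own code): since the names come from the external CSR rather than from -d, this sketch lists the DNS names a CSR requests and checks that an issued certificate carries the same public key as that CSR. It assumes the openssl CLI (1.1.1 or later); the function names, example.com names and the self-signed stand-in certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect an external CSR and the certificate issued from it.
# All domains and generated files below are constructed samples.

# List the DNS names requested in a CSR (the names certbot --csr will validate).
csr_names() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort -u
}

# Succeed only if the certificate carries the same public key as the CSR.
cert_matches_csr() {   # usage: cert_matches_csr CERT.pem CSR.pem
    cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    csr_key=$(openssl req -in "$2" -noout -pubkey) || return 2
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Build a constructed key, CSR and certificate in directory $1.
# The self-signed certificate only stands in for the 0000_cert.pem that
# certbot writes; a real one is signed by the CA, not by this key.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/external_csr.pem" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null &&
    openssl x509 -req -in "$1/external_csr.pem" -signkey "$1/key.pem" \
        -days 1 -out "$1/0000_cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir" || return 1
    echo "Names in CSR:"
    csr_names "$dir/external_csr.pem"
    if cert_matches_csr "$dir/0000_cert.pem" "$dir/external_csr.pem"; then
        echo "certificate key matches CSR"
    else
        echo "MISMATCH: certificate was not issued for this CSR"
    fi
    rm -rf "$dir"
}
demo
```

For a real run, call csr_names on the provider's CSR before submitting it, and cert_matches_csr on the resulting 0000_cert.pem and that same CSR afterwards.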