I just wanted to know the exact mechanism of generating a certificate with the command certbot certonly. Is it as follows?
Private Key is automatically generated in "pem" format by the certbot acme client and it is never shared with Let's Encrypt to be placed as this file at this directory
/etc/letsencrypt/live/mydomainname/privkey.pem
CSR is also generated automatically by the Certbot acme client and sent to Let's Encrypt
Let's Encrypt signs the CSR and sends back the certificate to be placed as this file at this directory?
/etc/letsencrypt/live/mydomainname/fullchain.pem
For the ultra-paranoid:
You can generate your own CSR [offline/elsewhere] and have certbot use that one.
[that way it has absolutely no knowledge of the private key - ever]
Very true, but also a very big pain in the butt if you use the Certbot --csr option: Certbot doesn't "remember" the certificate as it would with other certs and it just outputs the retrieved files in the current working directory. If one would want to use their own separate CSR, I'd recommend a different ACME client with better support for that. (I don't know of any off the top of my head though.)
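
The offline-CSR flow discussed in the replies above, as an added example that is not part of any post in this thread: it creates a key and CSR locally, then checks that the CSR carries only the matching public key plus a valid self-signature. It assumes OpenSSL 1.1.1 or later; `example.com`, the file names and the helper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: key and CSR made locally; only the CSR would go to the CA.
# Assumes OpenSSL 1.1.1+ (for -addext). example.com and file names are constructed.
set -eu

# Generate a P-256 private key and a CSR with a matching SAN in directory $2.
make_key_and_csr() (
  domain=$1; dir=$2
  umask 077                      # key file readable by its owner only
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$dir/privkey.pem"
  openssl req -new -key "$dir/privkey.pem" -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain" -out "$dir/request.csr"
)

# SHA-256 of the DER-encoded public key embedded in a CSR.
pubkey_digest_of_csr() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a private key file.
pubkey_digest_of_key() {
  openssl pkey -in "$1" -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# True if the CSR's self-signature verifies (proof the requester holds the key).
csr_is_self_signed() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if the file contains any PEM private-key block.
contains_private_key() { grep -q "PRIVATE KEY-----" "$1"; }

workdir=$(mktemp -d)
make_key_and_csr example.com "$workdir"
echo "CSR pubkey: $(pubkey_digest_of_csr "$workdir/request.csr")"
echo "Key pubkey: $(pubkey_digest_of_key "$workdir/privkey.pem")"
csr_is_self_signed "$workdir/request.csr" && echo "CSR signature OK"
contains_private_key "$workdir/request.csr" || echo "CSR holds no private key"
# Next step from the thread, not run here (needs network and an authenticator):
#   certbot certonly --csr "$workdir/request.csr"
rm -rf "$workdir"
```

The two digests printed are identical, which is the whole relationship between the files: the CA sees the public half and the signature, never `privkey.pem`.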