Using already issued CSR


Hi! I’m getting ready for the LE release in November, so I started to play around with the client.

The FAQ states:

Can I use an existing private key or Certificate Signing Request (CSR) with the Let’s Encrypt client?
Yes, you can obtain a certificate for an existing private key (if the
key is an appropriate type and size), and, if you want, you can use an
existing CSR.

How should I tell the LE client to use my good old CSR from my server?


Is it possible to use an already created key pair?

Hi @razor7! Currently, to use a preexisting CSR, the CSR has to be in DER format and have subject alternative names for every domain you wish to receive a cert for. If you have this, include the --csr option on the command line with the path to the CSR you’d like to use and run the auth command like so:

letsencrypt --csr /path/to/csr auth

You can include any other additional flags that you wish, such as --cert-path which specifies where to save the resulting certificate (if it’s not included, it’s saved in your working directory).

The auth command obtains a certificate from the ACME server but does not install it to your webserver. You can install it afterwards using the install command.

Hope this helps!



There’s no “letsencrypt” command in the letsencrypt repo as of 2015-12-04. Running “letsencrypt-auto --csr ~/mydomain.csr auth” gives this error:

Error: [(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), (‘asn1 encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)]

Detailed error from the logs is here:

(FYI: My CSR is the one given by to me as my website is based on WordPress, hosted on WPEngine)


I have the same issue - this is completely broken.

[(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), (‘asn1 encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)]
Traceback (most recent call last):
  File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/”, line 225, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/”, line 2380, in load_certificate_request
    _raise_current_error()
  File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/OpenSSL/”, line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), (‘asn1 encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)]


@skunkwerk and @nilesh, perhaps you have a CSR in DER format instead of PEM format?

If you run openssl req -in ~/mydomain.csr -text -noout, do you see data from the CSR? If not, do you see data by running openssl req -inform der -in ~/mydomain.csr -text -noout?

In this case, you need to convert the CSR to PEM format via

openssl req -inform der -outform pem -in ~/mydomain.csr -out ~/mydomain.pem

or something similar. The Let’s Encrypt client is expecting the CSR to be in PEM format, not DER format.


Actually, it’s the other way around :wink:


@Osiris, sure enough, I misremembered that. Perhaps the PEM/DER issue is still the problem here, though!


Worked for me the other way around, thanks.
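
Added example, not part of the thread and not the Let's Encrypt client's own code: a standard-library Python helper that detects whether a CSR file is PEM or DER and returns the DER bytes, which is the encoding the replies above conclude the `--csr` option expected. The function names and sample bytes are constructed for illustration; the sample is a minimal ASN.1 SEQUENCE standing in for a real CSR.

```python
import base64
import re

# PEM armor for PKCS#10 requests: the standard label and the older "NEW" variant.
_PEM_RE = re.compile(
    rb"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> int:
    """Return the total encoded length of the outer SEQUENCE, or raise ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        # A DER parser handed PEM text sees '-' (0x2D) here instead of 0x30,
        # which surfaces as a 'wrong tag' error like the one in the thread.
        raise ValueError("not DER: first byte is not SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def csr_to_der(data: bytes):
    """Return (detected_format, der_bytes) for PEM or DER input."""
    match = _PEM_RE.search(data)
    if match:
        # b64decode drops the newlines inside the armor by default.
        fmt, der = "PEM", base64.b64decode(match.group(2))
    else:
        fmt, der = "DER", data
    if der_outer_length(der) != len(der):
        raise ValueError("length mismatch: truncated file or trailing data")
    return fmt, der


# Constructed sample: SEQUENCE { INTEGER 0 }, a stand-in for a real CSR.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for blob in (SAMPLE_DER, SAMPLE_PEM):
        print(csr_to_der(blob)[0])
```

The check covers only the outer encoding; it does not verify the request's signature or that subject alternative names are present.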