Using certbot with --csr

We are using a non-standard Apache2 configuration so I decided to use certonly, and the standalone plugin.
./certbot-auto certonly --standalone --staging

I answered the questions interactively and it went well: I ended up with cert.pem and privkey.pem (actually these are symlinks) in a predictable location: /etc/letsencrypt/live/mydomain.com/. I configured Apache to look there for the certificate and key, and all was well. Certificate renewal also worked.

I tried to do the same thing but this time supplied a CSR file on the command-line so that the certificate has our company name and location on it:
./certbot-auto certonly --csr certrequest.der --standalone --staging

However, when I specify --csr the certificate and chain files go into the current directory. And I don’t see a key-file anywhere.

So, where is the private key when I use --csr? And is there a way to supply --csr but keep the old behavior where everything goes into /etc/letsencrypt/live with predictable symlinks?

That won't work. Let's Encrypt issues Domain Validation (DV) certificates, meaning only the domain ownership is verified. Other fields will be discarded before Let's Encrypt signs the certificate because Let's Encrypt has no way of knowing if that data is accurate. What you're asking for would be an Organization Validation (OV) or Extended Validation (EV) certificate, which involves a manual validation process and is not available through Let's Encrypt.

When you manually provide a CSR file, you would have already had to create a private key in order to do that, so the file should already exist somewhere. You probably used something like openssl genrsa ... to generate that file.

The CSR does not contain your private key, so the client has no way of storing the key in a file of your choice. That would be up to you.

For the previously mentioned reasons, that would not be possible.
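As an added example (not code from this thread or from certbot), assuming openssl is on PATH: this generates a private key and a CSR the way the answer describes, then checks that the CSR contains only the public key (so the client has nothing to store for you) and that it is bound to the key you generated. The temporary file names and the subject values are constructed for the example; the fields other than CN are the ones a DV issuer discards.

```shell
#!/bin/sh
# Added example, not from the thread: key first, then a CSR signed by it,
# then verify what the CSR does and does not carry.
set -eu

# Throwaway working directory; file names are constructed for this example.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/privkey.pem"
CSR="$WORK/certrequest.pem"   # certbot --csr accepts PEM or DER

# 1. The private key is created by you, not by certbot ("openssl genrsa ...").
openssl genrsa -out "$KEY" 2048 2>/dev/null

# 2. The CSR is signed with that key. O and L are placeholder values that a
#    DV CA will not carry into the issued certificate; CN is a placeholder domain.
openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/O=Example Corp/L=Springfield/CN=mydomain.example" 2>/dev/null

# Returns 0 when the CSR file contains no private-key block at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# Returns 0 when the public key embedded in the CSR equals the public half
# of the key file: the CSR references the key without containing it.
csr_matches_key() {
    csr_pub="$(openssl req -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$csr_pub" = "$key_pub" ]
}

# Prints the subject exactly as the CA will see it in the request.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

csr_has_no_private_key "$CSR" && echo "CSR contains no private key"
csr_matches_key "$CSR" "$KEY" && echo "CSR public key matches $KEY"
csr_subject "$CSR"
```

Keep the key file you generated in step 1 under your own path permissions; that file, not anything certbot writes, is what your Apache SSLCertificateKeyFile must point at.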


Thanks for the explanation! In hindsight maybe I should have guessed about the “missing” key since I’m the one who set up the self-signed certificate originally. :)

I have returned to the original configuration that worked, and we are up and running. Much obliged!
