We are using a non-standard Apache2 configuration so I decided to use certonly, and the standalone plugin.
./certbot-auto certonly --standalone --staging
I answered the questions interactively and it went well: I ended up with cert.pem and privkey.pem (actually these are symlinks) in a predictable location: /etc/letsencrypt/live/mydomain.com/. I configured Apache to look there for the certificate and key, and all was well. Certificate renewal also worked.
I tried do the same thing but this time supplied a CSR file on the command-line so that the certificate has our company name and location on it:
./certbot-auto certonly --csr certrequest.der --standalone --staging
However, when I specify --csr the certificate and chain files go into the current directory. And I don’t see a key-file anywhere.
So, where is the private key when I use --csr? And is there a way to supply --csr but keep the old behavior where everything goes into /etc/lletsencrypt/live with predictable symlinks?