
Certbot: Issue and install private CA Manager certificate for NGINX, values read from CSR file

Command syntax

At the command-line prompt, use the following command syntax to issue and install a DigiCert® Private CA certificate for the NGINX web server, reading the certificate values from a certificate signing request (CSR) file:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} --csr {MY-CSR-FILE}

Fill in values for the command arguments shown in curly braces, as described below:

Command argument        Description

{MY-KEY-IDENTIFIER}     The EAB key identifier (KID) from the certificate profile.

{MY-HMAC-KEY}           The EAB HMAC key from the certificate profile.

{ACME-URL}              For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory

{MY-CONFIG-DIR}         The local path to the Certbot configuration files for the current application.

{MY-CSR-FILE}           The path to your certificate signing request (CSR) file.

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_other_webserver_config/ --csr my_csr_file.csr

Usage notes

  • Use the --csr option to read the certificate domains from a CSR file instead of entering them on the command line with the -d option.

  • When using the --csr option, the requested certificate profile in DigiCert® Trust Lifecycle Manager must be based on the CA Manager Private Server Certificate template and must have the From CSR option selected for the Subject DN Common name field.

  • If the requested certificate matches an existing order, DigiCert® Trust Lifecycle Manager applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, Trust Lifecycle Manager treats it as a new order and enrolls the new certificate for you.

  • This command only works for private certificates issued from CAs in DigiCert® Private CA. For public certificates, you must use additional options to validate the domain through Certbot. For examples, see the DNS-01 and HTTP-01 validation method pages.
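The following script is an added example, not code from the DigiCert page: it builds the CSR that the --csr flow above reads its domains from, checks what the CSR actually requests before Certbot submits it, and keeps the EAB HMAC key in a mode-600 Certbot cli.ini instead of on the command line. It assumes OpenSSL 1.1.1 or later (for -addext); the hostnames, paths and the {MY-KEY-IDENTIFIER}/{MY-HMAC-KEY} placeholders are constructed and must be replaced with values from your certificate profile.

```shell
#!/bin/sh
# Added example, not from the DigiCert page. Prepares the CSR that the
# --csr flow above reads its domains from, and keeps the EAB HMAC key off
# the command line. Assumes OpenSSL 1.1.1+ (-addext); hostnames and paths
# are constructed placeholders; the real KID/HMAC key come from the
# certificate profile in DigiCert Trust Lifecycle Manager.
set -eu

# Generate a private key plus a CSR whose CN is the first hostname and
# whose SAN list carries all of them (the TLM profile must have "From
# CSR" selected for the Subject DN Common Name, per the usage notes).
make_csr() {
  dir=$1; cn=$2; shift 2
  sans=""
  for h in "$cn" "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# Verify the CSR's self-signature and list the DNS names it requests,
# one per line, so what Certbot will enroll can be reviewed first.
csr_domains() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Store the EAB credentials in a mode-600 Certbot cli.ini (Certbot reads
# long options, without the leading dashes, from a file given with -c),
# so the HMAC key does not end up in shell history or `ps` output.
write_certbot_ini() {
  ini=$1; kid=$2; hmac=$3; acme=$4; cfg=$5
  ( umask 077; printf 'eab-kid = %s\neab-hmac-key = %s\nserver = %s\nconfig-dir = %s\n' \
      "$kid" "$hmac" "$acme" "$cfg" > "$ini" )
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_csr "$work" www.example.internal app.example.internal
  csr_domains "$work/server.csr"
  write_certbot_ini "$work/cli.ini" '{MY-KEY-IDENTIFIER}' '{MY-HMAC-KEY}' \
    https://one.digicert.com/mpki/api/v1/acme/v2/directory \
    /usr/local/certbot/my_other_webserver_config/
  echo "sudo certbot --nginx --register-unsafely-without-email" \
    "-c $work/cli.ini --csr $work/server.csr"
fi
```

Run it with the argument demo to produce the key, CSR and cli.ini in a temporary directory and print the Certbot invocation that references them.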