Skip to main content

Certbot: Issue and install private CA Manager certificate for NGINX, values read from CSR file

Command syntax

At the command-line prompt, use the below command syntax to issue and install a private CA Manager certificate for the NGINX web server, reading certificate values from a certificate signing request (CSR) file:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} --csr {MY-CSR-FILE}

Fill in values for the command arguments shown in curly braces, as described below:

Command argument

Description

{MY-KEY-IDENTIFIER}

The external account binding key identifier (KID) of the desired certificate profile in DigiCert​​®​​ Trust Lifecycle Manager.

{MY-HMAC-KEY}

The external account binding HMAC key of the certificate profile.

{ACME-URL}

The ACME Directory URL. For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory

{MY-CONFIG-DIR}

The local directory path that stores your Certbot configuration files for the current application. The configuration files here control how and where Certbot installs the certificates it downloads. If you omit the --config-dir option, Certbot will check in the /etc/letsencrypt directory by default.

{MY-CSR-FILE}

The path to your certificate signing request (CSR) file.

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_other_webserver_config/ --csr my_csr_file.csr

Usage notes

  • Use the --csr option to read the certificate domains from a CSR file instead of entering them on the command-line with the -d option.

  • When using the --csr option, the requested certificate profile in DigiCert​​®​​ Trust Lifecycle Manager must be based on the CA Manager Private Server Certificate template and must have the From CSR option selected for the Subject DN Common name field. See Create an ACME-based profile for private CA Manager certificates.

  • If the requested certificate matches an existing order, DigiCert​​®​​ Trust Lifecycle Manager applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, Trust Lifecycle Manager treats it as a new order and enrolls the new certificate for you.

  • This command only works for private certificates issued from CAs in DigiCert® CA Manager. For public certificates, you must use additional options to validate the domain through Certbot. For examples, see here (DNS-01 validation method) and here (HTTP-01 validation method).