Skip to main content

Certbot: Issue and install private CA Manager certificate for NGINX, values read from CSR file

Command syntax

At the command-line prompt, use the below command syntax to issue and install a private CA Manager certificate for the NGINX web server, reading certificate values from a certificate signing request (CSR) file:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} --csr {MY-CSR-FILE}

Fill in values for the command arguments shown in curly braces, as described below:

Command argument

Description

{MY-KEY-IDENTIFIER}

The EAB key identifier (KID). For DigiCert​​®​​ Trust Lifecycle Manager. accounts, use certificate profile.

{MY-HMAC-KEY}

The EAB HMAC key.

{ACME-URL}

For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory

{MY-CONFIG-DIR}

Local path to Certbot configuration files for the current application. These files control how and where Certbot installs certificates. If --config-dir is omitted, Certbot defaults to /etc/letsencrypt.

{MY-CSR-FILE}

The path to your certificate signing request (CSR) file.

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_other_webserver_config/ --csr my_csr_file.csr

Usage notes

  • Use the --csr option to read the certificate domains from a CSR file instead of entering them on the command-line with the -d option.

  • When using the --csr option, the requested certificate profile in DigiCert​​®​​ Trust Lifecycle Manager must be based on the CA Manager Private Server Certificate template and must have the From CSR option selected for the Subject DN Common name field. See Create an ACME-based profile for private CA Manager certificates.

  • If the requested certificate matches an existing order, DigiCert​​®​​ Trust Lifecycle Manager applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, Trust Lifecycle Manager treats it as a new order and enrolls the new certificate for you.

  • This command only works for private certificates issued from CAs in DigiCert® Private CA. For public certificates, you must use additional options to validate the domain through Certbot. For examples, see here (DNS-01 validation method) and here (HTTP-01 validation method).