diff --git a/README.md b/README.md
index 9d1807aa..c75a2e85 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ GLOBAL OPTIONS:
 									digitalocean: DO_AUTH_TOKEN
 									dnsimple: DNSIMPLE_EMAIL, DNSIMPLE_API_KEY
 									route53: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
-									rfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_NAMESERVER, RFC2136_ZONE
+									rfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER, RFC2136_ZONE
 									manual: none
    --help, -h								show help
    --version, -v							print the version
diff --git a/acme/client.go b/acme/client.go
index 769b17e0..bc641144 100644
--- a/acme/client.go
+++ b/acme/client.go
@@ -319,7 +319,6 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle bool) (Certif
 				// Success - append the issuer cert to the issued cert.
 				issuerCert = pemEncode(derCertificateBytes(issuerCert))
 				issuedCert = append(issuedCert, issuerCert...)
-				cert.Certificate = issuedCert
 			}
 		}
 
diff --git a/cli.go b/cli.go
index 893d1cda..cb30fc1c 100644
--- a/cli.go
+++ b/cli.go
@@ -50,6 +50,12 @@ func main() {
 			Name:   "run",
 			Usage:  "Register an account, then create and install a certificate",
 			Action: run,
+			Flags: []cli.Flag{
+				cli.BoolFlag{
+					Name:  "no-bundle",
+					Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
+				},
+			},
 		},
 		{
 			Name:   "revoke",
@@ -70,6 +76,10 @@ func main() {
 					Name:  "reuse-key",
 					Usage: "Used to indicate you want to reuse your current private key for the new certificate.",
 				},
+				cli.BoolFlag{
+					Name:  "no-bundle",
+					Usage: "Do not create a certificate bundle by adding the issuers certificate to the new certificate.",
+				},
 			},
 		},
 	}
@@ -124,7 +134,7 @@ func main() {
 				"\n\tdigitalocean: DO_AUTH_TOKEN" +
 				"\n\tdnsimple: DNSIMPLE_EMAIL, DNSIMPLE_API_KEY" +
 				"\n\troute53: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION" +
-				"\n\trfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_NAMESERVER, RFC2136_ZONE" +
+				"\n\trfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER, RFC2136_ZONE" +
 				"\n\tmanual: none",
 		},
 	}
diff --git a/cli_handlers.go b/cli_handlers.go
index cdf4dca8..324ec17f 100644
--- a/cli_handlers.go
+++ b/cli_handlers.go
@@ -203,7 +203,7 @@ func run(c *cli.Context) {
 		logger().Fatal("Please specify --domains or -d")
 	}
 
-	cert, failures := client.ObtainCertificate(c.GlobalStringSlice("domains"), true, nil)
+	cert, failures := client.ObtainCertificate(c.GlobalStringSlice("domains"), !c.Bool("no-bundle"), nil)
 	if len(failures) > 0 {
 		for k, v := range failures {
 			logger().Printf("[%s] Could not obtain certificates\n\t%s", k, v.Error())
@@ -300,7 +300,7 @@ func renew(c *cli.Context) {
 
 	certRes.Certificate = certBytes
 
-	newCert, err := client.RenewCertificate(certRes, true)
+	newCert, err := client.RenewCertificate(certRes, !c.Bool("no-bundle"))
 	if err != nil {
 		logger().Fatalf("%s", err.Error())
 	}