Document --csr flag

README.md

@@ -27,7 +27,7 @@ docker build -t lego .
 #### Features
 
 - Register with CA
-- Obtain certificates
+- Obtain certificates, both from scratch or with an existing CSR
 - Renew certificates
 - Revoke certificates
 - Robust implementation of all ACME challenges
@@ -89,6 +89,7 @@ COMMANDS:
    
 GLOBAL OPTIONS:
    --domains, -d [--domains option --domains option]			Add domains to the process
+   --csr, -c                Certificate signing request filename, if an external CSR is to be used
    --server, -s "https://acme-v01.api.letsencrypt.org/directory"	CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.
    --email, -m 								Email used for registration and recovery contact.
    --accept-tos, -a							By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
@@ -130,6 +131,14 @@ $ AWS_REGION=us-east-1 AWS_ACCESS_KEY_ID=my_id AWS_SECRET_ACCESS_KEY=my_key lego
 
 Note that `--dns=foo` implies `--exclude=http-01` and `--exclude=tls-sni-01`. lego will not attempt other challenges if you've told it to use DNS instead.
 
+Obtain a certificate given a certificate signing request (CSR) generated by something else:
+
+```bash
+$ lego --email="foo@bar.com" --csr=/path/to/csr.pem run
+```
+
+(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR's Common Name and optional SubjectAltNames are set correctly.)
+
 lego defaults to communicating with the production Let's Encrypt ACME server. If you'd like to test something without issuing real certificates, consider using the staging endpoint instead:
 
 ```bash