diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88199b0..9e73838 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.6] - 2023-06-03
+
+### Added
+ - Allow path arguments with or without the correct extension
+ - Warn user before renewal if path has (wrong) extension
 
 ## [0.2.5] - 2023-06-02
 
diff --git a/Cargo.lock b/Cargo.lock
index 690f292..cc1e9f1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1438,7 +1438,7 @@ checksum = "436b050e76ed2903236f032a59761c1eb99e1b0aead2c257922771dab1fc8c78"
 
 [[package]]
 name = "renewc"
-version = "0.2.4"
+version = "0.2.5"
 dependencies = [
  "async-trait",
  "axum",
@@ -1463,6 +1463,7 @@ dependencies = [
  "rand",
  "rcgen",
  "shared_memory",
+ "strum",
  "tempfile",
  "time",
  "tokio",
@@ -1792,6 +1793,28 @@ version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
+[[package]]
+name = "strum"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "063e6045c0e62079840579a7e47a355ae92f60eb74daaf156fb1e84ba164e63f"
+dependencies = [
+ "strum_macros",
+]
+
+[[package]]
+name = "strum_macros"
+version = "0.24.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e385be0d24f186b4ce2f9982191e7101bb737312ad61c1f2f984f34bcf85d59"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "rustversion",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "syn"
 version = "1.0.109"
diff --git a/main/Cargo.toml b/main/Cargo.toml
index e7c23fd..6fb6053 100644
--- a/main/Cargo.toml
+++ b/main/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "renewc"
-version = "0.2.5"
+version = "0.2.6"
 authors = ["David Kleingeld <opensource@davidsk.dev>"]
 edition = "2021"
 description = "Certificate renewal, with advanced diagnostics without installing anything"
@@ -12,8 +12,7 @@ keywords = ["cli", "certificate", "acme"]
 categories = ["command-line-utilities"]
 
 [dependencies]
-# instant-acme = { version = "^0.3.2" }
-instant-acme = { git = "https://github.com/instant-labs/instant-acme", branch = "http-client-bounds" }
+instant-acme = { version = "^0.3.2" }
 x509-parser = "0.15"
 tracing = { version = "0.1" }
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
@@ -43,6 +42,7 @@ yasna = "0.5"
 async-trait = "0.1"
 data-encoding = "2.4"
 pem = "2"
+strum = { version = "0.24.1", features = ["derive"] }
 
 [dev-dependencies]
 libc = "0.2"
diff --git a/main/src/cert/format.rs b/main/src/cert/format.rs
index 61d953e..a787809 100644
--- a/main/src/cert/format.rs
+++ b/main/src/cert/format.rs
@@ -120,7 +120,4 @@ mod tests {
         let pem: Pem = der.to_pem(Label::Certificate);
         assert_eq!(pem.into_bytes(), ROOT_CA);
     }
-
-    #[test]
-    fn parse_chain() {}
 }
diff --git a/main/src/cert/io.rs b/main/src/cert/io.rs
index e0dfa17..94337ac 100644
--- a/main/src/cert/io.rs
+++ b/main/src/cert/io.rs
@@ -1,30 +1,9 @@
 use std::fs;
 use std::io::ErrorKind;
-use std::path::{Path, PathBuf};
+use std::path::Path;
 
 use color_eyre::eyre::{self, Context};
 use color_eyre::Help;
-use tracing::instrument;
-
-#[instrument(level = "debug", ret)]
-pub(crate) fn derive_path(cert_path: &Path, name: &str, ty: &str, extension: &str) -> PathBuf {
-    let mut path = dir(cert_path);
-    path.set_file_name(format!("{name}_{ty}"));
-    path.set_extension(extension);
-    path
-}
-
-pub(super) fn dir(cert_path: &Path) -> PathBuf {
-    let dir = if cert_path.is_file() {
-        cert_path
-            .parent()
-            .expect("is never none if parent was a file")
-    } else {
-        cert_path
-    };
-
-    dir.to_path_buf()
-}
 
 pub(super) fn read_any_file(path: &Path) -> eyre::Result<Option<Vec<u8>>> {
     match fs::read(path) {
@@ -39,41 +18,3 @@ pub(super) fn read_any_file(path: &Path) -> eyre::Result<Option<Vec<u8>>> {
         Ok(bytes) => Ok(Some(bytes)),
     }
 }
-
-pub(super) fn name(domains: &[impl AsRef<str>]) -> eyre::Result<String> {
-    let shortest = domains
-        .iter()
-        .map(AsRef::as_ref)
-        .min_by_key(|d| d.len())
-        .unwrap();
-    let last_dot = shortest
-        .rfind('.')
-        .ok_or_else(|| eyre::eyre!("shortest domain has no top level domain [org/net/com etc]"))?;
-    let (name, _extension) = shortest.split_at(last_dot);
-    if let Some(last_dot) = name.rfind('.') {
-        let (_subdomains, name) = name.split_at(last_dot + 1);
-        Ok(name.to_string())
-    } else {
-        Ok(name.to_string())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn extract_name() {
-        let domains = [
-            "example.org",
-            "subdomain.example.org",
-            "subsubdomain.subdomain.example.org",
-            "another.example.org",
-            "even_more.example.org",
-            "a.nm.org",
-            "subdomain.nm.org",
-        ];
-
-        assert_eq!(name(&domains).unwrap(), "nm");
-    }
-}
diff --git a/main/src/cert/load.rs b/main/src/cert/load.rs
index df82d3d..c6fcd7a 100644
--- a/main/src/cert/load.rs
+++ b/main/src/cert/load.rs
@@ -1,6 +1,6 @@
 use std::io::ErrorKind;
 
-use crate::config::{Output, OutputConfig};
+use crate::config::{Encoding, OutputConfig};
 use crate::Config;
 use color_eyre::eyre::{self, Context};
 use color_eyre::Help;
@@ -9,38 +9,7 @@ use tracing::instrument;
 use super::format::{Der, Label, PemItem};
 use super::{MaybeSigned, Signed};
 
-use super::io::{derive_path, name, read_any_file};
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum Encoding {
-    PEM,
-    DER,
-    #[cfg(feature = "derchain")]
-    PKCS12,
-}
-
-impl Encoding {
-    pub(crate) fn extension(self) -> &'static str {
-        match self {
-            Encoding::PEM => "pem",
-            Encoding::DER => "der",
-            #[cfg(feature = "derchain")]
-            Encoding::PKCS12 => "pkcs12",
-        }
-    }
-}
-
-impl From<&Output> for Encoding {
-    fn from(output: &Output) -> Self {
-        match output {
-            Output::Pem
-            | Output::PemSeperateKey
-            | Output::PemSeperateChain
-            | Output::PemAllSeperate => Encoding::PEM,
-            Output::Der => Encoding::DER,
-        }
-    }
-}
+use super::io::read_any_file;
 
 // TODO: remove Option, report errors upstream as warnings <03-05-23, dvdsk>
 #[instrument(level = "debug", skip(config), ret)]
@@ -75,27 +44,17 @@ pub fn from_disk<P: PemItem>(config: &Config) -> eyre::Result<Option<Signed<P>>>
 #[instrument(level = "debug", skip(config), err)]
 fn load_seperate_chain<P: PemItem>(config: &Config) -> eyre::Result<Vec<P>> {
     let OutputConfig {
-        output,
-        certificate_path,
-        chain_path,
-        ..
+        output, chain_path, ..
     } = &config.output_config;
-    let encoding = Encoding::from(output);
-    let path = match chain_path {
-        None => derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "chain",
-            encoding.extension(),
-        ),
-        Some(path) => path.clone(),
-    };
 
+    let encoding = Encoding::from(output);
     match encoding {
         Encoding::DER => {
             let mut chain = Vec::new();
             for i in 0.. {
-                let path = path.with_file_name(format!("{i}_chain.der"));
+                let path = chain_path
+                    .as_path()
+                    .with_file_name(format!("{i}_chain.der"));
                 let bytes = match std::fs::read(&path) {
                     Ok(bytes) => bytes,
                     Err(e) if e.kind() == ErrorKind::NotFound => break,
@@ -110,7 +69,7 @@ fn load_seperate_chain<P: PemItem>(config: &Config) -> eyre::Result<Vec<P>> {
         }
 
         Encoding::PEM => {
-            let Some(bytes) = read_any_file(&path)? else {
+            let Some(bytes) = read_any_file(chain_path.as_path())? else {
                 return Ok(Vec::new());
             };
             P::chain_from_pem(bytes)
@@ -122,23 +81,12 @@ fn load_seperate_chain<P: PemItem>(config: &Config) -> eyre::Result<Vec<P>> {
 fn load_seperate_private_key<P: PemItem>(config: &Config) -> eyre::Result<Option<P>> {
     let OutputConfig {
         output,
-        certificate_path,
         key_path,
         ..
     } = &config.output_config;
     let encoding = Encoding::from(output);
 
-    let path = match key_path {
-        None => derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "key",
-            encoding.extension(),
-        ),
-        Some(path) => path.clone(),
-    };
-
-    let Some(bytes) = read_any_file(&path)? else {
+    let Some(bytes) = read_any_file(key_path.as_path())? else {
         return Ok(None);
     };
 
@@ -152,25 +100,15 @@ fn load_seperate_private_key<P: PemItem>(config: &Config) -> eyre::Result<Option
 fn load_certificate<P: PemItem>(config: &Config) -> eyre::Result<Option<MaybeSigned<P>>> {
     let OutputConfig {
         output,
-        certificate_path,
+        cert_path,
         ..
     } = &config.output_config;
-    let encoding = Encoding::from(output);
-    let path = if certificate_path.is_dir() {
-        derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "cert",
-            encoding.extension(),
-        )
-    } else {
-        certificate_path.clone()
-    };
 
-    let Some(bytes) = read_any_file(&path)? else {
+    let Some(bytes) = read_any_file(cert_path.as_path())? else {
         return Ok(None);
     };
 
+    let encoding = Encoding::from(output);
     match encoding {
         Encoding::PEM => MaybeSigned::from_pem(bytes)
             .map(Option::Some)
diff --git a/main/src/cert/store.rs b/main/src/cert/store.rs
index c428c22..8bd9bd2 100644
--- a/main/src/cert/store.rs
+++ b/main/src/cert/store.rs
@@ -1,17 +1,15 @@
 use std::fs;
 use std::io::Write;
-use std::path::{Path, PathBuf};
+use std::path::Path;
 
 use super::format::PemItem;
-use super::io::{derive_path, name};
-use super::load::Encoding;
 use super::Signed;
 use color_eyre::eyre::{self, Context};
 use color_eyre::Help;
 use itertools::Itertools;
-use tracing::instrument;
+use tracing::{instrument, warn};
 
-use crate::config::{Output, OutputConfig};
+use crate::config::{Encoding, Output, OutputConfig};
 use crate::Config;
 
 #[instrument(level = "debug", skip(certificate))]
@@ -27,8 +25,7 @@ fn write_cert(
     match operation {
         Operation::Append(path) => {
             let mut file = fs::OpenOptions::new().append(true).open(path)?;
-            file
-                .write_all(&bytes)
+            file.write_all(&bytes)
                 .wrap_err("Could not append signed certificate to pem file")
         }
         Operation::Create(path) => {
@@ -53,8 +50,7 @@ fn write_key(
     match operation {
         Operation::Append(path) => {
             let mut file = fs::OpenOptions::new().append(true).open(path)?;
-            file
-                .write_all(&bytes)
+            file.write_all(&bytes)
                 .wrap_err("Could not append private key to pem file")
         }
         Operation::Create(path) => {
@@ -102,11 +98,18 @@ enum Operation<'a> {
 #[instrument(level = "debug", skip(config, signed), ret)]
 pub fn on_disk<P: PemItem>(config: &Config, signed: Signed<P>) -> eyre::Result<()> {
     use Operation::{Append, Create};
-    let cert_path = cert_path(config)?;
-    let key_path = key_path(config)?;
-    let chain_path = chain_path(config)?;
+    let OutputConfig {
+        output,
+        cert_path,
+        key_path,
+        chain_path,
+    } = &config.output_config;
 
-    let encoding = Encoding::from(&config.output_config.output);
+    let cert_path = cert_path.as_path();
+    let key_path = key_path.as_path();
+    let chain_path = chain_path.as_path();
+
+    let encoding = Encoding::from(output);
     let Signed {
         certificate,
         private_key,
@@ -115,90 +118,26 @@ pub fn on_disk<P: PemItem>(config: &Config, signed: Signed<P>) -> eyre::Result<(
 
     match config.output_config.output {
         Output::Pem => {
-            write_chain(encoding, chain, &cert_path)?;
-            write_cert(encoding, certificate, Append(&cert_path))?;
-            write_key(encoding, private_key, Append(&cert_path))?;
+            write_chain(encoding, chain, cert_path)?;
+            write_cert(encoding, certificate, Append(cert_path))?;
+            write_key(encoding, private_key, Append(cert_path))?;
         }
         Output::PemSeperateKey => {
-            write_chain(encoding, chain, &cert_path)?;
-            write_cert(encoding, certificate, Append(&cert_path))?;
-            write_key(encoding, private_key, Create(&key_path))?;
+            write_chain(encoding, chain, cert_path)?;
+            write_cert(encoding, certificate, Append(cert_path))?;
+            write_key(encoding, private_key, Create(key_path))?;
         }
         Output::PemSeperateChain => {
-            write_chain(encoding, chain, &chain_path)?;
-            write_cert(encoding, certificate, Create(&cert_path))?;
-            write_key(encoding, private_key, Append(&cert_path))?;
+            write_chain(encoding, chain, chain_path)?;
+            write_cert(encoding, certificate, Create(cert_path))?;
+            write_key(encoding, private_key, Append(cert_path))?;
         }
         Output::PemAllSeperate | Output::Der => {
-            write_chain(encoding, chain, &chain_path)?;
-            write_cert(encoding, certificate, Create(&cert_path))?;
-            write_key(encoding, private_key, Create(&key_path))?;
+            write_chain(encoding, chain, chain_path)?;
+            write_cert(encoding, certificate, Create(cert_path))?;
+            write_key(encoding, private_key, Create(key_path))?;
         }
     }
 
     Ok(())
 }
-
-#[instrument(level = "debug", ret, skip(config))]
-fn cert_path(config: &Config) -> eyre::Result<PathBuf> {
-    let OutputConfig {
-        output,
-        certificate_path,
-        ..
-    } = &config.output_config;
-
-    let encoding = Encoding::from(output);
-
-    Ok(if certificate_path.is_dir() {
-        derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "cert",
-            encoding.extension(),
-        )
-    } else {
-        certificate_path.clone()
-    })
-}
-
-#[instrument(level = "debug", ret, skip(config))]
-fn chain_path(config: &Config) -> eyre::Result<PathBuf> {
-    let OutputConfig {
-        output,
-        certificate_path,
-        chain_path,
-        ..
-    } = &config.output_config;
-
-    let encoding = Encoding::from(output);
-    Ok(match chain_path {
-        None => derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "chain",
-            encoding.extension(),
-        ),
-        Some(path) => path.clone(),
-    })
-}
-
-#[instrument(level = "debug", ret, skip(config))]
-fn key_path(config: &Config) -> eyre::Result<PathBuf> {
-    let OutputConfig {
-        output,
-        certificate_path,
-        key_path,
-        ..
-    } = &config.output_config;
-
-    let encoding = Encoding::from(output);
-    Ok(match key_path {
-        None => derive_path(
-            certificate_path,
-            &name(&config.domains)?,
-            "key",
-            encoding.extension(),
-        ),
-        Some(path) => path.clone(),
-    })
-}
diff --git a/main/src/config.rs b/main/src/config.rs
index cd6bdde..b1fda65 100644
--- a/main/src/config.rs
+++ b/main/src/config.rs
@@ -1,12 +1,17 @@
-use std::path::PathBuf;
-use std::str::FromStr;
+use std::path::Path;
+
+use color_eyre::eyre;
+use strum::EnumIter;
 
 use crate::diagnostics;
 
 use self::args::RenewArgs;
+use self::paths::{ChainPath, KeyPath};
 
 mod args;
-pub use args::{Commands, InstallArgs, OutputConfig};
+mod paths;
+pub use args::{Commands, InstallArgs, OutputArgs};
+use paths::{CertPath, name};
 
 #[derive(clap::ValueEnum, Debug, Clone, Default, PartialEq, Eq)]
 /// How to store the output.
@@ -49,6 +54,61 @@ pub enum Output {
     PKCS12AllSeperate,
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq, EnumIter)]
+pub enum Encoding {
+    PEM,
+    DER,
+    #[cfg(feature = "derchain")]
+    PKCS12,
+}
+
+impl Encoding {
+    pub(crate) fn extension(self) -> &'static str {
+        match self {
+            Encoding::PEM => "pem",
+            Encoding::DER => "der",
+            #[cfg(feature = "derchain")]
+            Encoding::PKCS12 => "pkcs12",
+        }
+    }
+}
+
+impl From<&Output> for Encoding {
+    fn from(output: &Output) -> Self {
+        match output {
+            Output::Pem
+            | Output::PemSeperateKey
+            | Output::PemSeperateChain
+            | Output::PemAllSeperate => Encoding::PEM,
+            Output::Der => Encoding::DER,
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct OutputConfig {
+    pub output: Output,
+    pub cert_path: CertPath,
+    pub key_path: KeyPath,
+    pub chain_path: ChainPath,
+}
+
+impl OutputConfig {
+    fn new(args: OutputArgs, name: &str) -> Result<Self, eyre::Report> {
+        Ok(OutputConfig {
+            cert_path: CertPath::new(&args.output, &args.certificate_path, name)?,
+            key_path: KeyPath::new(&args.output, &args.certificate_path, args.key_path, name)?,
+            chain_path: ChainPath::new(
+                &args.output,
+                &args.certificate_path,
+                args.chain_path,
+                name,
+            )?,
+            output: args.output,
+        })
+    }
+}
+
 #[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Clone)]
 pub struct Config {
@@ -56,7 +116,7 @@ pub struct Config {
     pub(crate) email: Vec<String>,
     pub production: bool,
     pub(crate) port: u16,
-    pub output_config: args::OutputConfig,
+    pub output_config: OutputConfig,
     pub reload: Option<String>,
     pub(crate) renew_early: bool,
     pub(crate) overwrite_production: bool,
@@ -66,46 +126,41 @@ pub struct Config {
     pub diagnostics: diagnostics::Config,
 }
 
-impl From<RenewArgs> for Config {
-    fn from(args: RenewArgs) -> Self {
-        Config {
+impl TryFrom<RenewArgs> for Config {
+    type Error = eyre::Report;
+
+    fn try_from(args: RenewArgs) -> Result<Self, Self::Error> {
+        let name = name(&args.domain)?;
+        let output_config = OutputConfig::new(args.output_config, &name)?;
+        Ok(Config {
             domains: args.domain,
             email: args.email,
             production: args.production,
             port: args.port,
-            output_config: args.output_config,
+            output_config,
             reload: args.reload,
             force: args.force,
             renew_early: args.renew_early,
             overwrite_production: args.overwrite_production,
             non_interactive: false,
             diagnostics: diagnostics::Config::default(),
-        }
-    }
-}
-
-// TODO: dont pass outputconfig to 
-// run/renew only to store on disk function <03-05-23, dvdsk>
-impl args::OutputConfig {
-    fn test() -> Self {
-        Self {
-            output: Output::default(),
-            certificate_path: PathBuf::from_str("test").unwrap(),
-            key_path: None,
-            chain_path: None,
-        }
+        })
     }
 }
 
 impl Config {
     #[must_use]
-    pub fn test(port: u16) -> Self {
+    pub fn test(port: u16, dir: &Path) -> Self {
+        let domains = vec!["testdomain.org".into()];
+        let name = name(&domains).unwrap();
+        let output_args = OutputArgs::test(dir);
+        let output_config = OutputConfig::new(output_args, &name).unwrap();
         Config {
-            domains: vec!["testdomain.org".into()],
+            domains,
             email: vec!["test@testdomain.org".into()],
             production: false,
             port,
-            output_config: args::OutputConfig::test(),
+            output_config,
             reload: None,
             renew_early: false,
             force: false,
diff --git a/main/src/config/args.rs b/main/src/config/args.rs
index 75fd5e3..4553140 100644
--- a/main/src/config/args.rs
+++ b/main/src/config/args.rs
@@ -1,7 +1,7 @@
 use clap::{Parser, Subcommand, ValueHint};
-use std::path::PathBuf;
-use std::str::FromStr;
 use time::macros::format_description;
+use std::path::{PathBuf, Path};
+use std::str::FromStr;
 
 use super::Output;
 
@@ -97,11 +97,11 @@ pub struct RenewArgs {
 
     // the options in the Output struct are added at the end
     #[clap(flatten)]
-    pub output_config: OutputConfig,
+    pub output_config: OutputArgs,
 }
 
 #[derive(Parser, Debug, Clone)]
-pub struct OutputConfig {
+pub struct OutputArgs {
     /// How to store the output, encoding and ways to split
     /// the file between files.
     #[clap(long, short, value_enum, default_value_t = Output::PemSeperateKey)]
@@ -111,7 +111,8 @@ pub struct OutputConfig {
     /// certificate possibly with its private key and/or chain
     /// (depending on the selected Output option).
     ///
-    /// Note: The file extension depends on the chosen format.
+    /// Note: The correct file extension is added automatically 
+    /// if left unspecified. It depends on the chosen output format.
     #[clap(long, short, value_hint=ValueHint::FilePath)]
     pub certificate_path: PathBuf,
 
@@ -123,7 +124,8 @@ pub struct OutputConfig {
     /// certificate-path's dir and the file name will be the shortest
     /// part of the domain(s).
     ///
-    /// Note: The file extension depends on the chosen format.
+    /// Note: The correct file extension is added automatically 
+    /// if left unspecified. It depends on the chosen output format.
     #[clap(long, value_hint=ValueHint::FilePath)]
     pub key_path: Option<PathBuf>,
 
@@ -135,8 +137,20 @@ pub struct OutputConfig {
     /// certificate-path's dir and the file name will be the shortest
     /// part of the domain(s).
     ///
-    /// Note: The file extension depends on the chosen format.
     /// Note: Can not be used when the format is set to Der.
+    /// Note: The correct file extension is added automatically 
+    /// if left unspecified
     #[clap(long, value_hint=ValueHint::FilePath)]
     pub chain_path: Option<PathBuf>,
 }
+
+impl OutputArgs {
+    #[must_use] pub fn test(dir: &Path) -> Self {
+        Self {
+            output: Output::default(),
+            certificate_path: dir.to_owned(),
+            key_path: None,
+            chain_path: None,
+        }
+    }
+}
diff --git a/main/src/config/paths.rs b/main/src/config/paths.rs
new file mode 100644
index 0000000..cca5fae
--- /dev/null
+++ b/main/src/config/paths.rs
@@ -0,0 +1,155 @@
+use color_eyre::{eyre, Help};
+use std::path::{Path, PathBuf};
+use tracing::warn;
+
+
+use super::{Encoding, Output};
+
+mod derive;
+use derive::derive_path;
+pub(super) use derive::name;
+
+fn push_extension(path: &Path, extension: &'static str) -> PathBuf {
+    assert!(!extension.starts_with('.'));
+    let curr = path
+        .extension()
+        .expect("should only be called on files with an extension");
+    let new = {
+        let mut curr = curr.to_os_string();
+        curr.push(".");
+        curr.push(extension);
+        curr
+    };
+    path.with_extension(new)
+}
+
+pub(super) fn fix_extension(encoding: Encoding, path: &Path) -> eyre::Result<PathBuf> {
+    use strum::IntoEnumIterator;
+
+    let Some(extention) = path.extension() else {
+        return Ok(path.with_extension(encoding.extension()))
+    };
+
+    let Some(extension) = extention.to_str() else {
+        // non utf8 extension can be a valid path still but it is
+        // unlikely (name.<non_utf>) could be a valid file path
+        warn!("Path contains non utf8 extension. While not a problem 
+              when renewing certificates it can cause issues loading the
+              certificate in another application.");
+        return Ok(push_extension(path, encoding.extension()))
+    };
+
+    if extention == encoding.extension() {
+        return Ok(path.to_path_buf());
+    }
+
+    for wrong in Encoding::iter().map(Encoding::extension) {
+        if extension == wrong {
+            return Err(eyre::eyre!("File path has wrong extension"))
+                .with_note(|| format!("extension is: \"{extension}\""))
+                .with_note(|| format!("only valid extension is {}", encoding.extension()))
+                .suggestion(
+                    "Leave out the extension, the correct extension will be added for you",
+                );
+        }
+    }
+
+    return Ok(push_extension(path, encoding.extension()));
+}
+
+#[derive(Debug, Clone)]
+pub struct CertPath(PathBuf);
+
+impl CertPath {
+    pub fn as_path(&self) -> &Path {
+        &self.0
+    }
+    pub fn new(output: &Output, cert_path: &Path, name: &str) -> eyre::Result<Self> {
+        let encoding = Encoding::from(output);
+
+        Ok(CertPath(if cert_path.is_dir() {
+            derive_path(cert_path, name, "cert", encoding.extension())
+        } else {
+            fix_extension(encoding, cert_path)?
+        }))
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct KeyPath(PathBuf);
+
+impl KeyPath {
+    pub fn as_path(&self) -> &Path {
+        &self.0
+    }
+    pub fn new(
+        output: &Output,
+        cert_path: &Path,
+        chain_path: Option<PathBuf>,
+        name: &str,
+    ) -> eyre::Result<Self> {
+        let encoding = Encoding::from(output);
+        Ok(KeyPath(match chain_path {
+            None => derive_path(cert_path, name, "chain", encoding.extension()),
+            Some(path) => fix_extension(encoding, &path)?,
+        }))
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct ChainPath(PathBuf);
+
+impl ChainPath {
+    pub fn as_path(&self) -> &Path {
+        &self.0
+    }
+
+    pub fn new(
+        output: &Output,
+        cert_path: &Path,
+        chain_path: Option<PathBuf>,
+        name: &str,
+    ) -> eyre::Result<Self> {
+        let encoding = Encoding::from(output);
+        Ok(ChainPath(match chain_path {
+            None => derive_path(cert_path, name, "key", encoding.extension()),
+            Some(path) => fix_extension(encoding, &path)?,
+        }))
+    }
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn no_extension() {
+        let path = Path::new("/etc/ssl/test.test");
+        assert_eq!(
+            fix_extension(Encoding::PEM, path).unwrap(),
+            PathBuf::from("/etc/ssl/test.test.pem")
+        );
+
+        let path = Path::new("/etc/ssl/test");
+        assert_eq!(
+            fix_extension(Encoding::PEM, path).unwrap(),
+            PathBuf::from("/etc/ssl/test.pem")
+        );
+
+        let path = Path::new("/etc/ssl/test");
+        assert_eq!(
+            fix_extension(Encoding::DER, path).unwrap(),
+            PathBuf::from("/etc/ssl/test.der")
+        );
+    }
+
+    #[test]
+    fn wrong_extension() {
+        let path = Path::new("/etc/ssl/test.test.der");
+        assert!(fix_extension(Encoding::PEM, path).is_err());
+
+        let path = Path::new("/etc/ssl/test.pem");
+        assert!(fix_extension(Encoding::DER, path).is_err());
+    }
+}
diff --git a/main/src/config/paths/derive.rs b/main/src/config/paths/derive.rs
new file mode 100644
index 0000000..d51d187
--- /dev/null
+++ b/main/src/config/paths/derive.rs
@@ -0,0 +1,61 @@
+use color_eyre::eyre;
+use std::path::{Path, PathBuf};
+use tracing::instrument;
+
+#[instrument(level = "debug", ret)]
+pub(crate) fn derive_path(cert_path: &Path, name: &str, ty: &str, extension: &str) -> PathBuf {
+    let mut path = dir(cert_path);
+    path.set_file_name(format!("{name}_{ty}"));
+    path.set_extension(extension);
+    path
+}
+
+pub fn name(domains: &[impl AsRef<str>]) -> eyre::Result<String> {
+    let shortest = domains
+        .iter()
+        .map(AsRef::as_ref)
+        .min_by_key(|d| d.len())
+        .unwrap();
+    let last_dot = shortest
+        .rfind('.')
+        .ok_or_else(|| eyre::eyre!("shortest domain has no top level domain [org/net/com etc]"))?;
+    let (name, _extension) = shortest.split_at(last_dot);
+    if let Some(last_dot) = name.rfind('.') {
+        let (_subdomains, name) = name.split_at(last_dot + 1);
+        Ok(name.to_string())
+    } else {
+        Ok(name.to_string())
+    }
+}
+
+pub(super) fn dir(cert_path: &Path) -> PathBuf {
+    let dir = if cert_path.is_file() {
+        cert_path
+            .parent()
+            .expect("is never none if parent was a file")
+    } else {
+        cert_path
+    };
+
+    dir.to_path_buf()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn extract_name() {
+        let domains = [
+            "example.org",
+            "subdomain.example.org",
+            "subsubdomain.subdomain.example.org",
+            "another.example.org",
+            "even_more.example.org",
+            "a.nm.org",
+            "subdomain.nm.org",
+        ];
+
+        assert_eq!(name(&domains).unwrap(), "nm");
+    }
+}
diff --git a/main/src/main.rs b/main/src/main.rs
index 8b13e17..733767f 100644
--- a/main/src/main.rs
+++ b/main/src/main.rs
@@ -37,7 +37,7 @@ async fn main() -> eyre::Result<()> {
     let mut stdout = std::io::stdout();
     match cli.command {
         Commands::Run(args) => {
-            let config = Config::from(args);
+            let config = Config::try_from(args)?;
             let Some(certs): Option<Signed<pem::Pem>> = run(&mut InstantAcme {}, &mut stdout, &config, debug).await? else {
                 return Ok(());
             };
diff --git a/main/tests/behaviour.rs b/main/tests/behaviour.rs
index 57b31a6..21f1a90 100644
--- a/main/tests/behaviour.rs
+++ b/main/tests/behaviour.rs
@@ -16,8 +16,7 @@ async fn production_does_not_overwrite_valid_production() {
     let mut acme = TestAcme::new(gen_cert::valid());
     let dir = tempfile::tempdir().unwrap();
 
-    let mut config = Config::test(42);
-    config.output_config.certificate_path = dir.path().join("cert.pem");
+    let mut config = Config::test(42, &dir.path().join("test"));
     config.output_config.output = Output::Pem;
     config.production = true;
 
@@ -53,8 +52,7 @@ async fn staging_does_not_overwrite_production() {
     let mut acme = TestAcme::new(gen_cert::valid());
     let dir = tempfile::tempdir().unwrap();
 
-    let mut config = Config::test(42);
-    config.output_config.certificate_path = dir.path().join("cert.pem");
+    let mut config = Config::test(42, &dir.path().join("test_cert"));
     config.output_config.output = Output::Pem;
     config.production = true;
 
@@ -101,8 +99,7 @@ async fn staging_overwrites_expired_production() {
     let dir = tempfile::tempdir().unwrap();
     let mut acme = TestAcme::new(gen_cert::expired());
 
-    let mut config = Config::test(42);
-    config.output_config.certificate_path = dir.path().join("cert.pem");
+    let mut config = Config::test(42, &dir.path().join("test_cert"));
     config.output_config.output = Output::Pem;
     config.production = true;
 
@@ -140,13 +137,12 @@ async fn corrupt_existing_does_not_crash() {
 
     let dir = tempfile::tempdir().unwrap();
 
-    let mut config = Config::test(42);
-    config.output_config.certificate_path = dir.path().join("cert.pem");
+    let mut config = Config::test(42, &dir.path().join("test_cert"));
     config.output_config.output = Output::Pem;
     config.production = true;
 
     let corrupt_data = "-----BEGIN CERTIFisrtens-----\r\n 128972184ienst\r\n-----END";
-    std::fs::write(&config.output_config.certificate_path, corrupt_data).unwrap();
+    std::fs::write(config.output_config.cert_path.as_path(), corrupt_data).unwrap();
 
     let mut acme = TestAcme::new(gen_cert::valid());
     config.production = false;
diff --git a/main/tests/diagnostics.rs b/main/tests/diagnostics.rs
index 03ee1ba..0e8d603 100644
--- a/main/tests/diagnostics.rs
+++ b/main/tests/diagnostics.rs
@@ -1,14 +1,13 @@
 use renewc::renew::InstantAcme;
 use renewc::{run, Config};
 use pem::Pem;
+use tempfile::tempdir;
 
 mod shared;
 
 #[cfg(target_os = "linux")]
 #[tokio::test]
 async fn haproxy_binds_port() {
-    use tempfile::tempdir;
-
     shared::setup_color_eyre();
     shared::setup_tracing();
 
@@ -22,7 +21,7 @@ async fn haproxy_binds_port() {
     let ha_config = ha_config.replace("<PORT>", &bound_port.to_string());
     std::fs::write(&path, ha_config).unwrap();
 
-    let mut config = Config::test(bound_port);
+    let mut config = Config::test(bound_port, &dir.path().join("test_cert"));
     config.diagnostics.haproxy.path = path;
 
     let err = run::<Pem>(&mut InstantAcme {}, &mut std::io::stdout(), &config, true)
@@ -43,7 +42,8 @@ async fn insufficent_permissions() {
     shared::setup_color_eyre();
     shared::setup_tracing();
 
-    let config = Config::test(42);
+    let dir = tempdir().unwrap();
+    let config = Config::test(42, &dir.path().join("test_cert"));
 
     let err = run::<Pem>(&mut InstantAcme {}, &mut std::io::stdout(), &config, true)
         .await
diff --git a/main/tests/format.rs b/main/tests/format.rs
index 8f9247b..cc2ea96 100644
--- a/main/tests/format.rs
+++ b/main/tests/format.rs
@@ -13,14 +13,12 @@ async fn der_and_pem_equal() {
     shared::setup_tracing();
 
     let dir = tempfile::tempdir().unwrap();
-    let path = dir.path().join("cert.pem");
 
     let valid_till = OffsetDateTime::now_utc();
     let original: Signed<Pem> = gen_cert::generate_cert_with_chain(valid_till, false);
 
-    let mut config = Config::test(42);
+    let mut config = Config::test(42, &dir.path().join("test_cert"));
     config.production = false;
-    config.output_config.certificate_path = path;
 
     for format in [
         Output::Pem,
diff --git a/main/tests/shared/gen_cert.rs b/main/tests/shared/gen_cert.rs
index 0ec444e..f1b5aa5 100644
--- a/main/tests/shared/gen_cert.rs
+++ b/main/tests/shared/gen_cert.rs
@@ -78,6 +78,7 @@ pub fn valid() -> OffsetDateTime {
     OffsetDateTime::from_unix_timestamp(16_734_790_789).unwrap()
 }
 
+#[allow(dead_code)]
 pub fn expired() -> OffsetDateTime {
     OffsetDateTime::from_unix_timestamp(1_683_145_489).unwrap()
 }
diff --git a/main/tests/shared/mod.rs b/main/tests/shared/mod.rs
index 13057eb..da8103b 100644
--- a/main/tests/shared/mod.rs
+++ b/main/tests/shared/mod.rs
@@ -62,13 +62,15 @@ pub fn setup_tracing() {
 mod tests {
     use pem::Pem;
     use renewc::{Config, ACME};
+    use tempfile::tempdir;
 
     use super::*;
 
     #[tokio::test]
     async fn acme_test_impl_pem_has_private_key() {
+        let dir = tempdir().unwrap();
         let acme = TestAcme::new(valid());
-        let cert: Signed<Pem> = acme.renew(&Config::test(42), true).await.unwrap();
+        let cert: Signed<Pem> = acme.renew(&Config::test(42, &dir.path().join("test_cert")), true).await.unwrap();
 
         dbg!(&cert.private_key);
         let private_key = String::from_utf8(cert.private_key.into_bytes()).unwrap();
diff --git a/setup_crosscompile/src/main.rs b/setup_crosscompile/src/main.rs
index dbeac38..a099e65 100644
--- a/setup_crosscompile/src/main.rs
+++ b/setup_crosscompile/src/main.rs
@@ -48,17 +48,15 @@ fn main() {
     musl_compilers.insert("arm-unknown-linux-musleabihf", "arm-linux-musleabihf-cross");
 
     let target_arch = env::args().nth(1).expect("needs arch as argument");
-    let compiler_name = musl_compilers.get(target_arch.as_str()).expect(&format!(
-        "unsupported arch: {target_arch}\nvalid options are: {:?}",
-        musl_compilers.keys().collect::<Vec<_>>()
-    ));
+    let compiler_name = musl_compilers.get(target_arch.as_str()).unwrap_or_else(|| panic!("unsupported arch: {target_arch}\nvalid options are: {:?}",
+        musl_compilers.keys().collect::<Vec<_>>()));
 
     let dir = PathBuf::from("../compilers");
     if !dir.is_dir() {
         fs::create_dir(&dir).unwrap();
     }
 
-    if !dir.join(&compiler_name).is_dir() {
+    if !dir.join(compiler_name).is_dir() {
         download_compiler(dir, compiler_name);
     }
 }