diff --git a/.gitignore b/.gitignore
index 485dee6..b60278c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .idea
+cmd/cert-bundler/testdata/pkg/*
diff --git a/cmd/cert-bundler/Dockerfile b/cmd/cert-bundler/Dockerfile
new file mode 100644
index 0000000..2f7f50d
--- /dev/null
+++ b/cmd/cert-bundler/Dockerfile
@@ -0,0 +1,32 @@
+# Build and runtime image for cert-bundler
+# Usage (from repo root or cmd/cert-bundler directory):
+# docker build -t cert-bundler:latest -f cmd/cert-bundler/Dockerfile .
+# docker run --rm -v "$PWD":/work cert-bundler:latest
+# This expects a /work/bundle.yaml file in the mounted directory and
+# will write generated bundles to /work/bundle.
+
+# Build stage
+FROM golang:1.24.3-alpine AS build
+WORKDIR /src
+
+# Copy go module files and download dependencies first for better caching
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the rest of the source and build the cert-bundler binary
+COPY . .
+RUN go build -o /bin/cert-bundler ./cmd/cert-bundler
+
+# Runtime stage (kept as golang:alpine per requirement)
+FROM golang:1.24.3-alpine
+
+# Create a work directory that users will typically mount into
+WORKDIR /work
+VOLUME ["/work"]
+
+# Copy the built binary from the builder stage
+COPY --from=build /bin/cert-bundler /usr/local/bin/cert-bundler
+
+# Default command: read bundle.yaml from current directory and output to ./bundle
+ENTRYPOINT ["/usr/local/bin/cert-bundler"]
+CMD ["-c", "/work/bundle.yaml", "-o", "/work/bundle"]
diff --git a/cmd/cert-bundler/main.go b/cmd/cert-bundler/main.go
index 3dd4ef7..0f0bb69 100644
--- a/cmd/cert-bundler/main.go
+++ b/cmd/cert-bundler/main.go
@@ -584,7 +584,6 @@ func generateHashFile(path string, files []string) error { return nil } - // makeUniqueName ensures that each file name within the archive is unique by appending // an incremental numeric suffix before the extension when collisions occur. // Example: "root.pem" -> "root-2.pem", "root-3.pem", etc.
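Review bot: In cmd/cert-bundler/Dockerfile the runtime stage has no `USER` instruction, so cert-bundler runs as root and the bundles it writes into the bind-mounted /work will be root-owned on the host. Running unprivileged keeps a tool that parses certificate input at least privilege: either add a non-root user before the `ENTRYPOINT` (for example `RUN adduser -D -u 10001 bundler` followed by `USER bundler`), or show `docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/work cert-bundler:latest` in the usage comment so the mount stays writable. Both `FROM golang:1.24.3-alpine` lines pin a tag only; because this image produces trust bundles, pinning by digest (`FROM golang:1.24.3-alpine@sha256:<digest>`) would protect the build from a retagged base image. `COPY . .` sends the whole repository into the build context, so a `.dockerignore` is worth adding if one does not already exist outside this diff.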
@@ -599,10 +598,7 @@ func makeUniqueName(name string, used map[string]int) string {
 base := strings.TrimSuffix(name, ext)
 // Track a counter per base+ext key
 key := base + ext
- counter := used[key]
- if counter < 1 {
- counter = 1
- }
+ counter := max(used[key], 1)
 for {
 counter++
 candidate := fmt.Sprintf("%s-%d%s", base, counter, ext)
diff --git a/cmd/cert-bundler/testdata/bundle.yaml b/cmd/cert-bundler/testdata/bundle.yaml
index 91e369c..840d129 100644
--- a/cmd/cert-bundler/testdata/bundle.yaml
+++ b/cmd/cert-bundler/testdata/bundle.yaml
@@ -2,6 +2,19 @@ config:
 hashes: bundle.sha256
 expiry: 1y
 chains:
+ weird:
+ certs:
+ - root: pems/gts-r1.pem
+ intermediates:
+ - pems/goog-wr2.pem
+ - root: pems/isrg-root-x1.pem
+ outputs:
+ include_single: true
+ include_individual: true
+ manifest: true
+ formats:
+ - zip
+ - tgz
 core_certs:
 certs:
 - root: pems/gts-r1.pem
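Review bot: In cmd/cert-bundler/main.go the new `counter := max(used[key], 1)` carries no comment explaining the floor of 1. Because the loop increments before formatting the candidate, that floor is what makes the first collision produce the "-2" suffix promised in the function's doc comment; a line such as `// floor at 1 so the first suffix tried is -2` above it would record this. The builtin `max` requires a `go 1.21` or later directive in go.mod, which this diff does not show and is worth confirming. makeUniqueName's body continues past the end of the hunk.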