Best practice for easy IIS certificate management


(blake.duffey) #1

We have an internal Windows CA that we use to issue certificates for our internal DEV/TEST systems. Previously I’ve stored all those certificates in Octopus and assigned them during deployment (via Deploy an IIS Site). Of course, I now have 30 certificates that are getting ready to expire around the same time.

I could re-issue all of them from the CA and do the same thing again - but I’m wondering if there is a way to leverage IIS’ ability to renew certs from an internal CA?

Anyone done this with Octopus?


(Michael Richardson) #3

Hi Blake,

This is a great question. I thought I’d highlight a couple of Octopus pieces that would be likely to play a part in a solution for this.

Replace Certificate API Endpoint
There is an API endpoint at /api/certificates/{certificate-id}/replace which is designed for when a certificate has been renewed. It archives the existing certificate and replaces it with the new one. Any Octopus variables which reference the old certificate now automatically point at the new cert.

This can be invoked from the UI, but if you’re automating it then using the Octopus .NET client library is probably the easiest way.

Subscribing to Certificate Expiry Events
Octopus raises events 20-days-prior, 10-days-prior, and on expiry. You can configure subscriptions for these which can invoke a webhook.
This is handy if you want Octopus to be the source of truth for certificate expiry.

I hope that is some help. Unfortunately there is nothing out-of-the-box in Octopus relating to the IIS certificate rebind functionality. But if we can be of any assistance along the way, please don’t hesitate to reach out.

This would make a great blog post 🙂

Regards,
Michael
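One way to wire the two pieces together, as an added example that is not part of the thread or of Octopus' own tooling: after the internal CA has renewed a certificate into the local machine store, export it and push it through the replace endpoint so the existing Octopus variables follow the new cert. The Octopus URL, API key, certificate id and thumbprint are placeholders you supply; the body field names (CertificateData, Password) and the Thumbprint/NotAfter properties on the response are my reading of the endpoint and should be checked against your server's API documentation, and on servers that use spaces the path carries a space id (e.g. /api/Spaces-1/certificates/...).

```powershell
# Added example (not from the thread): replace an Octopus certificate with its renewed copy.
# Assumed/placeholder: all four parameters; the request body shape is my understanding of
# POST /api/certificates/{id}/replace, so confirm it against your Octopus API docs.
param(
    [Parameter(Mandatory)][string]$OctopusUrl,     # e.g. https://octopus.example.internal
    [Parameter(Mandatory)][string]$ApiKey,         # Octopus API key; keep it out of source control
    [Parameter(Mandatory)][string]$CertificateId,  # e.g. Certificates-42 (placeholder)
    [Parameter(Mandatory)][string]$Thumbprint      # thumbprint of the renewed cert in LocalMachine\My
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; IIS cannot bind it" }
# Guard against pushing the old cert by mistake: a freshly renewed cert should not be near expiry.
if ($cert.NotAfter -lt (Get-Date).AddDays(20)) {
    throw "Certificate $Thumbprint expires $($cert.NotAfter); it does not look renewed"
}

# Export to a throwaway PFX protected by a random password (the key must be marked exportable).
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$pwBytes = New-Object byte[] 24
$rng.GetBytes($pwBytes)
$pfxPassword = [Convert]::ToBase64String($pwBytes)
$pfxPath = Join-Path $env:TEMP ("octo-renew-{0}.pfx" -f [Guid]::NewGuid().ToString("N"))
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
        -Password (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) | Out-Null
    $pfxBase64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($pfxPath))
} finally {
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }   # never leave the PFX on disk
}

# Replace the certificate in Octopus; the old one is archived and variables follow the new one.
$body = @{ CertificateData = $pfxBase64; Password = $pfxPassword } | ConvertTo-Json
$result = Invoke-RestMethod -Method Post `
    -Uri "$($OctopusUrl.TrimEnd('/'))/api/certificates/$CertificateId/replace" `
    -Headers @{ 'X-Octopus-ApiKey' = $ApiKey } -Body $body -ContentType 'application/json'

# Verify Octopus now holds the renewed cert before trusting the next deployment to use it.
if ($result.Thumbprint -ne $Thumbprint) {
    throw "Octopus reports thumbprint $($result.Thumbprint), expected $Thumbprint"
}
Write-Host "Replaced $CertificateId; Octopus now holds $($result.Thumbprint), expiring $($result.NotAfter)"
```

Run it from a subscription webhook receiver (the 20-days-prior event mentioned above) or from a scheduled task that loops over the certificate ids you track, then redeploy the IIS sites so the new binding is applied.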