I’ve been trying to move to a process flow where I use octopus to store and install certificates onto our Windows Server (using IIS), but keep struggling with the initial load of it.
Our usual process has been:
1. Create a CSR in IIS
2. Provide the CSR to our SSL store and purchase the certificate
3. Receive a .crt file from the store
4. Do a “Complete certificate request” in IIS (note: we do usually sacrifice a small animal or child before doing this because of all the issues we’ve had in years past with actually importing certs into IIS!)
5. In Octopus, set up bindings with self-managed certificate, using manually-ascertained thumbprint.
6. Deploy and everything works wonderfully.
I’ve tried doing all of the above by doing the import of the certificate via Octopus, but it doesn’t actually do a “completion of CSR”; instead it just does an import, and so it all fails because it doesn’t link the imported public key with our existing private key.
The only way I’ve found to make it work is:
1. Follow steps 1 to 4 as per above
2. Export the full certificate via IIS (or MMC), including setting a password
3. Add the full certificate to the Octopus certificates library
4. Add variables and bindings
5. Run a deployment and everything works
My question is, is there any way to avoid this need to do the import manually onto the server the first time and then export the full cert file for use in Octopus? Is there a “usual” way to do this sort of thing? I’m also thinking about how this would work when we eventually start scaling horizontally.
Thanks in advance!
Bron
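The manual workaround described in the post (complete the CSR on the server, then export the full certificate with a password for the Octopus library), scripted as an added example; this is not code from Bron's post or from Octopus. It assumes the CSR was generated on the same machine (IIS or certreq, machine store) and the file paths are placeholders.

```powershell
# Added example, not from the original post. Completes a pending IIS CSR with
# the issued .crt, verifies the private key was linked, then exports a
# password-protected PFX that can be uploaded to the Octopus certificate library.
# The file paths below are assumptions for illustration.
param(
    [string]$IssuedCert = 'C:\certs\www-example-com.crt',   # assumed path to the .crt from the CA
    [string]$PfxOut     = 'C:\certs\www-example-com.pfx'    # assumed output path for the Octopus upload
)

# 1. Complete the pending request. certreq -accept matches the issued cert to the
#    private key created with the CSR (machine context, where IIS keeps it).
#    A plain import does not do this, which is why the Octopus import alone
#    leaves a cert with no usable private key.
certreq -accept -machine $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 2. Locate the completed certificate in the machine store by its thumbprint,
#    read from the issued file rather than typed in by hand.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCert
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) { throw "Certificate $($issued.Thumbprint) not found in LocalMachine\My" }

# 3. The check that catches the failure from the post: a public-key-only import
#    shows HasPrivateKey = False and cannot serve TLS in IIS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no linked private key; the CSR was not completed"
}

# 4. Export the full certificate (public + private key) as a password-protected PFX.
#    Prompt for the password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxOut -Password $pfxPassword | Out-Null

Write-Host "Exported $PfxOut (thumbprint $($cert.Thumbprint)) for upload to the Octopus certificate library"
```

Run it elevated on the server where the CSR was created; the thumbprint it prints is the one to use in the Octopus binding variables.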