Certificate process for IIS

I’ve been trying to move to a process flow where I use Octopus to store and install certificates onto our Windows Server (using IIS), but keep struggling with the initial load of it.

Our usual process has been:

  1. Create a CSR in IIS
  2. Provide the CSR to our SSL store and purchase the certificate
  3. Receive a .crt file from the store
  4. Do a “Complete certificate request” in IIS (note: we do usually sacrifice a small animal or child before doing this because of all the issues we’ve had in years past with actually importing certs into IIS!)
  5. In Octopus, set up bindings with self-managed certificate, using manually-ascertained thumbprint.
  6. Deploy and everything works wonderfully.

I’ve tried doing all of the above by doing the import of the certificate via Octopus, but it doesn’t actually do a “completion of CSR”, instead it just does an import, and so it all fails because it doesn’t link the imported public key with our existing private key.

The only way I’ve found to make it work is:

  1. Follow steps 1 to 4 as per above
  2. Export the full certificate via IIS (or MMC) - including setting a password
  3. Add the full certificate to Octopus certificates library
  4. Add variables and bindings
  5. Run a deployment and everything works

My question is, is there any way to avoid this need to do the import manually onto the server the first time and then export the full cert file for use in Octopus? Is there a “usual” way to do this sort of thing? I’m also thinking about how this would work when we eventually start scaling horizontally.

Thanks in advance!
Bron

I meant to also say, I’ve read through a bunch of existing forum topics but haven’t been able to see this answered elsewhere yet - but if I’ve missed something then my apologies :)

Hi Bron,

Thanks for getting in touch! Currently the current method you have noted as working is correct. Whilst we have some future plans to improve the certificate experience in Octopus, we may not be making any changes in this area for some time.

You may have already seen it but our documentation page on Certificates is worth taking a look at if you have not.

If you have any questions or further thoughts at all here, please don’t hesitate to let me know.

Best regards,
Daniel
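
The working method discussed above (complete the request on the server, then export the full certificate with a password), scripted as an added example that is not part of the original thread and is not Octopus's own tooling. The file paths are placeholders, and it assumes the CSR was created on this machine, that `certreq -accept` places the completed certificate in `LocalMachine\My`, and that the key was created as exportable.

```powershell
# Added example; paths are placeholders, not values from the thread.
$CrtPath = 'C:\certs\site.crt'   # .crt file received from the SSL store
$PfxPath = 'C:\certs\site.pfx'   # full certificate to add to the Octopus library

# Read the thumbprint from the issued certificate before touching the store.
$issued     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrtPath
$thumbprint = $issued.Thumbprint

# Command-line equivalent of "Complete certificate request": pairs the
# issued certificate with the pending request's private key on this machine.
certreq.exe -accept -machine $CrtPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed with exit code $LASTEXITCODE"
}

# Assumption: the completed certificate lands in the machine's Personal store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# A plain import leaves the public certificate in the store with no key
# attached, which is the failure described in the question. Stop here if so.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint is in the store but has no private key linked."
}

# Prompt for the PFX password instead of hard-coding it in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Fails if the private key was not marked exportable when the CSR was created.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

Write-Host "Exported $PfxPath (thumbprint $thumbprint)"
```

The exported .pfx contains the private key, so delete it from disk once it has been added to the Octopus certificates library.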

Thanks Daniel.

Yes I did read that documentation and it did help along the way.

Thanks,
Bron
