I’m trying out the certificate deployment features of Octopus for the first time and I’m running into a problem that I’m hoping is just me missing something obvious: When I deploy a certificate after replacing it, the old certificate isn’t removed.
I followed the following steps to set up my environment:
Thanks for getting in touch, and I can understand the confusion here!
When implementing this feature we tried to minimize the opportunity that we have to do harm, so while we replace the Certificate on the Octopus Server, we chose not to replace it on any destination target. What we do in this case is deploy the new certificate when a deployment occurs for any projects that reference the certificate, and that application that has been deployed will now reference the updated certificate; however, as you noticed, we don’t remove the current certificate.
There are a few reasons why; the primary concern is not being able to determine as part of a deployment whether any other applications are using this certificate. It would be incredibly bad if as part of a deployment other applications failed. This is something we are hoping to address as part of our Operations Processes feature that we are currently working on, which is designed to allow for maintenance items such as this outside of an application deployment. We haven’t started active development yet (starting in the next few weeks), so I wouldn’t expect this anytime soon.
Hope that all makes sense, let me know if there is anything else that I can help with.
I mean, I guess that’s where the administrator comes in, right?
As an interim solution, can you add a checkbox that would enable/disable the certificate deletion by subject name? The default would be disabled for the concerns you noted above.