Certificate Replacement Does Actually Replace

(john.hossbach) #1

I’m trying out the certificate deployment features of Octopus for the first time and I’m running into a problem that I’m hoping is just me missing something obvious: When I deploy a certificate after replacing it, the old certificate isn’t removed.

I followed the following steps to setup my environment:

  1. Added the certificate per https://octopus.com/docs/deployment-examples/certificates/add-certificate
  2. Setup a project and added the Import Certificate step template by Octopus (Octopus.Certificate.Import).
  3. Deployed to my test server.
  4. Replaced the certificate per https://octopus.com/docs/deployment-examples/certificates/replace-certificate
  5. Deployed to my test server.

The result was that I now have two certificates with the same friendly name and different expiration dates.

I’m also wondering if the Replace feature offers a rollback option.

#3

Hi John,

Thanks for getting in touch, and I can understand the confusion here!

When implementing this feature we tried to minimize the opportunity that we have to do harm so while we replace the Certificate on the Octopus Server we chose not to replace it on any destination target. What we do in this case is deploy the new certificate when a deployment occurs for any projects that reference the certificate, and that application that has been deployed will now reference the updated certificate however, as you noticed, we don’t remove the current certificate.

There are a few reasons why, the primary concern is not being able to determine as part of a deployment whether any other applications are using this certificate. It would be incredibly bad if as part of a deployment other applications failed. This is something we are hoping to address as part of our Operations Processes feature that we are currently working on, which is designed to allow for maintenance items such as this outside of an application deployment. We haven’t started active development yet (starting in the next few weeks) so I wouldn’t expect this anytime soon.

Hope that all makes sense, let me know if there is anything else that I can help with.

Regards,
Alex

(john.hossbach) #4

I mean, I guess that’s where the administrator comes in right? :slight_smile:

As an interim solution, can you add a checkbox that would enable/disable the certificate deletion by subject name? The default would be disabled for the concerns you noted above.

(system) closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.