Group permission issue with Import Certificate Step for certs managed by Octopus Deploy

OctopusDeploy version 3.15.0
We are currently running into an issue with applying permissions to a group (COMPUTERNAME\IIS_IUSRS) for a certificate that is managed by Octopus Deploy.
The ‘Add Access Rule’ help text implies this should work with users or groups: “The user or group identity. e.g. DOMAIN\userOrGroup”. We’ve tried specifying the computer name and the FQDN of the computer, but it does not seem to work properly; however, it seems to work fine when we apply permissions to a specific user (i.e. COMPUTERNAME\test.user).

The error being thrown is:
"There was an error importing the certificate into the store
Could not set security on private-key

Some or all identity references could not be translated.

The remote script failed with exit code 100
"

Any help would be appreciated. Attached screenshot.

Hi Larry,

Thanks for getting in touch! I’ve tried to reproduce the behaviour you are seeing. I can get the same error if I use IIS_IUSRS_WRONG or a mis-spelling like IIS_IUSR. However, if I specify IIS_IUSRS the deployment succeeds.

I didn’t qualify the group name with the computer name, just plain old IIS_IUSRS. Perhaps try that and get back to me if you still have a problem.

Here’s a screenshot of my step:

As a side note, are you sure you want to grant rights to the IIS_IUSRS group, meaning all web app pools will have access to that private key? By default Octopus will grant the required minimum rights to the actual App Pool’s identity to make that Web Site work correctly. It also works if you use the same certificate for many web sites, like a wildcard certificate. This would mean you don’t need any special/non-default configuration.

Hope that helps!
Mike
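For anyone hitting the same error, the PowerShell below is an added example; it is not code from this thread or from Octopus Deploy. The first function performs the NTAccount-to-SID translation that produces the “Some or all identity references could not be translated” message, so a candidate spelling can be tested on the target machine before it goes into the step. The second does by hand what the step’s access rules amount to: it finds the certificate’s private-key file and adds a Read access rule for the identity. Assumptions: it runs elevated on the target machine, the key-file directories are the standard CAPI and CNG machine-key locations, the thumbprint is a placeholder, and the identity strings listed are only candidates to test, not recommendations.

```powershell
# Added example: not code from the thread or from Octopus Deploy.
# Assumptions: run elevated on the target machine; key files live in the standard
# CAPI/CNG machine-key directories; the thumbprint in the usage line is a placeholder.

# Part 1: check that an identity string resolves to a SID. This is the translation
# that fails with "Some or all identity references could not be translated".
function Test-IdentityResolves {
    param([Parameter(Mandatory)][string]$Identity)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Identity = $Identity; Resolves = $true;  Sid = $sid.Value }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Identity = $Identity; Resolves = $false; Sid = $null }
    }
}

# Part 2: locate the certificate's private-key file and add a Read ACE for the identity.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Identity,
        [string]$StoreLocation = 'LocalMachine',
        [string]$StoreName = 'My'
    )
    # Fail early with a readable message if the identity cannot be translated.
    $check = Test-IdentityResolves $Identity
    if (-not $check.Resolves) { throw "Identity '$Identity' could not be translated to a SID" }
    $account = [System.Security.Principal.NTAccount]$Identity

    $cert = Get-Item "Cert:\$StoreLocation\$StoreName\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # The key file name and directory depend on whether the key is CAPI (CSP) or CNG.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $fileName = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                  "$env:ProgramData\Microsoft\Crypto\SystemKeys")   # assumed standard CNG locations
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")  # assumed standard CAPI location
    }
    else { throw "Unsupported key type: $($rsa.GetType().FullName)" }

    $keyPath = $dirs | ForEach-Object { Join-Path $_ $fileName } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyPath) { throw "Private key file '$fileName' not found under $($dirs -join ', ')" }

    # Read is enough for a web server to use the key; do not grant FullControl.
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Verbose "Granted Read on $keyPath to $Identity"

    # Return the ACEs that now apply to this identity, matched by SID so the
    # display form (e.g. BUILTIN\IIS_IUSRS vs IIS_IUSRS) does not matter.
    (Get-Acl -Path $keyPath).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $check.Sid
    }
}

# Candidate spellings from the thread; which ones resolve depends on the machine.
'IIS_IUSRS', 'BUILTIN\IIS_IUSRS', "$env:COMPUTERNAME\IIS_IUSRS", 'IIS_IUSR' |
    ForEach-Object { Test-IdentityResolves $_ }

# Usage with a placeholder thumbprint. The app pool's own virtual account
# ('IIS AppPool\<PoolName>') is a narrower grant than the whole IIS_IUSRS group.
# Grant-PrivateKeyRead -Thumbprint '<thumbprint>' -Identity 'IIS AppPool\DefaultAppPool' -Verbose
```

Run the resolution check first: if a spelling comes back with Resolves = False, the step will fail with the same translation error regardless of how the rest is configured. The grant function is a way to inspect and reproduce what the step does outside a deployment; as the reply above notes, the default behaviour of granting the app pool identity only is the tighter option.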