I created a certificate by using Microsoft Active Directory Certificate Services, provided by my network administrator for this purpose. Here’s what the UI looks like:
- I don’t have to deal with getting clients to accept the CA, since AD takes care of that.
- It’s (relatively) easy to use.
- There doesn’t appear to be any way to script this.
- I have to create a certificate request on the target web server.
- This also means I have to complete it on that server, which means that it will be installed at the end of the process, negating some of the benefits of storing the certificates in Octopus.
- These certificates don’t appear to work with the Octopus Certificates feature.
To that last point, here is a certificate as loaded into Octopus:
Here’s the relevant section of a deployment which attempts to use that certificate:
To me, it looks like it is installing the certificate into one store, and then trying to look for it in another.
It’s worth noting that if I set the binding using the thumbprint directly instead of a certificate variable, there is no problem. That’s how we are using certificates in all of our environments today, but we get none of the advantages that the Certificates feature provides.
How do I make this work, or where did I go wrong?
I’d also like to understand how others are approaching this problem. For production certificates, we are obviously getting those issued from an external CA, and these should work with the Certificates feature without issue. It’s the task of generating certificates for our non-production environments that will work that concerns me. I have used makecert.exe before, but that had the disadvantages of having to get a CA cert installed to all of the clients, plus no central place to issue certificates from, resulting in me becoming the “cert guy” every time someone needed a new certificate. I looked into Let’s Encrypt, but it seems that a public URL is a prerequisite, and our non-production environments are explicitly non-public as well.
Are there any options out there that make it easy to generate self-signed certificates without a lot of back-and-forth (CSR) that work well in Octopus for non-production environments?
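As an added example (not part of the original post or of Octopus), here is the CSR-free, no-AD-CS path the last question asks about, done with the PKI module's New-SelfSignedCertificate in place of makecert.exe: it issues a self-signed server certificate straight into the local machine store, exports it together with its private key as a password-protected PFX, and checks that the export round-trips. The hostname, output path and one-year lifetime are assumptions. The post's own caveat for makecert still applies: a self-signed certificate is only trusted by clients that have been told to trust it, and the example does not settle which store Octopus looks in when a certificate variable is used.

```powershell
# Added example: issue a self-signed TLS certificate for a non-production host
# and export it as a PFX (certificate + private key). Hostname, path and
# lifetime are placeholders. Needs Windows 10 / Server 2016 or later and an
# elevated prompt, because the LocalMachine store is used.

$hostName    = 'app.dev.example.internal'          # assumed non-production hostname
$pfxPath     = Join-Path $env:TEMP "$hostName.pfx" # assumed output location
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) so browsers and IIS treat
# it as a TLS server certificate. -KeyExportPolicy Exportable is what allows
# the private key to leave the store; without it Export-PfxCertificate fails.
$certParams = @{
    DnsName           = $hostName
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
    NotAfter          = (Get-Date).AddMonths(12)   # assumed one-year lifetime
    FriendlyName      = "Non-prod TLS: $hostName"
}
$cert = New-SelfSignedCertificate @certParams

# Export certificate and private key as a password-protected PFX.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity checks: the PFX must load with its private key, and its thumbprint
# must match the store entry (the same value a thumbprint-based binding uses).
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if (-not $reloaded.HasPrivateKey) { throw "PFX at $pfxPath contains no private key" }
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint changed during export' }

"Issued $($cert.Subject); thumbprint $($cert.Thumbprint); PFX written to $pfxPath"

# Optional: drop the copy left in the local store so the PFX is the single
# artifact handed to whatever deploys it.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
```

Because the whole thing is a script, it can be run on demand by whoever needs a certificate rather than routed through one person, which is the "cert guy" problem described above; the trust side (getting clients to accept the issuer) is still a separate step that this does not solve.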