How should I retrieve the Octopus Azure certificate in custom scripts?

In BootstrapDeployToAzure.ps1 we have:

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList @($OctopusAzureCertificateFileName, $OctopusAzureCertificatePassword)

Set-AzureSubscription -CurrentStorageAccount $OctopusAzureStorageAccountName `
    -SubscriptionName $OctopusAzureSubscriptionName `
    -SubscriptionId $OctopusAzureSubscriptionId `
    -Certificate $certificate

The variables $OctopusAzureCertificateFileName and $OctopusAzureCertificatePassword aren’t available in “regular” powershell step scripts, nor are they something we can hard-code. I’d like to use them to perform some custom Azure interactions after some manual intervention steps. The tricky part is understanding how to get hold of the cert + password, if that is at all possible. So my steps look like:

  1. Azure Deploy
  2. Manual Intervention
  3. Custom Powershell (does some Azure stuff)
  4. Manual Intervention
  5. Custom Powershell (does some Azure stuff)

Where 3 & 5 are hard to get configured correctly.

Can you give any advice? Ultimately I want to end up running some powershell after deploying to Azure, with the correct subscription all set and ready to go.

Hi,

Thanks for getting in touch! In 3.0 the Azure configuration and support is changing and this will provide a much nicer solution for you.
Until then the only workaround would be to put the certs in a variable and use that.

Hope that helps!
Vanessa

Thanks for the reply!

Do you have any suggestions regarding exactly how I should save the certificate out to a variable?

To be honest I struggle with the transition from Bash to Powershell. It’s a really weird mix of OOP, character arrays and piping :wink: So I can’t just assign the certificate to an Octopus variable (which must be a string), but serialising it up (BinaryFormatter->MemoryStream->Base64 and back) feels long-winded. Copying the .pfx file elsewhere to make it available in later steps feels untidy, too.

I feel like I’m missing something much simpler - so just probing for any specific suggestions, really?

Thanks again :slight_smile:

Hi there

You’re right, it feels all wrong, but the Base64 and back is probably your best option right now. Like Vanessa said, we do want to make this better and we will soon.

Damian
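
Added example, not part of the original thread and not Octopus's own code: the Base64 round trip discussed above can skip BinaryFormatter by encoding the .pfx file's bytes directly and rebuilding the certificate in the custom step. The project variable names (AzureCertificateBase64, AzureCertificatePassword, AzureStorageAccountName, AzureSubscriptionName, AzureSubscriptionId) are hypothetical, and the two certificate variables are assumed to be stored as sensitive variables.

```powershell
# Run once on a workstation; paste the output into the (hypothetical)
# AzureCertificateBase64 project variable.
function ConvertTo-PfxBase64 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $fullPath = (Resolve-Path $Path).ProviderPath
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($fullPath))
}

# Run inside the custom step: rebuild the certificate from the variable
# without writing a .pfx file into the working directory.
function ConvertFrom-PfxBase64 {
    param(
        [Parameter(Mandatory = $true)][string]$Base64,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $bytes = [Convert]::FromBase64String($Base64)
    try {
        # A byte[] inside a multi-element argument list is passed as one argument.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList @($bytes, $Password)
    }
    finally {
        # Zero the raw PFX bytes once the certificate object exists.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

# Step body. $OctopusParameters only exists when Octopus runs the script,
# so the guard lets the functions be dot-sourced and tested elsewhere.
if ($OctopusParameters) {
    $certificate = ConvertFrom-PfxBase64 `
        -Base64 $OctopusParameters['AzureCertificateBase64'] `
        -Password $OctopusParameters['AzureCertificatePassword']

    # Same call as in BootstrapDeployToAzure.ps1, fed from project variables.
    Set-AzureSubscription -CurrentStorageAccount $OctopusParameters['AzureStorageAccountName'] `
        -SubscriptionName $OctopusParameters['AzureSubscriptionName'] `
        -SubscriptionId $OctopusParameters['AzureSubscriptionId'] `
        -Certificate $certificate

    # Log only the thumbprint; never echo the Base64 blob or the password.
    Write-Host "Using management certificate $($certificate.Thumbprint)"
}
```

With the default key storage flags, importing the PFX still persists the private key in the key store of the account running the step, so that account's profile should be treated as holding the management certificate.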