IIS AppPool Identity for new Certificates feature

This is a wonderful addition, but is there a trick to setting read permissions for an App Pool Identity? If I try “IIS AppPool\app-pool-name,” it can’t seem to find it. If I just use “app-pool-name” by itself, it seems to almost work, but then it fails with “The trust relationship between the primary domain and the trusted domain failed.” This may be an issue on the machine itself, but looking at the failure’s stacktrace, I see it’s trying to translate the name. If I run (in LINQPad):

// Resolve an account name to its SID (same lookup the failing step appears to perform)
var account = new System.Security.Principal.NTAccount("app-pool-name");
var result = account.Translate(typeof(System.Security.Principal.SecurityIdentifier));

I get back an SID, though I’m running that as a domain user, of course. It looks like the tentacles run as SYSTEM, so maybe that’s why? Sorry if this is something simple, but I thought I’d check to see if there was something obvious I was missing before I dig in too much deeper. I’m using version 3.11.2 Thanks!

OctopusLog.txt (2 KB)

Hi Adam,

Thank you for the kind words. I’m sorry you’ve hit this issue.

If you are planning to use the certificate to configure an HTTPS binding in Octopus (as shown in the attached image), you don’t need to explicitly grant the app-pool access to the private-key. We take care of that automatically for you.
I am going to update our docs to make this clear.

Out of curiosity, I tested your approach, and was able to successfully grant access to the app-pool account. I used the “IIS AppPool\app-pool-name” format. Is it possible that in your case the app-pool isn’t created at the time the Import Certificate step is running?

Regards,
Michael
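One way to do what Adam is after, as an added PowerShell example that is not from the thread or from Octopus: it first checks that the “IIS AppPool\app-pool-name” account actually resolves (a pool that does not exist yet, as Michael suggests, fails at this step), then grants that pool read-only access to the certificate’s private-key file. $PoolName and $Thumbprint are placeholders, and the key-file location assumes a CSP (CAPI) RSA key stored under MachineKeys.

```powershell
# Added example, not from Octopus or the thread. Run elevated on the IIS host.
$PoolName   = 'app-pool-name'          # placeholder: IIS application pool name
$Thumbprint = 'THUMBPRINT-PLACEHOLDER' # placeholder: certificate thumbprint in LocalMachine\My

# 1. Confirm the virtual account resolves before touching any ACL.
#    A lookup failure here usually means the app pool has not been created yet
#    (e.g. the certificate step runs before the step that creates the pool).
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved IIS AppPool\$PoolName to $($sid.Value)"
}
catch {
    throw "Could not resolve 'IIS AppPool\$PoolName' on this machine; create the pool first. ($_)"
}

# 2. Locate the certificate and its private-key file.
#    Assumption: CSP (CAPI) RSA key, which lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath (CNG-stored key?)." }

# 3. Grant Read only: the pool needs to use the key, not export, replace or delete it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Verify the entry landed, so the deployment log shows the effective permission.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq "IIS AppPool\$PoolName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

If the certificate was imported with a CNG key provider, $cert.PrivateKey is null on older .NET builds and the key file lives elsewhere; the script stops at step 2 rather than guessing a path.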

Hi Michael,

Thanks for taking a look for me. In this case, it’s a certificate that will be used by a website, but it isn’t one that is specifically for an HTTPS binding, but that’s good to know about the automatic permissions.

After you confirmed that it did work with the “IIS AppPool\app-pool-name” format, I tried a few other combinations and finally just hard-coded the name. That worked, which led me to the realization that the variable I was using was out of scope for that particular step/environment combination. So, the problem is completely on my end, and not yours at all, which is a bit embarrassing, but I’m glad to get it solved either way. Thanks so much for the update, the feature, and a great product! Sorry about the mixup.

Adam,

Not a problem at all. I’m glad to hear it’s working for you now.

Happy Deployments!