Import custom certificate to OD using import-certificate

A feedback to the import-certificate function in OctopusDeploy:
I tried to import several custom PFX files to be used by my OctopusDeploy service but failed as no PFX contained the private key, according to the error message. However, each PFX did contain a private key. This I could e.g. verify by importing each (PFX) certs into Win cert store and export the same with the private key. The PFX files were created using both the export functionality in Win cert.store (MMC>Certificates) as well as from using the cmd line tool OpenSSL.
The failing OD command I was running (as admin) was (like):

Octopus.Server.exe import-certificate --from-file=“C:\Temp\foo.pfx” --pfx-password=“123456” --console

The error messages was like the following (from $\AppData\Local\Octopus\Logs\OctopusServer.txt):

INFO Octopus Deploy: Server version 3.4.10 (3.4.10+Branch.master.Sha.XXXXXXXXXXXXXXXXXXXXXXXX1)
INFO Importing the certificate stored in PFX file in C:\Temp\foo.pfx using the provided password…
WARN The X509 certificate CN=octopusdeploy, C=SE was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name
ERROR ===============================================================================
FATAL Unable to load X509 Certificate file. The X509 certificate file you provided does not include the private key.
[…]

The code in OctopusDeploy called WINAPI CryptAcquireCertificatePrivateKey(…) and this function generated a silent error when returning false. Using Windows ‘GetLastError’ functionality, the error message was “Invalid provider type specified”. Thus, some googling…
A successfully workaround was to follow the steps outlined in c# - "Invalid provider type specified" CryptographicException when trying to load private key of certificate - Stack Overflow (, based on remyblok.tweakblogs.net/blog/11803/converting-certificate-to-use-csp-storage-provider-in-stead-of-cng-storage-provider). It consists of converting a PFX (with a CNG private key) to another PFX (with a private key stored as RSA).
I.e, running in cmd as admin:

OpenSSL pkcs12 -in “foo.pfx” -nokeys -out “foo.cer” -passin “pass:123456”
OpenSSL pkcs12 -in “foo.pfx” -nocerts -passin “pass:123456” -passout “pass:123456” -out “foo.pem”
OpenSSL rsa -inform PEM -in “foo.pem” -passin “pass:123456” -passout “pass:123456” -out “foo.rsa”
OpenSSL pkcs12 -export -in “foo.cer” -inkey “foo.rsa” -passin “pass:123456” -passout “pass:123456” -out “foo.RSA.pfx”

, and finally

Octopus.Server.exe import-certificate --from-file=“C:\Temp\foo.RSA.pfx” --pfx-password=“123456” --console

==> Certificate imported successfully in OctopusDeploy

Hi Mathias,

Thank you for the excellent detective work. I am looking into whether we are going to support CNG private keys. In the mean time I will update the error to something more informative.

How did you generate the private key? Powershell, makecert, ADCS or another method?

Robert W

Hello Robert

This is how the private keys (for the pfx:s) were generated:

· The certificate was created using PowerShell Cmdlet New-SelfSignedCertificate on a Win8.1 computer, e.g.

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname OctopusServer
Then the certificate, together with its private key, was exported to a PFX using Microsoft Management Console (MMC). This PFX could not be imported as a custom cert in OD.

· OpenSSL, version 1.0.2e, was used to create a p12, following Create a .pfx/.p12 Certificate File Using OpenSSL - SSL.com

/mathias

From: Robert Wagner [mailto:tender2+d019f94925@tenderapp.com]
Sent: Friday, October 7, 2016 7:11 AM
To: mathias.danielsson@trustweaver.com
Subject: Re: Import custom certificate to OD using import-certificate [Beta Testing and Feedback #187]

// Please reply above this line

From: Robert Wagner (Support staff)
Hi Mathias,
Thank you for the excellent detective work. I am looking into whether we are going to support CNG private keys. In the mean time I will update the error to something more informative.
How did you generate the private key? Powershell, makecert, ADCS or another method?
Robert W
On Tue, Oct 04 at 08:29 AM PDT, mathias.danielsson wrote:
A feedback to the import-certificate function in OctopusDeploy:
I tried to import several custom PFX files to be used by my OctopusDeploy service but failed as no PFX contained the private key, according to the error message. However, each PFX did contain a private key. This I could e.g. verify by importing each (PFX) certs into Win cert store and export the same with the private key. The PFX files were created using both the export functionality in Win cert.store (MMC>Certificates) as well as from using the cmd line tool OpenSSL.
The failing OD command I was running (as admin) was (like):

Octopus.Server.exe import-certificate --from-file=“C:\Temp\foo.pfx” --pfx-password=“123456” --console
The error messages was like the following (from $\AppData\Local\Octopus\Logs\OctopusServer.txt):

INFO Octopus Deploy: Server version 3.4.10 (3.4.10+Branch.master.Sha.XXXXXXXXXXXXXXXXXXXXXXXX1)
INFO Importing the certificate stored in PFX file in C:\Temp\foo.pfx using the provided password…
WARN The X509 certificate CN=octopusdeploy, C=SE was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

Hi Mathias,

Thank you for that. I’ve opened a GitHub issue for this, which will add it to our backlog.

I’ve tried a few things, but I can’t make a compatible cert with powershell. Makecert.exe should still work though.

Robert W