Importing custom certificate to Octopus Server

(sergei.dubovsky) #1

Hi there!

I am trying to import the custom certificate to Octopus Server, as described in https://octopus.com/docs/how-to/how-to-use-custom-certificates-with-octopus-server-and-tentacle

I generate and export the certificate with the following:

$cert = New-SelfSignedCertificate -certstorelocation Cert:\CurrentUser\My -FriendlyName "Test Cert" -Subject "CN=Octopus"
$pwd = ConvertTo-SecureString -String "Passw0rd!" -Force -AsPlainText
Export-PfxCertificate -cert $cert -FilePath C:\temp\test-cert.pfx -Password $pwd

When I try to import this certificate, as such:
Octopus.Server.exe import-certificate --from-file="C:\Temp\test-cert.pfx" --pfx-password="Passw0rd!" --console

It gives me this error:

Importing the certificate stored in PFX file in C:\Temp\test-cert.pfx using the provided password…
The X509 certificate CN=Octopus was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

Unable to load X509 Certificate file. The X509 certificate file you provided does not include the private key. Please make sure the private key is included in your X509 certificate file and try again.
System.Security.Cryptography.CryptographicException
at Octopus.Shared.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password)

Is there anything specific about the certificate for Octopus? The key is definitely there. I manually imported this cert into Windows and it does show an available private key.

Thank you.

(Daniel Fischer) #2

Hi,

Thanks for getting in touch! I'm sorry for the delay here. Currently the developers are looking further into this issue. However, I was able to replicate this behavior on my system; it looks like if the cert is created at Cert:\CurrentUser\My it is not a CNG key, and Octopus.Server.exe can not import it.

It looks like this command should work if you change the -certstorelocation Cert:\CurrentUser\My to Cert:\LocalMachine\My. Would you be able to confirm that this lets you import the certificate correctly?

We are still looking into this a bit more. We will create a GitHub issue when we have some more information.

Let me know how you go with this or if you have any further questions.

Best regards,
Daniel

(sergei.dubovsky) #3

Followup: It is CNG-related. I added -Provider "Microsoft Strong Cryptographic Provider" to New-SelfSignedCertificate and the import now works.
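
The fix from the previous post, as an added example that is not part of the original thread: generate the certificate with the legacy CSP provider, export it, then re-load the PFX and confirm that a private key is present and which key storage technology backs it, so a bad PFX is caught before it is handed to Octopus. The path, subject and password are placeholders; the check that a CSP-backed key surfaces as RSACryptoServiceProvider and a CNG-backed key as RSACng is an assumption about the .NET behaviour on Windows, not something the thread states.

```powershell
# Added example, not code from the thread or from Octopus Deploy.
# Placeholders: path, subject and password are made up for this example.
$pfxPath     = 'C:\Temp\test-cert.pfx'
$pfxPassword = ConvertTo-SecureString -String 'Passw0rd!' -Force -AsPlainText

# -Provider selects the legacy CSP (the key type the thread found importable).
# -KeyExportPolicy Exportable makes sure the private key can be written to the PFX.
$cert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Subject 'CN=Octopus' -FriendlyName 'Test Cert' `
    -Provider 'Microsoft Strong Cryptographic Provider' `
    -KeyExportPolicy Exportable

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Re-load the exported file the way a consumer would, rather than trusting the store.
$loaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $pfxPassword, 'Exportable'

if (-not $loaded.HasPrivateKey) {
    throw "PFX $pfxPath does not contain a private key"
}

# Assumption: on Windows, GetRSAPrivateKey() returns RSACryptoServiceProvider for a
# CSP-backed key and RSACng for a CNG-backed key, which distinguishes the two cases.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($loaded)
$keyType = $rsa.GetType().Name
if ($keyType -eq 'RSACryptoServiceProvider') {
    "Private key is CSP-backed ($keyType); expected to import into Octopus Server."
} else {
    Write-Warning "Private key is backed by $keyType (CNG); regenerate with -Provider 'Microsoft Strong Cryptographic Provider'."
}
$rsa.Dispose()
```

Run in an elevated Windows PowerShell session, since Cert:\LocalMachine\My requires administrator rights to write to.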

(Daniel Fischer) #4

Hi,

Thanks for the followup, I will pass this onto the team! Feel free to get in touch any time. :slight_smile:

Best regards,
Daniel

(system) closed #6