Problem with configuring tentacle to use custom certificates with certificate chains

Hi community,

Following the instructions from "Custom certificates with Octopus Server and Tentacle", I ran into an error importing the certificate.

tentacle.exe import-certificate --from-file=F:\Temp\***.pfx -pfx-password=*** --console

Importing the certificate stored in PFX file in F:\Temp\***.pfx using the provided password…

PFX file F:\Temp\***.pfx contains multiple certificates, taking the first one.

The X509 certificate C=DE, S=Hessen, L=Frankfurt am Main, O=***, OU=***, CN=*** was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

===============================================================================
Unable to load X509 Certificate file. The X509 certificate file you provided does not include the private key. Please make sure the private key is included in your X509 certificate file and try again.
System.Security.Cryptography.CryptographicException
   at Octopus.Tentacle.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password, ILog log) in CertificateEncoder.cs:line 40
   at Octopus.Tentacle.Commands.ImportCertificateCommand.Start() in ImportCertificateCommand.cs:line 78
   at Octopus.Tentacle.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions) in AbstractCommand.cs:line 80
   at Octopus.Tentacle.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in ConsoleHost.cs:line 34
   at Octopus.Tentacle.Startup.OctopusProgram.RunHost(ICommandHost host) in OctopusProgram.cs:line 204
   at Octopus.Tentacle.Startup.OctopusProgram.Run() in OctopusProgram.cs:line 155

From my understanding of the error message, the tentacle import-certificate command does not correctly follow the certificate chain to the leaf certificate. The leaf certificate has its private key exported to the pfx file and could successfully be used with other tools. I have no influence on the certificate itself because it is delivered by our central IT security department.

Does anyone else have experience with this behaviour? Did you find any solution for this problem? Is there a possibility to directly enter the certificate information into the config file?

Kind regards,
Sebastian

Good morning @sebastian.eisinger,

Welcome to the forums and thank you for contacting Octopus Support.

I am sorry to hear you are running into an issue when trying to change a tentacle certificate. I have not had that error when trying to change the tentacle certificate, but I have had the error when trying to import a certificate into the Octopus certificate store if it was a chain certificate.

I ended up using this article here (see the title ‘Creating a .pem with the Private Key and Entire Trust Chain’ at the end of the article) to build my certificate (it needs to be built in a specific order with the private key first).

If you notice in the error you see this -

PFX file F:\Temp\***.pfx contains multiple certificates, taking the first one.

So Octopus expects the first certificate to be the primary key, as that is how they should be built. Some applications will take them in a different order (HTTPS websites, for example, will), but Octopus won't, I am afraid.

The easiest way around this would be to get your security team to regenerate that certificate in the order mentioned in that article, but if that is not an option you would need to:

  • Get all of the individual certificates from that certificate chain from your security team.
  • Open them all individually in notepad and copy them in the order stated in that article and paste them into a blank notepad file.
  • You can then go into your tentacle config files (usually located in C:\Octopus\tentacleinstancename) and paste the certificate chain contents in there and save it (you may need to stop the tentacle service before you can edit the config file).

  • You could also create the certificate chain cert once you have got all the individual ones pasted into a notepad doc and then use our documentation to import that certificate, as that would be easier than manually changing the config file.

Let me know if that helps. It would be easier for your security team to check the certificate they have given you and make sure the private key is in there first; if it is, let me know, but that's usually why you see that error message.

Kind Regards,
Clare

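The check Clare suggests (find out which certificate in the PFX carries the private key and whether it comes first) can be done on the Tentacle host itself. The following PowerShell is an added example, not code from this thread or from Octopus Deploy: it loads the PFX with .NET's X509Certificate2Collection, prints the certificates in the order .NET reads them with a flag for the one that has the private key, and writes a new PFX in which that certificate is added first, followed by the remaining chain certificates. The input and output paths are assumptions, the password is prompted for interactively, and the EphemeralKeySet flag (which keeps the private key out of the Windows key store during the rebuild) requires .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the thread or from Octopus Deploy).
# Inspect the certificate order inside a PFX and rebuild it with the
# private-key (leaf) certificate first, then the rest of the chain.

$pfxIn  = 'F:\Temp\chain.pfx'      # assumption: PFX as delivered by the security team
$pfxOut = 'F:\Temp\tentacle.pfx'   # assumption: rebuilt PFX to feed to import-certificate

# Prompt rather than hard-coding the password; the .NET Import overload used below takes a string.
$password = Read-Host -Prompt 'PFX password'

# Exportable is required so the private key can be written into the new PFX.
# EphemeralKeySet avoids persisting the key into the user's key container (.NET 4.7.2+).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($pfxIn, $password, $flags)

# Show the order .NET reads the certificates in and which one carries the private key.
$index = 0
foreach ($cert in $coll) {
    '{0}: subject={1}  issuer={2}  hasPrivateKey={3}' -f $index, $cert.Subject, $cert.Issuer, $cert.HasPrivateKey
    $index++
}

# The certificate that has the private key is the one Tentacle needs to see first.
$leaf = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) {
    throw 'No certificate in the PFX has a private key; the key was not exported into this file.'
}

if ($coll[0].Thumbprint -eq $leaf.Thumbprint) {
    'The private-key certificate is already first in the PFX.'
}

# Rebuild: leaf (with key) first, then every other certificate in the original order.
$ordered = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
[void]$ordered.Add($leaf)
foreach ($cert in $coll) {
    if ($cert.Thumbprint -ne $leaf.Thumbprint) { [void]$ordered.Add($cert) }
}

$bytes = $ordered.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
[System.IO.File]::WriteAllBytes($pfxOut, $bytes)
'Wrote {0} with {1} certificate(s); private-key certificate is first.' -f $pfxOut, $ordered.Count
```

After rebuilding, run the same `tentacle.exe import-certificate --from-file=... --pfx-password=... --console` against the new file; if the "contains multiple certificates, taking the first one" line is followed by a successful key load, the order was the problem. If the listing above shows no certificate with `hasPrivateKey=True`, the PFX never contained the key and has to be re-exported by whoever holds it, which matches the second half of Clare's advice.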

Hi @clare.martin,

thank you for your helpful advice. Manually modifying and copying content into the config files does not seem to be an optimal solution for us. So we will try to argue to our team, which is responsible for the security scans, why Octopus uses self-signed certificates for the tentacles. The reasons for this are documented in your online documentation and your blog.

If I need any further assistance, I'll let you know. Thanks in advance and have a nice day.

Regards,
Sebastian


Hey @sebastian.eisinger,

No problem at all, glad I could help. If you do need us, reach out; we don't have too many customers using their own tentacle and Octopus server certificates, but there are a few (which is why we have guides on how to do it, so it is easy for customers to use their own certificates).

The self-signed ones are usually more than adequate for security audits, but it does depend on your own infrastructure and requirements.

Kind Regards,
Clare


This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.