Tentacle Certificate from Windows Certificate Store

Is there any way to make the Tentacle use a certificate from the Windows Certificate store instead of feeding a PFX file into it?

Our scenario is that our systems are issued a certificate from a CA. This certificate’s private key is not exportable so I can’t get a PFX file to feed into the Tentacle configuration.

This problem is limited to a Windows Tentacle, not an SSH target. On Windows (and especially with .NET) it isn’t very difficult to use certificates out of the certificate store, so it seems odd to require the use of a PFX file.

This would also apply to the server certificate for the Tentacle listener when in polling mode.

Thanks
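The blocker in the post above is a CA-issued certificate whose private key is marked non-exportable, so no PFX can be produced for the Tentacle import. The check below is an added example (not from this thread and not Octopus tooling) that reports, for each certificate in the machine store, whether its private key could be exported to a PFX at all; it assumes it is run elevated on the Tentacle host and that the CA-issued certificate lives in Cert:\LocalMachine\My.

```powershell
# Added example: find out which machine certificates can be exported to a PFX
# for "Tentacle import" and which are blocked by a non-exportable private key.
# Assumption: run elevated; the store path Cert:\LocalMachine\My is assumed.

function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG (KSP) keys: the export policy lives on the CngKey. AllowExport is
            # enough for PFX export because PKCS#12 wraps the key encrypted.
            $policy = $rsa.Key.ExportPolicy
            $canExport = (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
            $canPlain  = (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) -ne 0)
            return ($canExport -or $canPlain)
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI (CSP) keys: the flag is on the key container.
            return [bool]$rsa.CspKeyContainerInfo.Exportable
        }
        # Non-RSA keys (e.g. ECDSA) are not inspected here; treat as not exportable.
        return $false
    } catch {
        # Key exists but cannot be opened under this identity (typically not elevated).
        return $false
    }
}

# Report every certificate with a private key; a row with Exportable = False is
# one that Export-PfxCertificate will refuse, which is the situation in the post.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Exportable = Test-PrivateKeyExportable -Cert $_
        }
    } | Format-Table -AutoSize
```

Certificates reported as Exportable can be turned into a PFX with Export-PfxCertificate for the Tentacle import command; the others cannot leave the store, which is exactly why the store-based option is being requested.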

Hi,

Thanks for getting in touch.

Currently there is no way to make Tentacle use a certificate from the Windows Certificate store. I can understand your frustration trying to use a certificate from the store that is not exportable.

It isn’t very difficult to use certificates out of the certificate store and we could use them in Octopus. I’ll try to explain why we don’t.

We implemented the “import” command as the exception rather than the rule mainly to allow the use of pre-baked certificates when automating Tentacle installation on machines that are unable to generate their own certificate. As a side effect you can use certificates issued by a CA but we encourage you not to.

In the interest of your sanity and security we suggest you use the self-signed certificates generated by Tentacle when it is installed. I’d like to learn more about your situation: do you have a particular requirement to use CA-issued certificates?

Cheers,
Shane

Some of our customers, notably our US Government ones, require that they issue all certificates.

I read the Octopus blog post on why use self-signed certificates. I generally agree with most of the points, however, the main point it is missing is control. Control over certificate policy, revocation, private keys, etc.

We may be able to get by with it as is on the Tentacle side since we will be using polling mode and the certificate is only used for SSL client authentication from what I can tell. I’ll have to have some discussions on our end. Otherwise it may be a no-go for us.

Hi,

I can empathize with your circumstances. I have had some discussions on our end and we feel that if this is going to be a show-stopper for you and it is largely outside of your control (your customer requirements) then we should do something for you.

I have added an item to our backlog to allow the use of a certificate from the certificate store. You can track it here: https://github.com/OctopusDeploy/Issues/issues/2616

Hope this helps.

Cheers,
Shane

Thank you, I have added a comment to the backlog item. If I can help with it in any way, please let me know.