Tentacle import-certificate error

We are using remote powershell automate installing the agents. Since we can not use the option for it to just create one during config we are creating one local with New-SelfSignedCertificate ans exporting the to a pfx file - Seems we are getting the below error when we do the import-certificate cmd.

Importing the certificate stored in PFX file in C:\Temp\OctopusInstaller\OctoCert.pfx using the provided password…
The X509 certificate was loaded but the private key was not loaded.
Furthermore, the private key file could not be located: Unable to obtain private key file name

Hi tbielejeski,

Thank you for reaching out and I’m sorry that you’ve hit this issue.

I need a bit more information needed so that I can help you out with this issue.

Are you using Octopus Cloud or Octopus Server installed on premise?
What version of Octopus are you running?
When you view the Certificate within Octopus - Does it say that the certificate has a private key as in the below picture?

Can you let me know the command you’re using to create the new-self signed certificate in powershell?

Finally, could you please provide some Raw log files from Octopus for a failed deployment to help diagnose the issue. I’m happy to convert this ticket to a private chat if you wish, before you attach your log file.

Thank you and I’m looking forward to your response.


So this an issue with the Tentacle software install using automation and not the octopus server.

Installer Octopus.Tentacle.5.0.13-x64

Cert creation code

Create a new cert for the Octopus Agent

$result = New-SelfSignedCertificate -DnsName “Octopus” -CertStoreLocation “cert:\LocalMachine\My” # -ProviderName “Microsoft Strong Cryptographic Provider”

$thumbprint = $result.Thumbprint

(Get-ChildItem -Path Cert:\LocalMachine\My$thumbprint).FriendlyName = “Octopus agent”

$path = “cert:\localMachine\my” + $thumbprint

$securePassword = ConvertTo-SecureString -String “InstallMe” -AsPlainText -Force

Export-PfxCertificate -Cert $path -FilePath $FilePath -Password $PfxPW -Verbose | Out-Null

Tentacle Config process

Set-Location “C:\Program Files\Octopus Deploy\Tentacle”

$tentacleConfigFile = $RootFolder + “\Octopus\Tentacle.config”

& .\tentacle.exe create-instance --instance “Tentacle” --config $tentacleConfigFile --console | Write-Output

if ($lastExitCode -ne 0) {

throw “Installation failed on create-instance”


Write-host "Cert Path " $CertPath

& .\tentacle.exe import-certificate --instance “Tentacle” -f $CertPath --console | Write-Output

020-07-03 10:44:33.7055 2692 1 INFO ================================================================================

2020-07-03 10:44:33.7055 2692 1 INFO Changed log folder from C:\Users\webadmin\AppData\Local\Octopus\Logs to c:\Bell\Octopus\Logs

2020-07-03 10:44:33.7211 2692 1 INFO Tentacle.exe version 5.0.13 (5.0.13+Branch.master.Sha.b2d2a46b46612a2bd237d7a2d35cc6ce73b1c9d9) instance Tentacle

2020-07-03 10:44:33.7211 2692 1 INFO Environment Information:

OperatingSystem: Microsoft Windows 6.3.9600

OsBitVersion: x64

Is64BitProcess: True

CurrentUser: MSPWEB010\webadmin

MachineName: MSPWEB010

ProcessorCount: 2

CurrentDirectory: C:\Program Files\Octopus Deploy\Tentacle

TempDirectory: C:\Users\webadmin\AppData\Local\Temp\

HostProcessName: Tentacle

PID: 2692

2020-07-03 10:44:33.7680 2692 1 INFO ==== ImportCertificateCommand ====

2020-07-03 10:44:33.7836 2692 1 INFO CommandLine: C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe import-certificate --instance Tentacle --from-file C:\Temp\OctopusInstaller\OctoCert.pfx --pfx-password ******** --console

2020-07-03 10:44:33.7836 2692 1 INFO Importing the certificate stored in PFX file in C:\Temp\OctopusInstaller\OctoCert.pfx using the provided password…

2020-07-03 10:44:33.8305 2692 1 WARN The X509 certificate CN=Octopus was loaded but the private key was not loaded.

Furthermore, the private key file could not be located: Unable to obtain private key file name

2020-07-03 10:44:33.8305 2692 1 ERROR ===============================================================================

2020-07-03 10:44:33.8461 2692 1 FATAL Unable to load X509 Certificate file. The X509 certificate file you provided does not include the private key. Please make sure the private key is included in your X509 certificate file and try again.


at Octopus.Shared.Security.Certificates.CertificateEncoder.FromPfxFile(String pfxFilePath, String password)

at Octopus.Tentacle.Commands.ImportCertificateCommand.Start()

at Octopus.Shared.Startup.AbstractCommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions)

at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown)

at Octopus.Shared.Startup.OctopusProgram.RunHost(ICommandHost host)

at Octopus.Shared.Startup.OctopusProgram.Run()

2020-07-03 10:44:33.8618 2692 1 FATAL -------------------------------------------------------------------------------

Terminating process with exit code 100

Full error details are available in the log files at:



If you need help, please send these log files to https://octopus.com/support

Hi Tbielejeski,

Thank you for the extra information. Your immediate issue is the fact that you’ve Commented out the -ProviderName. The ProviderName variable is required to make sure the new certificate uses CNG. https://knowledge.digicert.com/generalinformation/INFO1979

Your PrivateKey will not be in the correct form if you haven’t specified -ProviderName. So remove the “#” character.
$result = New-SelfSignedCertificate -DnsName “Octopus” -CertStoreLocation “cert:\LocalMachine\My” -ProviderName “Microsoft Strong Cryptographic Provider”

Because there isn’t the full script within your last comment, I’ve gone ahead and fleshed out a powershell script using the script you provided as a base and this link: https://octopus.com/docs/security/octopus-tentacle-communication/custom-certificates-with-octopus-server-and-tentacle#HowtousecustomcertificateswithOctopusServerandTentacle-ConfiguringOctopusServertousecustomcertificates

I assume based on the code snippet you provided, you were already looking at that page for guidance.
The code could be cleaned up a lot, but this will hopefully help you a little bit further.

#Set Variables:
$rootFolder = “C:\Program Files\Octopus Deploy\”
$tentacleConfigFile = $rootFolder+"Octopus\Tentacle.exe.config"
$certFolderPath = "C:\Users\<username>\Documents\Certificate"
$certFriendlyName = "Octopus Agent"   # Set your FriendlyName here
$certFilePath = (($certFolderPath)+"\"+($certFriendlyName)+".pfx") # Uses the friendly name within the File name for export.
$result = New-SelfSignedCertificate -DnsName “Octopus” -CertStoreLocation “cert:\LocalMachine\My” -Provider “Microsoft Strong Cryptographic Provider” # Provider required for CNG

Set-Location $RootFolder

#Prep Environment - Stop running tentacle services - also works for multiple Tentacle
Get-Service | Where-Object {$_.Name -like "OctopusDeploy Tentacle*"} | Stop-Service 

$thumbprint = $result.Thumbprint # thumbprint doesn't need to be created as you can continually refer to "$result.Thumbprint" in all the following instances
$certObject = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $thumbprint} # This step could be done without extracting Thumbprint from $result. 
$certObject.FriendlyName = $certFriendlyName

#Set Certificate Password
$securePassword = ConvertTo-SecureString -String “InstallMe” -AsPlainText -Force
Export-PfxCertificate -Cert $certObject -FilePath (($certFolderPath)+"\"+($certObject.FriendlyName)+".pfx") -Password $securePassword -Verbose | Out-Null

#Tentacle Configuration
.\Tentacle\Tentacle.exe create-instance `-`-config $tentacleConfigFile `-`-console | Write-Output

if ($lastExitCode -ne 0) {
    throw “Installation failed on create-instance”

.\Tentacle\Tentacle.exe "Import-Certificate" `-`-from-file="$certFilePath" `-`-pfx-password="InstallMe"

#Start Tentacle Service Again
Get-Service | Where-Object {$_.Name -like "OctopusDeploy Tentacle*"} | Start-Service 

I hope this helps but please reach out again if I can help you further.

Happy Deploying.



So the provider is commented out because the Provider is not a supported option on 2012 servers , it is supported on 2016 server and up.

Hi Tbielejeski,

What a shame!

I believe the -Provider argument is based on the version of Powershell installed. According to this page (https://4sysops.com/wiki/differences-between-powershell-versions/) Powershell v5.1. should be available to install on Server 2012 through the Windows Management Framework (https://www.microsoft.com/en-us/download/details.aspx?id=54616). This should allow you to run the new-SelfSignedCertificate command with the -Provider argument.

Alternatively, you can look at tools such as PSPKI. Available from here: https://www.pkisolutions.com/tools/pspki/

This should also allow you to achieve the desired result.

Please let me know if I can be of any more assistance.



This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.