Tentacle Thumbprints

I have a a scenario where we need to use octopus to deploy database scripts out to production.

The production environment for the SQL database is in a clustered environment and we have two servers. Now we have installed the tentacles on both servers but this would deploy the scripts out to the same environment twice.

Is there a way we can get octopus to deploy to only one of the servers. One way i had thought about this was to have the same thumbprint for each tentacle and intall them as one machine in the environment under the clustered address. That way the cluster would take care of which server it would deploy to.

Would this be at all possible


One way to do this is to create a role (“primary-db-server” for example) and to only assign one machine to that role, and have the DB package deployed to only that role.

To share the same certificate between the two machines you’ll need to copy the value of the registry entry HKLM\Software\Octopus\Cert-cn=Octopus Tentacle from one machine to another.


This is not valid anymore as Tentacle does not store this in registry. Certificate is stored in the Tentacle.config file in a serialised form along with the thumbprint. Could you please mention the format of this serialised form so that we can use custom certificates or share the certificate for clusters.

Many Thanks.

HI Bunny - we have certificate export and import coming in 2.4, some details at https://github.com/OctopusDeploy/Issues/issues/353#issuecomment-38012235


I am attempting to auto-enroll a tentacle through a remote PowerShell command (I have over 300 servers I need to do). I am struggling at the part where I can auto-enroll the tentacle to the server because I am unable to retrieve the thumbprint of the server that this PowerShell script is running on.

I see that there is a way to “show-thumbprint” using the tentacle.exe application however this will not work for me. I need to be able to obtain the thumbprint via PowerShell and then pass that into my $tentacleEndpoint variable on the Thumbprint property.

$name in this example is the name of the machine that I have a remote PowerShell session open with.

#setup octopus variables
$octopusApiKey = 'MY_API_KEY'
$octopusURI = 'https://MY_OCTOPUS_URL'
$endpoint = new-object Octopus.Client.OctopusServerEndpoint $octopusURI, $octopusApiKey
$repository = new-object Octopus.Client.OctopusRepository $endpoint
$tentacleEndpoint = New-Object Octopus.Client.Model.EndPoints.ListeningTentacleEndpointResource
$tentacleEndpoint.Thumbprint = $tentacleThumbprint 
$tentacleEndpoint.Uri = "https://"+$name+":10933"

$tentacle = New-Object Octopus.Client.Model.MachineResource
$tentacle.Endpoint = $tentacleEndpoint

foreach($environment in (GetEnvironment($name))){ $tentacle.EnvironmentIds.Add($environment); }
foreach($role in (GetMachineRoles($name))){ $tentacle.Roles.Add($role); }

$tentacle.Name = $name;

#create the machine

Hi Ks11747,

You can have the Tentacle register itself from the command like. We have some docs here http://docs.octopusdeploy.com/display/OD/Automating+Tentacle+installation


I am using the powershell that is included in that page. The problem is that I can’t get the tentacle of the machine I am registering. Setting up the tentacle is easy, I am auto registering it with the server, which requires the thumbprint of the tentacle machine… So what’s up with that?


Hi Kyle

Sorry my mistake, didn’t recognize your script.

You can get the Tentacle thumbprint by executing Tentacle.exe show-thumbprint as a command. (Add a --no-logo option to make it easier to parse). I’ll update the doco to make that clearer.



I’m not using the command line. I’m using powershell in a remote powershell session. I’ll try to remotely execute the command line interface through a .cmd file but so far I’ve been unsuccessful at running that. I was hoping there was a powershell example that would setup the service (much like the command line version) that I would be able to use and then capture the thumbprint from that. Is that possible?

Kyle Schultz
Manager of Enterprise Architecture

3750 Priority Way South Drive, Suite200
Indianapolis, IN 46240
Mobile: 765.401.1452tel:765.401.1452

Sent from Outlookhttp://aka.ms/Ox5hz3 on my mobile device, please forgive any typos.

Hi Kyle,

Are you setting up the Tentacle remotely? Via the command line already ?
Otherwise, you could read the config file directly, if you look in the Octopus directory on the Tentacle machine you’ll find a config file, the thumbprint is in there. (we do reserve the right to change that though).


I am using a powershell script to query active directory for all servers matching certain properties. Then looping through that list, installing chocolates, then octopus tentacle all in a remote powershell session.

Then in that session I am executing a cmd file and having it setup the service (grabbed from the “show script” option in the tentacle manager on a test machine). Then in a remote session I’m executing the powershell script that I included in my original post to register that machine with the server. This is all happening in a single powershell script and is about 190 lines long (so not huge).

I know that the certificate base 64 encrypted is stored in the tentacle.config; so if that is what I need to use I can open that file, read it in as an xml blob and get the value from it. I just figured there was an easier way to do it using the Octopus.Client assembly on the machine that is already setup and configured - but is not yet registered with the octopus server.

So I’m really open to any suggestions at this point because I have around 300 VM’s that I need to do this to, so my script is all ready to run except for the one thing left that to get the thumbprint of the machine to register.

This is basically an Admin instance that our infrastructure team is going to use to do some remote administration and service manipulation and such.


Hi Kyle,

I think your best option will be to register the Tentacle as part of that initial command file, but failing that reading the XML and grabbing the thumbprint will be the easiest.



I have the same issue - is there a away you can output ‘just’ the thumbprint value without the text prior ‘The thumbprint of this tentacle is:’

I do not wish to have to edit the script every time on each server entering my thumbprint manually - this is totally impractical for regisitering multiple servers. Am I missing something - is there another way it can be done?

Hi Jon,

You can get it from the Tentacle.config file using Powershell to parse the XML. The key should look like this

<set key="Tentacle.CertificateThumbprint">9658E8C8A8B3F607B76EC7623B3F05772394DA3C</set>


Hi Dalmiro

Thanks for that – we are looking at the XML extraction.

In the meantime this also works:-

#Get the Thumbprint
$subject = .\Tentacle.exe show-thumbprint --nologo
$result = $subject -creplace ‘((?:The thumbprint of this Tentacle is: )+)(?(?:[0-9a-zA-Z]+))’, ‘${field2}’