Certificates Feature

February 23, 2017

Octopus Certificates

Certificates become first-class Octopus citizens with Release 3.11!

Last year we asked for your feedback on our initial designs for this feature. The responses were positive and many. It was very clear that automating certificates is a pain in the... deployment pipeline. Hopefully we can ease that a little.

Certificates in Octopus

The Certificates feature allows you to:

Store Certificates

Add Certificate

Certificates can be uploaded in PFX, PEM, or DER formats, and may include private-keys. They can be scoped to Environments and\or Tenants. You can search for certificates, and they provide a visual indication when they are approaching expiry.

Certificate Variables

You can create variable with a certificate as the value.

Certificate Variables

This concept of typed variables is new to Octopus. Understanding the type of a variable opens many possibilities that aren't available when variables are simply text. You can expect to see other types of variables in the future.

Certificate variables are used by the new Import Certificate step, and can also be used in IIS binding configurations.

They can also be used in your own custom scripts. As we suggested in our RFC post for this feature, at deployment time certificate variables are expanded into many variables, essentially simulating O-O properties using dot-notation. See our documentation for the available properties.

Import Certificate Deployment Step

Import Certificate Step

We have added a new Import Certificate step, making it easy to import a certificate managed by Octopus into a Windows Certificate Store as part of your deployment process.

Import Certificate Step details

Reference certificate variables when configuring HTTPS bindings

You can... exactly what the title above suggests.

Certificate in HTTPS binding

Export Certificates

Certificates can be exported in PFX, PEM, or DER formats. Or you can export them exactly as they were originally uploaded.

For PEM format, you can choose whether the private-key is included or not.

Download Certificate

Configure Expiry Notifications

Octopus Subscriptions can be created to fire when a certificate is 20-days-from-expiry, 10-days-from-expiry, or on expiry.

The subscriptions can be configured to send an email or post to a URL. See the Integration section below for a few thoughts on this.

Replace a Certificate

When a replacement is obtained for a certificate that is due to expire, it is likely that you want to replace all usages of the expired certificate with the new one. The Replace feature supports this by allowing you to upload the new certificate file. The new certificate will inherit all the Octopus properties of the old certificate (Name, Environments, etc) including the ID. This has the effect that all referencing variables will now point to the new certificate. The previous certificate is given a new ID and archived (so you can still access it if needed).


Like everything in Octopus, the Certificate functionality is exposed via our HTTP REST API and is consumable via our .NET client library. This should make it possible to integrate Octopus Certificates into whatever process your organization uses to manage X.509 certificates.

In particular, expiry-notifications via Subscriptions, combined with the Replace API endpoint, should open some interesting possibilities. This is something we hope to write about further in the future.


And as always, please tell us what you think. We love hearing from our users.

Happy (cryptographically-secure) Deployments!

Tagged with: New Releases