CSP attributes on PFX Certificates don't survive round-tripping?

I’ve been exploring the new Octopus certificates feature to handle deployment of self-signed client certificates that we use to sign JWT tokens for authorising REST requests with Salesforce.

The certificate in question has been created with OpenSSL, and exported a PFX file via openssl’s ‘pkcs12’ command. In this case we explicity set the CSP as well (see http://hintdesk.com/c-how-to-fix-invalid-algorithm-specified-when-signing-with-sha256/ for more).

I can store the certificate fine. If I download the certifiicate in the original format I get the same file back. However if I export as PFX (which the certificate originally was) then the CSP attribute appears to have been stripped from the certificate.

I need to get the certificate into an Azure App Service web site, and implemented a custom Powershell step to do this using the Kudi VFS API to upload files. However the .Pfx property of the certificate variable doesn’t give me the certificate in that format with the CSP attribute in tact, and there doesn’t seem to be another way to get the certificate in its original PKCS12/.pfx format.

Oddly enough, this discussion isn’t appearing on the main list at http://help.octopusdeploy.com/discussions/problems/ ?

Oh ok, now it is!

Hi James,

I can see why this would be happening. The Microsoft CSP Name is stored as a “bag attribute” of the PFX file. It’s not actually part of the certificate, which would explain why it is being lost in translation.

I have created an issue for us to support round-tripping these bag attributes.

We’ll get this resolved as soon as possible. We apologize for any inconvenience.


A resolution for this issue was included in release 3.11.13 of Octopus. The PFX attributes (including Microsoft CSP) should be included in the deployed PFX now.