Download certificate from Octopus to disk


I’m deploying a Docker container and I require a certificate to be available when the app starts. I’m thinking of simply mounting a volume, storing the certificate on disk and then using the path/password to load the certificate at application startup.

How can I download the certificate to disk? Certificates are managed by Octopus.


You can use certificate variables to extract the certificate in the desired format.
$OctopusParameters["CertName.CertificatePem"] | Out-File $pfxPath -Force -Verbose

When working with this in the past I’ve noticed a few oddities, such as when using RawOriginal, the output seemed to be base64 encoded requiring it to be decoded first.

$data = $OctopusParameters["CertName.RawOriginal"]
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($data)) | Out-File -Encoding "ASCII" $pfxPath

Thanks for the quick answer. It seems there is no pwsh on target… Can it be done in bash?

PATH=$(get_octopusvariable 'Octopus.Action.Package.InstallationDirectoryPath')
echo "Downloading $CERT to $PFX"
# TODO How to output
cat $(get_octopusvariable $CERT.CertificatePem) >> $PFX

I don’t have much experience with bash, but the certificate variables would be available to a bash script so it should be possible.

Is your bash sample not working as expected?

Just tried it and it seems that the PATH (Octopus.Action.Package.InstallationDirectoryPath) is null. How can I get the location for the current deploy folder?

Octopus.Action.Package.InstallationDirectoryPath returns the location that the package in the current step is extracted to. If this bash script is running in a separate step to the package extraction it won’t be available.

The options would be to either use a custom installation directory within the package step, and use a project variable for this value which you could then use again in the bash script.

Or add the custom scripts feature to the package deploy step, and add a script that adds to an output variable.
set_octopusvariable "installFolder" "$(get_octopusvariable 'Octopus.Action.Package.InstallationDirectoryPath')"
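
An added example (not from the thread's participants or from Octopus) of the bash version asked about above: it prints the `CertificatePem` variable into a file instead of passing it to `cat`, avoids reusing the name `PATH`, and refuses an empty destination directory. The function name `write_cert_pem`, the stand-in `get_octopusvariable` and its sample data are assumptions made so the script also runs outside a deployment.

```bash
#!/usr/bin/env bash
# Added example: write an Octopus certificate variable to disk from bash.

# Outside an Octopus deployment get_octopusvariable does not exist, so define a
# stand-in that returns constructed sample data (not a real certificate).
if ! command -v get_octopusvariable >/dev/null 2>&1; then
  get_octopusvariable() {
    case "$1" in
      *.CertificatePem)
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                      'Q09OU1RSVUNURUQ=' \
                      '-----END CERTIFICATE-----' ;;
    esac
  }
fi

# write_cert_pem <certificate variable name> <destination directory>
# Prints the path of the file written; returns non-zero on any failure.
# Usage in a deployment script: pem_path=$(write_cert_pem "CertName" "$install_dir")
write_cert_pem() {
  local cert_name=$1 dest_dir=$2 pem tmp
  # Never store the directory in a variable called PATH: that replaces the
  # command search path and later commands such as cat are no longer found.
  if [ -z "$dest_dir" ] || [ ! -d "$dest_dir" ]; then
    echo "destination directory is empty or missing" >&2
    return 1
  fi
  # The variable holds the PEM text itself, not a file name, so it is
  # captured and printed rather than handed to cat.
  pem=$(get_octopusvariable "$cert_name.CertificatePem")
  case "$pem" in
    *'-----BEGIN CERTIFICATE-----'*) ;;
    *) echo "$cert_name.CertificatePem is empty or not PEM" >&2; return 1 ;;
  esac
  # mktemp creates the file with mode 0600; mv then replaces the target in
  # one step, so a reader never sees a half-written certificate.
  tmp=$(mktemp "$dest_dir/.cert.XXXXXX") || return 1
  printf '%s\n' "$pem" > "$tmp" && mv -f "$tmp" "$dest_dir/$cert_name.pem" \
    || { rm -f "$tmp"; return 1; }
  printf '%s\n' "$dest_dir/$cert_name.pem"
}
```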

Hi @paul.calvert

I took another way by utilizing a Docker entrypoint script and the .NET certificate tool. So basically


if [ ! -z "$1" ]; then
  # Getting the expected string to pass to raw isn't obvious
  # In Powershell:
  #   $fileName = "PFX file name"
  #   $bytes = Get-Content $fileName.pfx -Encoding Byte
  #   [System.Convert]::ToBase64String($bytes) | Out-File $fileName.txt
  # IMPORTANT! Open notepad++ and ensure no BOM and encoding is UTF8
  echo "Install certificate with thumbprint $thumbprint"
  /tools/certificate-tool add -b "$raw" -p "$password" -t "$thumbprint"
  rc=$?  # bash has no $lastexitcode; $? holds the tool's exit status
  if [ $rc -ne 0 ]; then
    echo "Error installing certificate"
    exit $rc
  fi
fi

dotnet app.dll

Then I pass the values in from Run a Docker container step by passing them using Additional Arguments > Command field. Not additional arguments since they need to be last in the invocation.

This way I don’t need to mount volume or files nor pollute environment variables.


