Proper way to replace a certificate that is about to expire on a server

I am fairly new to Octopus Deploy and am trying to come up with an optimized deployment process to replace an expiring certificate on a server running IIS. I am on Octopus 3.14.159. I have the current and new certificate loaded into the Octopus Deploy certificates library. The process I came up with so far is:

  1. Install new certificate (Import Certificate).
  2. Bind IIS website to new certificate (Run a Script)
  3. Test IIS website (Run a Script)
  4. Remove old certificate (Run a Script)

Step #4 is particularly problematic because I am specifying the old certificate by its thumbprint in an Octopus Deploy variable. Each time the certificate expires I need to update the Octopus Deploy variable with the thumbprint of the expiring certificate. It would be nice if I could reference the expiring certificate in the Octopus Deploy certificates library to retrieve the thumbprint for the removal of the certificate from the server. Is that possible? Maybe I am making this all too complicated and there is an easier way. Is there an easier process?

Hi Ron,

Thanks for getting in touch! I think you may be able to benefit from our subscription feature. This feature lets you subscribe to events that happen on the Octopus server, then either send an email, or subscribe to a webhook. This could be used with the API to do what you are after with some custom scripting.

If you would like to see some documentation on our subscription feature, you can see the following page:

You are able to subscribe to the following events:

Certificate expired
Certificate expiry 10-day warning
Certificate expiry 20-day warning
Certificate private-key exported
Certificate replaced

Other than that, I’m not too sure if there are any direct options in Octopus to handle this.

Let me know what you think. If you have any further questions at all, please feel free to let me know.

Best regards,

Thank you for the information. I did not know about this feature and will make use of it. However it doesn’t directly pertain to the issue I am having.

  1. Are the steps I am following to update an expired certificate the most streamline process?
  2. In step #4 is there an easy way to retrieve the thumbprint from the expired certificate in Octopus Deploy certificates library?

Hi Ron,

Thanks for getting back! I have some further information for you here that should help. My last answer didn’t mention our certificate feature which has an inbuilt archive which automatically archives replaced certs.

I believe the archive feature is what you are after here. Our documentation on certificates has detailed steps on how we designed our certificates feature to be used.

Let me know if the above helps or if you still have questions here. :slight_smile:

Best regards,

Thank you for your assistance but I believe you are misunderstanding what I am asking.
Suppose I have a web server where I have a certificate that is about to expire on 9/8/17. I load a renewed certificate with an expiration date of 9/8/18 into Octopus Deploy. I then use Octopus Deploy to install the renewed certificate. At this point the old certificate, that is about to expire on 9/8/17 is still on the web server. What is the best method to remove the old certificate from the web server using Octopus Deploy?

Hi Ron,

I’m sorry misinterpreting your question and for the delay in getting back to you here. I ran this past the team and did some digging. It looks like your current solution of using a script step is the only way Octopus is able to do this.

It sounds like you already have a working solution for removing the old certificates via script. However, I thought I would provide you the following link anyway. :slight_smile:

Again sorry for the delay in responding to you here.

Best regards,

Thank you for the information and the link to the PowerShell article.

As a side note, I am fairly new to Octopus Deploy and the support staff at Octopus Deploy have been very helpful with all my support requests. Keep up the great work!!
Thank you!!