Certificates become first-class Octopus citizens with Release 3.11!
Last year we asked for your feedback on our initial designs for this feature. The responses were positive and many. It was very clear that automating certificates is a pain in the... deployment pipeline. Hopefully we can ease that a little.
The Certificates feature allows you to:
- Store your certificates in Octopus
- Create variables with a certificate as the value
- Import certificates into Windows Certificate Stores via the new Import Certificate deployment step
- Reference certificate variables when configuring HTTPS bindings
- Export certificates in any of the supported formats
- Configure Subscriptions to notify when certificates are close to expiry, or have expired
- Replace a certificate
- Archive a certificate when you wish to retire it gracefully
Store Certificates
Certificates can be uploaded in PFX, PEM, or DER formats, and may include private keys. They can be scoped to Environments and/or Tenants. You can search for certificates, and they provide a visual indication when they are approaching expiry.
Certificate Variables
You can create a variable with a certificate as the value.
This concept of typed variables is new to Octopus. Understanding the type of a variable opens many possibilities that aren't available when variables are simply text. You can expect to see other types of variables in the future.
Certificate variables are used by the new Import Certificate step, and can also be used in IIS binding configurations.
They can also be used in your own custom scripts. As we suggested in our RFC post for this feature, at deployment time certificate variables are expanded into many variables, essentially simulating object-oriented properties using dot-notation. See our documentation for the available properties.
Import Certificate Deployment Step
We have added a new Import Certificate step, making it easy to import a certificate managed by Octopus into a Windows Certificate Store as part of your deployment process.
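As an added example (not from the original post or the Octopus project), here is a PowerShell script step that could run after the Import Certificate step to confirm that the certificate landed in the store with its private key and is not about to expire. It assumes a certificate variable named WebCert (a hypothetical name) imported into LocalMachine\My, and reads the Thumbprint property that the variable expands to.

```powershell
# Added example: post-import check for a script step run after Import Certificate.
# Assumptions: certificate variable "WebCert" (hypothetical name) and the
# LocalMachine\My store. WebCert.Thumbprint is one of the expanded properties.
function Test-ImportedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int] $WarnDays = 20   # matches the earliest expiry notification window
    )

    # Thumbprints pasted from UIs often carry spaces or invisible characters.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate $wanted not found in $StorePath" }

    # A certificate without its private key cannot back an HTTPS binding.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $wanted in $StorePath has no private key"
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        throw "Certificate $wanted expired on $($cert.NotAfter.ToString('u'))"
    }
    if ($daysLeft -le $WarnDays) {
        Write-Warning "Certificate $wanted expires in $daysLeft day(s)"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
    }
}

# $OctopusParameters is supplied by Octopus at deployment time; skip when absent.
if ($OctopusParameters) {
    Test-ImportedCertificate -Thumbprint $OctopusParameters['WebCert.Thumbprint']
}
```

A thrown error fails the step, so a missing key or an expired certificate stops the deployment before the HTTPS binding is configured.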
Reference certificate variables when configuring HTTPS bindings
You can... exactly what the title above suggests.
Export Certificates
Certificates can be exported in PFX, PEM, or DER formats, or exactly as they were originally uploaded.
For PEM format, you can choose whether the private key is included or not.
Configure Expiry Notifications
Octopus Subscriptions can be created to fire when a certificate is 20-days-from-expiry, 10-days-from-expiry, or on expiry.
The subscriptions can be configured to send an email or post to a URL. See the Integration section below for a few thoughts on this.
Replace a Certificate
When a replacement is obtained for a certificate that is due to expire, it is likely that you want to replace all usages of the expiring certificate with the new one. The Replace feature supports this by allowing you to upload the new certificate file. The new certificate will inherit all the Octopus properties of the old certificate (Name, Environments, etc.) including the ID. This has the effect that all referencing variables will now point to the new certificate. The previous certificate is given a new ID and archived (so you can still access it if needed).
Integration
Like everything in Octopus, the Certificate functionality is exposed via our HTTP REST API and is consumable via our .NET client library. This should make it possible to integrate Octopus Certificates into whatever process your organization uses to manage X.509 certificates.
In particular, expiry-notifications via Subscriptions, combined with the Replace API endpoint, should open some interesting possibilities. This is something we hope to write about further in the future.
Feedback
And as always, please tell us what you think. We love hearing from our users.
Happy (cryptographically-secure) Deployments!