Octopus Deploy Documentation

Certificate Chains

Last updated

Uploaded PFX or PEM files may contain a certificate-chain. i.e. A certificate with a private-key, plus one or more authority certificates.

Certificates which contain a chain are indicated by a chain icon on the certificate card, as shown below:

The details page will show the details of all certificates in the chain:

Importing Certificate Chains

When a certificate-chain is imported to one of the Windows Certificate Stores (either via the Import Certificate Step or by using the Certificate in an IIS HTTPS Binding) the authority certificates will be automatically imported into the CA or Root stores (Root if the authority certificate is self-signed, CA otherwise as it is an intermediate authority).

Note: Authority certificates will be always be imported to the LocalMachine location, even if the subject certificate is imported to a user-specific location.
This is because importing to the Root store for a specific user results in a security-prompt being displayed, which obviously doesn't work with automated deployments.

Downloading Certificate Chains

When downloading a certificate containing a chain, the behavior depends on the format being downloaded.

  • Original: The downloaded file will be exactly what was originally uploaded.
  • PFX: The entire chain will be included in the exported file.
  • DER: Only the subject certificate will be included. DER files never contain chains.
  • PEM: Download-dialog provides options to include:
    • Primary Certificate.
    • Primary and Chain Certificates.
    • Chain Certificates Only.

Download Chain in PEM format dialog

Welcome! We use cookies and data about how you use our website allow us to improve the website and your experience, and resolve technical errors. Our website uses cookies and shares some of your data with third party analytics companies for these purposes.

If you decline, we will respect your privacy. A single cookie will be used in your browser to remember your preference.