Octopus Deploy Documentation

Certificate variables

Last updated

In the variable-editor, selecting Certificate as the variable type allows you to create a variable with a certificate managed by Octopus as the value.

Certificate variables can be scoped, similar to regular text variables.

Expanded properties

At deploy-time, certificate variables are expanded. For example, a variable MyCertificate becomes:

Variable Description Example value
MyCertificate The certificate ID Certificates-1
MyCertificate.Type The variable type Certificate
MyCertificate.Name The user-provided name My Development Certificate
MyCertificate.Thumbprint Thumbprint A163E39F59560E6FE33A0299D19124B242D9B37E
MyCertificate.RawOriginal The base64 encoded original file, exactly as it was uploaded.
MyCertificate.Password The password specified when the file was uploaded.
MyCertificate.Pfx The base64 encoded certificate in PKCS#12 format, including the private-key if present.
MyCertificate.Certificate The base64 encoded DER ASN.1 certificate.
MyCertificate.PrivateKey The base64 encoded DER ASN.1 private key. This will be stored and transmitted as a sensitive variable.
MyCertificate.CertificatePem The PEM representation of the certificate (i.e. the PublicKey with header\footer).
MyCertificate.PrivateKeyPem The PEM representation of the private key (i.e. the PrivateKey with header\footer).
MyCertificate.ChainPem The PEM representation of any chain certificates (intermediate or certificate-authority). This variable does not include the primary certificate.
MyCertificate.Subject The X.500 distinguished name of the subject
MyCertificate.SubjectCommonName The un-attributed subject common name
MyCertificate.Issuer The X.500 distinguished name of the issuer
MyCertificate.NotBefore NotBefore date 2016-06-15T13:45:30.0000000-07:00
MyCertificate.NotAfter NotAfter date 2019-06-15T13:45:30.0000000-07:00

Example usage

Given the certificate variable MyCertificate, you can access the certificate thumbprint in a script like this:

Write-Host $OctopusParameters["MyCertificate.Thumbprint"]
thumbprint=$(get_octopusvariable "MyCertificate.Thumbprint")
echo "$thumbprint"

It's possible to write the PEM representation of the certificate to a file for use directly with a web server e.g. Apache, or a reverse proxy like NGINX. In bash, the script looks like this:

CERT=$(get_octopusvariable "MyCertificate.CertificatePem")
echo "$CERT" > my_cert.crt

If your certificate also contains any chain certificates (e.g. intermediate or certificate authority), they can be written to a file that contains the primary certificate too. The following example shows how to do so in bash:

CERT=$(get_octopusvariable "MyCertificate.CertificatePem")
CHAIN=$(get_octopusvariable "MyCertificate.ChainPem")
COMBINED_CHAIN="$CERT\n$CHAIN"
echo -e "$COMBINED_CHAIN" > my_combined.crt

If your certificate also has a private key that you need to export, you can use the PrivateKeyPem property using bash:

KEY=$(get_octopusvariable "MyCertificate.PrivateKeyPem")
echo "$KEY" > ssl.key

Learn more

Need support? We're here to help.