Certificate variables

In the variable editor, selecting Certificate as the variable type lets you create a variable whose value is a certificate managed by Octopus.

Certificate variables can be scoped, similar to regular text variables.

Expanded properties

At deploy-time, certificate variables are expanded. For example, a variable MyCertificate becomes:

| Variable | Description | Example value |
| --- | --- | --- |
| MyCertificate | The certificate ID | Certificates-1 |
| MyCertificate.Type | The variable type | Certificate |
| MyCertificate.Name | The user-provided name | My Development Certificate |
| MyCertificate.Thumbprint | Thumbprint | A163E39F59560E6FE33A0299D19124B242D9B37E |
| MyCertificate.RawOriginal | The base64 encoded original file, exactly as it was uploaded. | |
| MyCertificate.Password | The password specified when the file was uploaded. | |
| MyCertificate.Pfx | The base64 encoded certificate in PKCS#12 format, including the private-key if present. If the originally uploaded certificate was password-protected (i.e. MyCertificate.Password is not empty), then this value will also be a password-protected PFX (PKCS#12) format. | |
| MyCertificate.Certificate | The base64 encoded DER ASN.1 certificate. | |
| MyCertificate.PrivateKey | The base64 encoded DER ASN.1 private key. This will be stored and transmitted as a sensitive variable. | |
| MyCertificate.CertificatePem | The PEM representation of the certificate (i.e. the PublicKey with header/footer). | |
| MyCertificate.PrivateKeyPem | The PEM representation of the private key (i.e. the PrivateKey with header/footer). | |
| MyCertificate.ChainPem | The PEM representation of any chain certificates (intermediate or certificate-authority). This variable does not include the primary certificate. | |
| MyCertificate.Subject | The X.500 distinguished name of the subject | |
| MyCertificate.SubjectCommonName | The un-attributed subject common name | |
| MyCertificate.Issuer | The X.500 distinguished name of the issuer | |
| MyCertificate.NotBefore | NotBefore date | 2016-06-15T13:45:30.0000000-07:00 |
| MyCertificate.NotAfter | NotAfter date | 2019-06-15T13:45:30.0000000-07:00 |

Example usage

Given the certificate variable MyCertificate, you can access the certificate thumbprint in a script like this:

PowerShell
Write-Host $OctopusParameters["MyCertificate.Thumbprint"]
Bash
thumbprint=$(get_octopusvariable "MyCertificate.Thumbprint")
echo "$thumbprint"

It’s possible to write the PEM representation of the certificate to a file for use directly with a web server e.g. Apache, or a reverse proxy like NGINX. In bash, the script looks like this:

CERT=$(get_octopusvariable "MyCertificate.CertificatePem")
echo "$CERT" > my_cert.crt

If your certificate also contains any chain certificates (e.g. intermediate or certificate authority), they can be written to a file that contains the primary certificate too. The following example shows how to do so in bash:

CERT=$(get_octopusvariable "MyCertificate.CertificatePem")
CHAIN=$(get_octopusvariable "MyCertificate.ChainPem")
COMBINED_CHAIN="$CERT\n$CHAIN"
echo -e "$COMBINED_CHAIN" > my_combined.crt

If your certificate also has a private key that you need to export, you can use the PrivateKeyPem property using bash:

KEY=$(get_octopusvariable "MyCertificate.PrivateKeyPem")
# umask 077 in a subshell so a newly created ssl.key is readable only by its owner
(umask 077; echo "$KEY" > ssl.key)
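
The three bash snippets above, combined into one added example (not Octopus code). It goes beyond them by rejecting an empty or non-PEM value, giving the private key mode 600, and replacing files atomically; write_pem, install_cert_files, CERT_DIR and the stubbed PEM text are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Octopus code): write certificate variables to disk safely.

# Outside a deployment get_octopusvariable is undefined, so this stub returns
# constructed placeholder PEM text (not real key material) for offline runs.
if ! command -v get_octopusvariable >/dev/null 2>&1; then
  get_octopusvariable() {
    case "$1" in
      MyCertificate.CertificatePem)
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' ;;
      MyCertificate.ChainPem)
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0hBSU4=' '-----END CERTIFICATE-----' ;;
      MyCertificate.PrivateKeyPem)
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' '-----END PRIVATE KEY-----' ;;
    esac
  }
fi

# write_pem DEST MODE PEM...  (hypothetical helper, runs in a subshell)
# Rejects empty or non-PEM input, e.g. PrivateKeyPem for a certificate uploaded
# without a private key, so a bad value never replaces a working file.
write_pem() (
  dest=$1; mode=$2; shift 2
  for part in "$@"; do
    case "$part" in
      '-----BEGIN '*) ;;
      *) echo "write_pem: input for $dest is empty or not PEM" >&2; exit 1 ;;
    esac
  done
  # mktemp creates the file with mode 0600, so the key is never world-readable,
  # and mv within one directory replaces the destination atomically.
  tmp=$(mktemp "$dest.XXXXXX") || exit 1
  printf '%s\n' "$@" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest" && exit 0
  rm -f "$tmp"; exit 1
)

# install_cert_files DIR  (hypothetical helper): certificate plus chain, then key.
install_cert_files() (
  dir=$1
  cert=$(get_octopusvariable "MyCertificate.CertificatePem")
  chain=$(get_octopusvariable "MyCertificate.ChainPem")
  key=$(get_octopusvariable "MyCertificate.PrivateKeyPem")
  set -- "$cert"
  if [ -n "$chain" ]; then set -- "$cert" "$chain"; fi
  write_pem "$dir/my_combined.crt" 644 "$@" || exit 1
  write_pem "$dir/ssl.key" 600 "$key"
)

# CERT_DIR is a hypothetical variable naming the target directory.
if [ -n "${CERT_DIR:-}" ]; then install_cert_files "$CERT_DIR"; fi
```

Both helpers run in subshells, so the key text does not remain in a variable of the calling script after the files are written.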


Page updated on Thursday, October 12, 2023