IIS Certificate per Environment



05 Feb, 2018 09:39 PM

We have a single project that is deployed to numerous locations that each need a unique SSL certificate. Our certs need to go 3 levels deep (ex: "server.location.corp.com"), and it doesn't seem like we can create a double wildcard ("*.*.corp.com") cert (might be a limitation of DigiCert?), so we are creating a child cert for each location, adding the server as a Subject Alternative Name to our "*.corp.com" cert.

Since we're creating a new cert for each location, we can't just use the thumbprint. So I added a certificate to Octopus and restricted it to the environment that it would be deployed to. I created a variable for that cert, and can select it for the binding... but since I need it to use a different cert for each environment it looks like I need to create the same variable for each cert, and use the scope to define which environment it will go to - is that right? What's the point then of having environment restrictions on the cert itself? Am I on the right track, or is there a better way to accomplish this?
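The naming problem in the post, as an added example that is not code from the original thread or from Octopus Deploy: a certificate wildcard matches exactly one DNS label, so "*.corp.com" covers "www.corp.com" but not "server.location.corp.com", and "*.*.corp.com" is not a valid certificate name at all, which is why a per-location SAN is needed. The second half shows the check a deployment script should make before binding: resolve the environment-scoped certificate and refuse to continue if its names do not cover the site hostname. The environments, names and thumbprint strings are constructed sample data, and `certificate_for_binding` is a hypothetical helper, not an Octopus API.

```python
# Added example, not code from the original thread or from Octopus Deploy.
# Demonstrates RFC 6125 wildcard matching and a pre-binding coverage check.
# All environment names, DNS names and thumbprints below are constructed.

from typing import Dict, Iterable, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (CN or SAN entry) covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as enforced by modern clients):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is only honoured as the entire left-most label;
    - the wildcard stands in for exactly one label, never zero or several;
    - a wildcard needs at least two labels to its right ("*.com" is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # "*.*.corp.com", "srv*.corp.com" and similar are rejected
    if len(p_labels) < 3:
        return False  # refuse "*.com"
    if len(h_labels) != len(p_labels):
        return False  # "*" may replace exactly one label
    if not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def covering_name(cert_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed sample data: one certificate per environment, as the thread's
# environment-scoped variable would resolve them. The per-location child
# certificates carry the server name as a SAN alongside the wildcard.
CERTS_BY_ENVIRONMENT: Dict[str, dict] = {
    "Location1": {"thumbprint": "LOCATION1-CERT",
                  "names": ["*.corp.com", "server.location1.corp.com"]},
    "Location2": {"thumbprint": "LOCATION2-CERT",
                  "names": ["*.corp.com", "server.location2.corp.com"]},
    # Constructed mistake: a new environment was given the plain wildcard only.
    "Location3": {"thumbprint": "WILDCARD-ONLY-CERT",
                  "names": ["*.corp.com"]},
}


def certificate_for_binding(environment: str, hostname: str,
                            certs_by_env: Dict[str, dict] = CERTS_BY_ENVIRONMENT) -> str:
    """Hypothetical pre-binding check: resolve the certificate scoped to the
    environment and fail the deployment if it does not cover the site hostname,
    so a scope or value mistake is caught before IIS serves a mismatched cert."""
    try:
        cert = certs_by_env[environment]
    except KeyError:
        raise LookupError(f"no certificate variable value scoped to {environment}")
    if covering_name(cert["names"], hostname) is None:
        raise ValueError(
            f"certificate {cert['thumbprint']} for {environment} does not cover "
            f"{hostname}; names: {cert['names']}")
    return cert["thumbprint"]


if __name__ == "__main__":
    for env, host in [("Location1", "server.location1.corp.com"),
                      ("Location3", "server.location3.corp.com")]:
        try:
            print(env, "->", certificate_for_binding(env, host))
        except (LookupError, ValueError) as exc:
            print(env, "-> REFUSED:", exc)
```

Running it binds Location1 and refuses Location3, which is the case the thread worries about: a new environment whose variable value was never updated gets caught at deploy time rather than surfacing as a browser certificate warning.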

  1. Support Staff - Posted by Eddy Ma on 06 Feb, 2018 03:27 AM


    Hi Michael,

    Thanks for getting in touch! Your settings look good to me. Having the environment as a restriction on the certificate itself is a security concern, especially if the certificate contains a production private key. You can get more information about environment restriction on certificate from the following documentation page.

    Hope that helps.


  2. Posted by Michael on 07 Feb, 2018 11:23 PM


    I've seen the documentation, and your response doesn't really answer my question - other than it seems like you're vaguely confirming that the environment restrictions on the cert are redundant to restricting them on the variable, since the latter would be required.

    If we have to define each cert via the variables, and override which is used via the scope, then that means every time we add a new environment to deploy to we would have to update the variables in the package to be deployed - right?

  3. Support Staff - Posted by Kenneth Bates on 09 Feb, 2018 12:05 AM


    Hi Michael,

    I'm taking over for Eddy, as he's currently on holiday. :)

    The environment restriction on the certificate is optional, and it is to prevent it from being accidentally used by different environments.

    For the second question, yes, you will need to add a new value for the variable for each newly added environment.

    Don't hesitate to reach out if you have any further questions going forward. :)

    Kind regards,


  4. Posted by Michael on 09 Feb, 2018 12:14 AM


    My main question is if there is any way to accomplish what I need without having to update the release package variables every time we add a new environment to deploy to?

    Updating the variables could have some bad consequences if there have been more changes than just the new cert, so it leaves a lot of room for human error.

  5. Support Staff - Posted by Kenneth Bates on 09 Feb, 2018 05:58 AM


    Hi Michael,

    Thanks for following up so quickly. I get what you mean about the potential for human error, though unfortunately there's no way to accomplish this without having to update variables for every new environment. I'd recommend adding this suggestion on our UserVoice site, which is the main avenue we consult when considering new features/enhancements.

    Sorry it's not better news! Let me know if there's anything else we can assist with.

    Kind regards,

